Hi,
I've configured Fail2Ban (0.8.13, Debian Jessie) and it is working fine for
ProFTPd and SSH; unfortunately, for some reason it doesn't work with
Apache/ModSecurity logs.
All Apache logs are under /var/log/apache2 and have file names in the format:
domain_custom.log
domain_error.log
whilst the ModSecurity audit log is under
/var/log/apache2/modsecurity/modsec_audit.log
Both the Apache error log and modsec_audit.log are full of many nasty attempts:
domain_error.log:
[Thu Oct 06 10:29:16.806118 2016] [:error] [pid 59241] [client 118.140.253.98] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+$)" at REQUEST_COOKIES:OutlookSession. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: \\x22 found within REQUEST_COOKIES:OutlookSession: \\x22{A5B17B05-EE3D-452F-A844-308B72D9DFA4}\\x22"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "domain.com"] [uri "/autodiscover/autodiscover.xml"] [unique_id "V-YZbH8AAQEAAOdpD6MAAAAJ"]
[Thu Oct 06 10:30:58.329992 2016] [:error] [pid 59476] [client 207.46.13.150:7332] PHP Fatal error: Call to a member function color() on boolean in /var/www/www.domain.com/site/snippets/header.php on line 53
modsec_audit.log:
--1c9d510a-Z--
--af3c8e0f-A--
[06/Oct/2016:10:23:55 +0100] V-YYK38AAQEAAOWEJk8AAAAK 118.140.253.98 61223 IP 443
--af3c8e0f-B--
POST /autodiscover/autodiscover.xml HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: text/xml
Authorization: Bearer
Cookie: OutlookSession="{138CA3CB-3E39-4AF0-9E4F-BBF5F68D880F}"
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.7127; Pro)
X-MS-CookieUri-Requested: t
X-FeatureVersion: 1
Client-Request-Id: {16437973-34B0-4BEF-90F7-60362A1E9187}
X-User-Identity: [email protected]
X-MapiHttpCapability: 1
Depth: 0
X-AnchorMailbox: [email protected]
Content-Length: 353
Host: domain.com
--af3c8e0f-F--
HTTP/1.1 403 Forbidden
Strict-Transport-Security: max-age=15768000
Content-Length: 238
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--af3c8e0f-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /autodiscover/autodiscover.xml
on this server.<br />
</p>
</body></html>
--af3c8e0f-H--
Message: Access denied with code 403 (phase 2). Pattern match "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" at REQUEST_COOKIES:OutlookSession. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: \x22 found within REQUEST_COOKIES:OutlookSession: \x22{138CA3CB-3E39-4AF0-9E4F-BBF5F68D880F}\x22"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Action: Intercepted (phase 2)
Stopwatch: 1475745835994120 1159 (- - -)
Stopwatch2: 1475745835994120 1159; combined=186, p1=131, p2=52, p3=0, p4=0, p5=3, sr=33, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache
Engine-Mode: "ENABLED"
--af3c8e0f-Z--
jail.conf:
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 3
[apache-multiport]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 3
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 3
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2
[apache-modsecurity]
enabled = true
filter = apache-modsecurity
port = http,https
#logpath = /var/log/apache2/modsecurity/modsec_audit.log
logpath = /var/log/apache2/*error.log
maxretry = 2
[apache-nohome]
enabled = true
filter = apache-nohome
port = http,https
logpath = /var/log/apache*/*_error.log
maxretry = 2
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
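The usual way to find out why a jail stays silent is to run the filter against the log file (fail2ban-regex /var/log/apache2/domain_error.log /etc/fail2ban/filter.d/apache-modsecurity.conf). The script below, added here as an example and not part of the post or of fail2ban, reproduces the core of that check offline: it expands the <HOST> placeholder the way fail2ban does and applies two failregex shapes to the error-log lines quoted above (abridged, plus one constructed Apache 2.2-style record). The first shape expects the old "[error] [client IP]" prefix; the second also accepts the Apache 2.4 prefix "[:error] [pid N] [client IP:port]" that Jessie's Apache writes. Both patterns and the HOST group are written for this example in the style of fail2ban's apache-common.conf and are assumptions, not copies of any release; the tester also does not reproduce fail2ban's date-stripping step, so the time-stamp bracket is matched explicitly. Two things the output makes visible: the PHP fatal error on the same host must not count as a denial, and the filter only works on one-line error-log records, which is why logpath points at *error.log rather than the multi-section audit log. One caveat before banning on these hits: rule 981318 fires here on a quoted GUID in the OutlookSession cookie sent by a Microsoft Outlook user agent to /autodiscover/autodiscover.xml, so it is worth confirming that the matched clients are not legitimate mail users.

```python
import re

# fail2ban replaces the <HOST> placeholder in a failregex with a named group of
# roughly this shape (written from memory for this example; compare with the
# fail2ban version installed on your system).
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Shape of a pre-Apache-2.4 ModSecurity failregex: expects "[error] [client IP]".
LEGACY_FAILREGEX = (
    r"^\[[^]]*\] \[error\] \[client <HOST>\] ModSecurity:\s+(\[.*?\]\s*)*"
    r"Access denied with code [45]\d\d"
)

# Apache 2.4 writes "[:error] [pid N] [client IP:port]"; this variant accepts
# both layouts. Modelled on fail2ban's apache-common.conf style for this
# example; it is not copied from any particular fail2ban release.
APACHE24_FAILREGEX = (
    r"^\[[^]]*\] \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? "
    r"\[client <HOST>(:\d{1,5})?\] ModSecurity:\s+(\[.*?\]\s*)*"
    r"Access denied with code [45]\d\d"
)

# Constructed sample log: the two error-log records quoted in the post
# (unwrapped and abridged) plus one made-up Apache 2.2-style record.
SAMPLE_LOG = [
    # Apache 2.4 record written by ModSecurity (from the post, abridged).
    r'''[Thu Oct 06 10:29:16.806118 2016] [:error] [pid 59241] [client 118.140.253.98] '''
    r'''ModSecurity: Access denied with code 403 (phase 2). Pattern match '''
    r'''"(^[\\"'`;]+|[\\"'`;]+$)" at REQUEST_COOKIES:OutlookSession. '''
    r'''[file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] '''
    r'''[line "64"] [id "981318"] [msg "SQL Injection Attack: Common Injection Testing Detected"] '''
    r'''[severity "CRITICAL"] [hostname "domain.com"] [uri "/autodiscover/autodiscover.xml"]''',
    # PHP fatal error from the same log (from the post): must NOT count as a denial.
    r'''[Thu Oct 06 10:30:58.329992 2016] [:error] [pid 59476] [client 207.46.13.150:7332] '''
    r'''PHP Fatal error: Call to a member function color() on boolean in '''
    r'''/var/www/www.domain.com/site/snippets/header.php on line 53''',
    # Constructed Apache 2.2-style record (not from the post) for comparison.
    r'''[Thu Oct 06 10:31:02 2016] [error] [client 203.0.113.5] ModSecurity: Access denied '''
    r'''with code 403 (phase 2). Pattern match "..." at ARGS:id. [id "981318"]''',
]


def expand_failregex(failregex):
    """Substitute the <HOST> placeholder as fail2ban does before compiling."""
    return failregex.replace("<HOST>", HOST_GROUP)


def matching_hosts(lines, failregex):
    """Return the host captured from every line the failregex matches, in order."""
    rx = re.compile(expand_failregex(failregex))
    hosts = []
    for line in lines:
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def report(lines):
    """Run both failregex shapes over the lines; keys name the shape tested."""
    return {
        "legacy": matching_hosts(lines, LEGACY_FAILREGEX),
        "apache24": matching_hosts(lines, APACHE24_FAILREGEX),
    }


if __name__ == "__main__":
    for name, hosts in report(SAMPLE_LOG).items():
        print(f"{name:9s} matched {len(hosts)} of {len(SAMPLE_LOG)} lines: {hosts}")
```

On the sample, the legacy shape matches only the constructed 2.2-style record, while the 2.4-aware shape matches it and the real Jessie record with host 118.140.253.98; neither matches the PHP fatal error. If the same experiment with the real filter file shows zero matches on your domain_error.log, the regex in /etc/fail2ban/filter.d/apache-common.conf (or apache-modsecurity.conf) is the place to look.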