Hi Nick,
I've changed logpath in

[apache-modsecurity]
enabled  = true
filter   = apache-modsecurity
port     = http,https
#logpath  = /var/log/apache2/modsecurity/modsec_audit.log
logpath  = /var/log/apache2/*error.log
maxretry = 2

to /var/log/apache*/*error.log; to be honest, I don't think that was a problem.

Then restarted fail2ban:

2016-10-06 13:46:54,941 fail2ban.server [511]: INFO    Changed logging target 
to /var/log/fail2ban.log for Fail2ban v0.8.13
2016-10-06 13:46:54,941 fail2ban.jail   [511]: INFO    Creating new jail 'ssh'
2016-10-06 13:46:54,963 fail2ban.jail   [511]: INFO    Jail 'ssh' uses pyinotify
2016-10-06 13:46:54,983 fail2ban.jail   [511]: INFO    Initiated 'pyinotify' 
backend
2016-10-06 13:46:54,984 fail2ban.filter [511]: INFO    Added logfile = 
/var/log/auth.log
2016-10-06 13:46:54,984 fail2ban.filter [511]: INFO    Set maxRetry = 3
2016-10-06 13:46:54,986 fail2ban.filter [511]: INFO    Set findtime = 200
2016-10-06 13:46:54,986 fail2ban.actions[511]: INFO    Set banTime = 7200
2016-10-06 13:46:55,016 fail2ban.jail   [511]: INFO    Creating new jail 
'ssh-ddos'
2016-10-06 13:46:55,017 fail2ban.jail   [511]: INFO    Jail 'ssh-ddos' uses 
pyinotify
2016-10-06 13:46:55,021 fail2ban.jail   [511]: INFO    Initiated 'pyinotify' 
backend
2016-10-06 13:46:55,022 fail2ban.filter [511]: INFO    Added logfile = 
/var/log/auth.log
2016-10-06 13:46:55,023 fail2ban.filter [511]: INFO    Set maxRetry = 3
2016-10-06 13:46:55,024 fail2ban.filter [511]: INFO    Set findtime = 200
2016-10-06 13:46:55,025 fail2ban.actions[511]: INFO    Set banTime = 7200
2016-10-06 13:46:55,029 fail2ban.jail   [511]: INFO    Creating new jail 
'apache'
2016-10-06 13:46:55,029 fail2ban.jail   [511]: INFO    Jail 'apache' uses 
pyinotify
2016-10-06 13:46:55,034 fail2ban.jail   [511]: INFO    Initiated 'pyinotify' 
backend
2016-10-06 13:46:55,037 fail2ban.filter [511]: INFO    Added logfile = 
/var/log/apache2/www.domain.com_error.log
2016-10-06 13:46:55,040 fail2ban.filter [511]: INFO    Set maxRetry = 3
2016-10-06 13:46:55,041 fail2ban.filter [511]: INFO    Set findtime = 200
2016-10-06 13:46:55,042 fail2ban.actions[511]: INFO    Set banTime = 7200
2016-10-06 13:46:55,063 fail2ban.jail   [511]: INFO    Creating new jail 
'apache-noscript'
2016-10-06 13:46:55,063 fail2ban.jail   [511]: INFO    Jail 'apache-noscript' 
uses pyinotify
2016-10-06 13:46:55,068 fail2ban.jail   [511]: INFO    Initiated 'pyinotify' 
backend
2016-10-06 13:46:55,070 fail2ban.filter [511]: INFO    Added logfile = 
/var/log/apache2/www.domain.com_error.log
2016-10-06 13:46:55,074 fail2ban.filter [511]: INFO    Set maxRetry = 3
2016-10-06 13:46:55,075 fail2ban.filter [511]: INFO    Set findtime = 200
2016-10-06 13:46:55,076 fail2ban.actions[511]: INFO    Set banTime = 7200
2016-10-06 13:46:55,082 fail2ban.jail   [511]: INFO    Creating new jail 
'apache-overflows'
2016-10-06 13:46:55,082 fail2ban.jail   [511]: INFO    Jail 'apache-overflows' 
uses pyinotify
2016-10-06 13:46:55,087 fail2ban.jail   [511]: INFO    Initiated 'pyinotify' 
backend
2016-10-06 13:46:55,089 fail2ban.filter [511]: INFO    Added logfile = 
/var/log/apache2/www.domain.com_error.log
2016-10-06 13:46:55,093 fail2ban.filter [511]: INFO    Set maxRetry = 2
2016-10-06 13:46:55,095 fail2ban.filter [511]: INFO    Set findtime = 200
2016-10-06 13:46:55,095 fail2ban.actions[511]: INFO    Set banTime = 7200
2016-10-06 13:46:55,100 fail2ban.jail   [511]: INFO    Creating new jail 
'apache-modsecurity'
2016-10-06 13:46:55,100 fail2ban.jail   [511]: INFO    Jail 
'apache-modsecurity' uses pyinotify
2016-10-06 13:46:55,104 fail2ban.jail   [511]: INFO    Initiated 'pyinotify' 
backend
2016-10-06 13:46:55,106 fail2ban.filter [511]: INFO    Added logfile = 
/var/log/apache2/www.domain.com_error.log
2016-10-06 13:46:55,110 fail2ban.filter [511]: INFO    Set maxRetry = 2
2016-10-06 13:46:55,112 fail2ban.filter [511]: INFO    Set findtime = 200
2016-10-06 13:46:55,112 fail2ban.actions[511]: INFO    Set banTime = 7200
2016-10-06 13:46:55,116 fail2ban.jail   [511]: INFO    Creating new jail 
'apache-nohome'
2016-10-06 13:46:55,116 fail2ban.jail   [511]: INFO    Jail 'apache-nohome' 
uses pyinotify
2016-10-06 13:46:55,120 fail2ban.jail   [511]: INFO    Initiated 'pyinotify' 
backend
2016-10-06 13:46:55,122 fail2ban.filter [511]: INFO    Added logfile = 
/var/log/apache2/www.domain.com_error.log
2016-10-06 13:46:55,125 fail2ban.filter [511]: INFO    Set maxRetry = 2
2016-10-06 13:46:55,127 fail2ban.filter [511]: INFO    Set findtime = 200
2016-10-06 13:46:55,127 fail2ban.actions[511]: INFO    Set banTime = 7200
2016-10-06 13:46:55,131 fail2ban.jail   [511]: INFO    Creating new jail 
'proftpd'
2016-10-06 13:46:55,131 fail2ban.jail   [511]: INFO    Jail 'proftpd' uses 
pyinotify
2016-10-06 13:46:55,135 fail2ban.jail   [511]: INFO    Initiated 'pyinotify' 
backend
2016-10-06 13:46:55,136 fail2ban.filter [511]: INFO    Added logfile = 
/var/log/proftpd/proftpd.log
2016-10-06 13:46:55,137 fail2ban.filter [511]: INFO    Set maxRetry = 5
2016-10-06 13:46:55,139 fail2ban.filter [511]: INFO    Set findtime = 200
2016-10-06 13:46:55,139 fail2ban.actions[511]: INFO    Set banTime = 7200
2016-10-06 13:46:55,151 fail2ban.jail   [511]: INFO    Jail 'ssh' started
2016-10-06 13:46:55,154 fail2ban.jail   [511]: INFO    Jail 'ssh-ddos' started
2016-10-06 13:46:55,155 fail2ban.jail   [511]: INFO    Jail 'apache' started
2016-10-06 13:46:55,156 fail2ban.jail   [511]: INFO    Jail 'apache-noscript' 
started
2016-10-06 13:46:55,158 fail2ban.jail   [511]: INFO    Jail 'apache-overflows' 
started
2016-10-06 13:46:55,159 fail2ban.jail   [511]: INFO    Jail 
'apache-modsecurity' started
2016-10-06 13:46:55,161 fail2ban.jail   [511]: INFO    Jail 'apache-nohome' 
started
2016-10-06 13:46:55,163 fail2ban.jail   [511]: INFO    Jail 'proftpd' started

And it still doesn't work:

[Thu Oct 06 14:00:14.333956 2016] [:error] [pid 1769] [client 39.32.198.121] 
ModSecurity: Access denied with code 403 (phase 2). Pattern match 
"(^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+$)"
 at REQUEST_COOKIES:OutlookSession. [file 
"/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
 [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common 
Injection Testing Detected"] [data "Matched 
Data: \\x22 found within REQUEST_COOKIES:OutlookSession: 
\\x22{3F5E78D0-D2A5-48C5-B6E5-17433746E702}\\x22"] [severity "CRITICAL"] [ver 
"OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag 
"OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag 
"OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname 
"domain.com"] [uri "/autodiscover/autodiscover.xml"] [unique_id 
"V-ZK3n8AAQEAAAbpDGgAAAAE"]
[Thu Oct 06 14:00:23.942298 2016] [:error] [pid 1802] [client 39.32.198.121] 
ModSecurity: Access denied with code 403 (phase 2). Pattern match 
"(^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+$)"
 at REQUEST_COOKIES:OutlookSession. [file 
"/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
 [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common 
Injection Testing Detected"] [data "Matched 
Data: \\x22 found within REQUEST_COOKIES:OutlookSession: 
\\x22{3F5E78D0-D2A5-48C5-B6E5-17433746E702}\\x22"] [severity "CRITICAL"] [ver 
"OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag 
"OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag 
"OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname 
"domain.com"] [uri "/autodiscover/autodiscover.xml"] [unique_id 
"V-ZK538AAQEAAAcKZxAAAAAO"]
[Thu Oct 06 14:00:33.463946 2016] [:error] [pid 1769] [client 39.32.198.121] 
ModSecurity: Access denied with code 403 (phase 2). Pattern match 
"(^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+$)"
 at REQUEST_COOKIES:OutlookSession. [file 
"/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
 [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common 
Injection Testing Detected"] [data "Matched 
Data: \\x22 found within REQUEST_COOKIES:OutlookSession: 
\\x22{3F5E78D0-D2A5-48C5-B6E5-17433746E702}\\x22"] [severity "CRITICAL"] [ver 
"OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag 
"OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag 
"OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname 
"domain.com"] [uri "/autodiscover/autodiscover.xml"] [unique_id 
"V-ZK8X8AAQEAAAbpDGkAAAAE"]
[Thu Oct 06 14:00:52.211259 2016] [:error] [pid 1766] [client 39.32.198.121] 
ModSecurity: Access denied with code 403 (phase 2). Pattern match 
"(^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+$)"
 at REQUEST_COOKIES:OutlookSession. [file 
"/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
 [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common 
Injection Testing Detected"] [data "Matched 
Data: \\x22 found within REQUEST_COOKIES:OutlookSession: 
\\x22{3F5E78D0-D2A5-48C5-B6E5-17433746E702}\\x22"] [severity "CRITICAL"] [ver 
"OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag 
"OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag 
"OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname 
"domain.com"] [uri "/autodiscover/autodiscover.xml"] [unique_id 
"V-ZLBH8AAQEAAAbmEUsAAAAB"]
[Thu Oct 06 14:01:48.862983 2016] [:error] [pid 2028] [client 39.32.198.121] 
ModSecurity: Access denied with code 403 (phase 2). Pattern match 
"(^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+$)"
 at REQUEST_COOKIES:OutlookSession. [file 
"/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
 [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common 
Injection Testing Detected"] [data "Matched 
Data: \\x22 found within REQUEST_COOKIES:OutlookSession: 
\\x22{3F5E78D0-D2A5-48C5-B6E5-17433746E702}\\x22"] [severity "CRITICAL"] [ver 
"OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag 
"OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag 
"OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname 
"domain.com"] [uri "/autodiscover/autodiscover.xml"] [unique_id 
"V-ZLPH8AAQEAAAfsmmEAAAAI"]

And Fail2Ban won't catch it. Maybe the problem is with the rule?

failregex = ^%(_apache_error_client)s ModSecurity:  (\[.*?\] )*Access denied 
with code [45]\d\d.*$

shouldn't it be [40] instead?

On Thursday, 6 October 2016 at 13:35, Nick Howitt <[email protected]> wrote:
> If the logs are in /var/log/apache2 why not specify it instead of 
> /var/log/apache*?
> 
> The jails on their own mean little without the relevant filters.
> 
> Filters on modsec_audit.log will struggle because it is a multi-line log 
> and anything you match on must contain the IP address. That appears only 
> once for your long error report.
> 
> FWIW your apache and apache-multiport jails are identical so one should 
> be disabled as it is a waste of time.
> 
> On 2016-10-06 10:35, kamil kapturkiewicz wrote:
> > Hi,
> > I've configured Fail2Ban (0.8.13 Debian Jessie) and it is working fine
> > for ProFTPd and SSH, unfortunately for some reason it doesn't work
> > with Apache/ModSecurity logs.
> > 
> > All Apache logs are under /var/log/apache2 and all Apache logs have
> > file names in format:
> > 
> > domain_custom.log
> > domain_error.log
> > 
> > whilst ModSecurity audit log is under
> > /var/log/apache2/modsecurity/modsec_audit.log
> > 
> > Both Apache error log and modsec_audit.log are full of many nasty 
> > attempts:
> > 
> > domain_error.log:
> > [Thu Oct 06 10:29:16.806118 2016] [:error] [pid 59241] [client
> > 118.140.253.98] ModSecurity: Access denied with code 403 (phase 2).
> > Pattern match
> > "(^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+$)"
> > at REQUEST_COOKIES:OutlookSession. [file
> > "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
> > [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common
> > Injection Testing Detected"] [data "Matched
> > Data: \\x22 found within REQUEST_COOKIES:OutlookSession:
> > \\x22{A5B17B05-EE3D-452F-A844-308B72D9DFA4}\\x22"] [severity
> > "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag
> > "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag
> > "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
> > [hostname "domain.com"] [uri "/autodiscover/autodiscover.xml"]
> > [unique_id "V-YZbH8AAQEAAOdpD6MAAAAJ"]
> > [Thu Oct 06 10:30:58.329992 2016] [:error] [pid 59476] [client
> > 207.46.13.150:7332] PHP Fatal error:  Call to a member function
> > color() on boolean in /var/www/www.domain.com/site/snippets/header.php
> > on line 53
> > 
> > 
> > 
> > modsec_audit.log:
> > --1c9d510a-Z--
> > 
> > --af3c8e0f-A--
> > [06/Oct/2016:10:23:55 +0100] V-YYK38AAQEAAOWEJk8AAAAK 118.140.253.98
> > 61223 IP 443
> > --af3c8e0f-B--
> > POST /autodiscover/autodiscover.xml HTTP/1.1
> > Cache-Control: no-cache
> > Connection: Keep-Alive
> > Pragma: no-cache
> > Content-Type: text/xml
> > Authorization: Bearer
> > Cookie: OutlookSession="{138CA3CB-3E39-4AF0-9E4F-BBF5F68D880F}"
> > User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook
> > 16.0.7127; Pro)
> > X-MS-CookieUri-Requested: t
> > X-FeatureVersion: 1
> > Client-Request-Id: {16437973-34B0-4BEF-90F7-60362A1E9187}
> > X-User-Identity: [email protected]
> > X-MapiHttpCapability: 1
> > Depth: 0
> > X-AnchorMailbox: [email protected]
> > Content-Length: 353
> > Host: domain.com
> > 
> > --af3c8e0f-F--
> > HTTP/1.1 403 Forbidden
> > Strict-Transport-Security: max-age=15768000
> > Content-Length: 238
> > Keep-Alive: timeout=5, max=100
> > Connection: Keep-Alive
> > Content-Type: text/html; charset=iso-8859-1
> > 
> > --af3c8e0f-E--
> > <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> > <html><head>
> > <title>403 Forbidden</title>
> > </head><body>
> > <h1>Forbidden</h1>
> > <p>You don't have permission to access /autodiscover/autodiscover.xml
> > on this server.<br />
> > </p>
> > </body></html>
> > 
> > --af3c8e0f-H--
> > Message: Access denied with code 403 (phase 2). Pattern match
> > "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)"
> > at REQUEST_COOKIES:OutlookSession. [file
> > "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
> > [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common
> > Injection Testing Detected"] [data "Matched Data: \x22 found within
> > REQUEST_COOKIES:OutlookSession:
> > \x22{138CA3CB-3E39-4AF0-9E4F-BBF5F68D880F}\x22"] [severity "CRITICAL"]
> > [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag
> > "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag
> > "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
> > Action: Intercepted (phase 2)
> > Stopwatch: 1475745835994120 1159 (- - -)
> > Stopwatch2: 1475745835994120 1159; combined=186, p1=131, p2=52, p3=0,
> > p4=0, p5=3, sr=33, sw=0, l=0, gc=0
> > Response-Body-Transformed: Dechunked
> > Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/);
> > OWASP_CRS/2.2.9.
> > Server: Apache
> > Engine-Mode: "ENABLED"
> > 
> > --af3c8e0f-Z--
> > 
> > jail.conf:
> > 
> > [apache]
> > enabled  = true
> > port     = http,https
> > filter   = apache-auth
> > logpath  = /var/log/apache*/*error.log
> > maxretry = 3
> > 
> > [apache-multiport]
> > enabled   = true
> > port      = http,https
> > filter    = apache-auth
> > logpath   = /var/log/apache*/*error.log
> > maxretry  = 3
> > 
> > [apache-noscript]
> > enabled  = true
> > port     = http,https
> > filter   = apache-noscript
> > logpath  = /var/log/apache*/*error.log
> > maxretry = 3
> > 
> > [apache-overflows]
> > enabled  = true
> > port     = http,https
> > filter   = apache-overflows
> > logpath  = /var/log/apache*/*error.log
> > maxretry = 2
> > 
> > [apache-modsecurity]
> > enabled  = true
> > filter   = apache-modsecurity
> > port     = http,https
> > #logpath  = /var/log/apache2/modsecurity/modsec_audit.log
> > logpath  = /var/log/apache2/*error.log
> > maxretry = 2
> > 
> > [apache-nohome]
> > enabled  = true
> > filter   = apache-nohome
> > port     = http,https
> > logpath  = /var/log/apache*/*_error.log
> > maxretry = 2
> > 
> > 
> > 
> > 
> > ------------------------------------------------------------------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Fail2ban-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> 
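Added example (not code from this thread or from fail2ban itself): a Python harness that expands a fail2ban-style failregex the way the config interpolation does, runs it over constructed Apache 2.4 error-log lines, and counts hits per client inside the jail's findtime/maxretry window. Both `_apache_error_client` prefixes below are written for this example; compare them with the one in your installation's apache-common.conf. Note that `[45]\d\d` already matches any 4xx or 5xx code, so 403 is covered.

```python
import re
from datetime import datetime, timedelta

HOST = r"(?P<host>[\w\-.^_]*\w)"  # simplified stand-in for fail2ban's <HOST> tag

# Two candidate values for %(_apache_error_client)s, both written for this example:
# "[date] [error] [client IP]" only (Apache 2.2) vs. also "[date] [:error] [pid N] [client IP(:port)]" (2.4).
PREFIX_APACHE22 = r"\[[^\]]*\] \[error\] \[client <HOST>\]"
PREFIX_APACHE24 = r"\[[^\]]*\] (?:\[[^\]]+\] )*\[client <HOST>(?::\d{1,5})?\]"

# The failregex quoted in the thread, interpolation and <HOST> tag unexpanded.
FAILREGEX = (r"^%(_apache_error_client)s ModSecurity: (?:\[.*?\] )*"
             r"Access denied with code [45]\d\d.*$")

# Constructed lines modelled on the thread's error log (RFC 5737 test addresses).
SAMPLE_LOG = """\
[Thu Oct 06 14:00:14.333956 2016] [:error] [pid 1769] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "x" at REQUEST_COOKIES:OutlookSession. [id "981318"] [severity "CRITICAL"]
[Thu Oct 06 14:00:23.942298 2016] [:error] [pid 1802] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "x" at REQUEST_COOKIES:OutlookSession. [id "981318"] [severity "CRITICAL"]
[Thu Oct 06 14:00:58.329992 2016] [:error] [pid 59476] [client 198.51.100.9:7332] PHP Fatal error:  Call to a member function color() on boolean in /var/www/site/header.php on line 53
[Thu Oct 06 14:10:48.862983 2016] [:error] [pid 2028] [client 192.0.2.44] ModSecurity: Access denied with code 503 (phase 2). Pattern match "x" at ARGS:q. [id "981318"] [severity "CRITICAL"]
"""

TS_RE = re.compile(r"^\[(\w{3} \w{3} \d\d \d\d:\d\d:\d\d\.\d{6} \d{4})\]")

def compile_failregex(prefix):
    """Expand %(_apache_error_client)s and <HOST> as fail2ban's config would."""
    pattern = FAILREGEX % {"_apache_error_client": prefix}
    return re.compile(pattern.replace("<HOST>", HOST))

def matches(prefix, log=SAMPLE_LOG):
    """Return (timestamp, host) for each line the expanded failregex matches."""
    rx, hits = compile_failregex(prefix), []
    for line in log.splitlines():
        m, t = rx.match(line), TS_RE.match(line)
        if m and t:  # fail2ban also needs a recognised timestamp to count a hit
            ts = datetime.strptime(t.group(1), "%a %b %d %H:%M:%S.%f %Y")
            hits.append((ts, m.group("host")))
    return hits

def would_ban(prefix, maxretry=2, findtime=200, log=SAMPLE_LOG):
    """Hosts with >= maxretry hits inside any findtime-second window (jail values)."""
    by_host, window, banned = {}, timedelta(seconds=findtime), set()
    for ts, host in matches(prefix, log):
        by_host.setdefault(host, []).append(ts)
    for host, times in by_host.items():
        times.sort()
        if any(times[i + maxretry - 1] - times[i] <= window
               for i in range(len(times) - maxretry + 1)):
            banned.add(host)
    return banned

if __name__ == "__main__":
    for name, prefix in (("2.2-only", PREFIX_APACHE22), ("2.4-aware", PREFIX_APACHE24)):
        print(name, "hits:", len(matches(prefix)), "would ban:", sorted(would_ban(prefix)))
```

fail2ban's own `fail2ban-regex <logfile> <filter-file>` performs the same check against the real filter and also reports whether each line's timestamp was recognised, which is a separate requirement for a hit to count.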



