From 8f191a24705795495ccd21061958c2724768efdd Mon Sep 17 00:00:00 2001
From: Matthew Saunders Brown
Date: Fri, 5 May 2023 15:07:47 -0700
Subject: [PATCH] new apache-scan fail2ban filter

---
 etc/fail2ban/filter.d/apache-scan.conf | 13 +++++++++++++
 etc/fail2ban/jail.d/apache-scan.conf | 8 ++++++++
 install.sh | 13 ++++++++++++-
 3 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 etc/fail2ban/filter.d/apache-scan.conf
 create mode 100644 etc/fail2ban/jail.d/apache-scan.conf

diff --git a/etc/fail2ban/filter.d/apache-scan.conf b/etc/fail2ban/filter.d/apache-scan.conf
new file mode 100644
index 0000000..aaa2528
--- /dev/null
+++ b/etc/fail2ban/filter.d/apache-scan.conf
@@ -0,0 +1,13 @@
+# Fail2ban filter: /etc/fail2ban/filter.d/apache-scan.conf:
+#
+# Block IPs scanning for vulnerabilities and/or sensitive data
+#
+# Matches e.g.
+# exampledomain.com 12.34.56.78 - - [04/May/2023:04:20:00 -0700] "GET /.env HTTP/1.1" 404 317 "-" "Go-http-client/1.1"
+#
+[Definition]
+failregex = [\w\.\-]+ [\w\.\-]+ [\w\.\-]+ .*] "GET /.DS_Store HTTP
+            [\w\.\-]+ [\w\.\-]+ [\w\.\-]+ .*] "GET /.env HTTP
+            [\w\.\-]+ [\w\.\-]+ [\w\.\-]+ .*] "GET /.git/config HTTP
+
+ignoreregex =
diff --git a/etc/fail2ban/jail.d/apache-scan.conf b/etc/fail2ban/jail.d/apache-scan.conf
new file mode 100644
index 0000000..19d835d
--- /dev/null
+++ b/etc/fail2ban/jail.d/apache-scan.conf
@@ -0,0 +1,8 @@
+[apache-scan]
+enabled = true
+port = http,https
+filter = apache-scan
+logpath = /var/log/apache2/access.log tail
+bantime = 3600
+findtime = 60
+maxretry = 1
diff --git a/install.sh b/install.sh
index 92aee20..3dd3e1f 100755
--- a/install.sh
+++ b/install.sh
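Review bot: None of the three failregex lines contains a `<HOST>` capture group, so fail2ban has no way to learn which address to ban and rejects the filter at load time (it reports a missing host / failure-id group), which means this jail never bans anything. The example line in the header comment puts the client IP in the second whitespace-separated field, so that field is where `<HOST>` belongs; anchoring the pattern and escaping the literal dots also avoids the `.` wildcards matching unintended characters. The three lines can collapse into one: `failregex = ^[\w\.\-]+ <HOST> [\w\.\-]+ .*\] "GET /\.(DS_Store|env|git/config) HTTP`. Note that the match is independent of the response status, so a 200 for a file the site really serves counts the same as a 404 probe — presumably intended, but worth a comment.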
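Review bot: The jail sets no `banaction`, so it inherits the global default (iptables/nftables based on Debian), while the install.sh part of this same commit opens http/https through firewalld when that is installed; on such hosts, rules that fail2ban inserts directly into iptables can be lost or bypassed when firewalld reloads its own rule set, so bans may silently stop working. If firewalld is the active firewall, set `banaction = firewallcmd-ipset` here (or globally in jail.local) so bans go through firewalld. Because `maxretry = 1` bans on a single request, also make sure `ignoreip` covers the operator's monitoring and admin addresses, unless jail.local already does that.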
@@ -173,6 +173,17 @@ find /srv/www/html/phpMyAdmin -type d -exec chmod 755 {} +
 find /srv/www/html/phpMyAdmin -type f -exec chmod 644 {} +
 chown -R vhost:vhost /srv/www/html/phpMyAdmin
 
+# fail2ban
+if [[ -d /etc/fail2ban/ ]]; then
+  chmod 644 etc/fail2ban/*/*.conf
+  cp -a etc/fail2ban/* /etc/fail2ban/
+  if systemctl is-active --quiet fail2ban ; then
+    systemctl restart fail2ban
+  fi
+else
+  echo "NOTICE: fail2ban not installed, skipping"
+fi
+
 # jailkit
 DEBIAN_FRONTEND=noninteractive apt-get -y install jailkit
 sed -i 's|paths = ssh|paths = /usr/bin/ssh*|' /etc/jailkit/jk_init.ini
@@ -242,6 +253,6 @@ if [[ -d /etc/firewalld/ ]]; then
   firewall-cmd --zone=public --add-service=https
   firewall-cmd --permanent --zone=public --add-service=https
 else
-  echo "firewalld not installed, not opening http ports in firewall."
+  echo "NOTICE: firewalld not installed, not opening http ports in firewall."
 fi
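Review bot: The first hunk restarts fail2ban with whatever was just copied, without testing the configuration first; a filter or jail file that fail2ban rejects takes the whole service — and every other jail, such as sshd — down with it, and the script simply carries on. Run `fail2ban-client -t` (fail2ban 0.10 and later) before the restart and skip the restart, with an error on stderr, when it fails. Separately, `cp -a` preserves the source files' owner, so if this checkout is owned by a non-root user the copied config in /etc/fail2ban keeps that owner and stays editable by that user; `cp -a --no-preserve=ownership` avoids this. The surrounding script continues outside the hunk.
```shell
  chmod 644 etc/fail2ban/*/*.conf
  cp -a --no-preserve=ownership etc/fail2ban/* /etc/fail2ban/
  if systemctl is-active --quiet fail2ban ; then
    # Refuse to restart on a config fail2ban itself rejects, so a bad filter
    # does not take the other jails down with it.
    if fail2ban-client -t >/dev/null 2>&1; then
      systemctl restart fail2ban
    else
      echo "ERROR: fail2ban configuration test failed, not restarting fail2ban" >&2
    fi
  fi
  # … unchanged: else branch printing the NOTICE …
```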