new apache-scan fail2ban filter

This commit is contained in:
Matthew Saunders Brown 2023-05-05 15:07:47 -07:00
parent 2592e4b8e3
commit 8f191a2470
3 changed files with 33 additions and 1 deletions

View File

@ -0,0 +1,13 @@
# Fail2ban filter: /etc/fail2ban/filter.d/apache-scan.conf:
#
# Block IPs scanning for vulnerabilities and/or sensitive data
#
# Matches e.g.
# exampledomain.com 12.34.56.78 - - [04/May/2023:04:20:00 -0700] "GET /.env HTTP/1.1" 404 317 "-" "Go-http-client/1.1"
#
[Definition]
failregex = [\w\.\-]+ <HOST> [\w\.\-]+ [\w\.\-]+ .*] "GET /.DS_Store HTTP
[\w\.\-]+ <HOST> [\w\.\-]+ [\w\.\-]+ .*] "GET /.env HTTP
[\w\.\-]+ <HOST> [\w\.\-]+ [\w\.\-]+ .*] "GET /.git/config HTTP
ignoreregex =

View File

@ -0,0 +1,8 @@
[apache-scan]
enabled = true
port = http,https
filter = apache-scan
logpath = /var/log/apache2/access.log tail
bantime = 3600
findtime = 60
maxretry = 1

View File

@ -173,6 +173,17 @@ find /srv/www/html/phpMyAdmin -type d -exec chmod 755 {} +
find /srv/www/html/phpMyAdmin -type f -exec chmod 644 {} +
chown -R vhost:vhost /srv/www/html/phpMyAdmin
# fail2ban
if [[ -d /etc/fail2ban/ ]]; then
chmod 644 etc/fail2ban/*/*.conf
cp -a etc/fail2ban/* /etc/fail2ban/
if systemctl is-active --quiet fail2ban ; then
systemctl restart fail2ban
fi
else
echo "NOTICE: fail2ban not installed, skipping"
fi
# jailkit
DEBIAN_FRONTEND=noninteractive apt-get -y install jailkit
sed -i 's|paths = ssh|paths = /usr/bin/ssh*|' /etc/jailkit/jk_init.ini
@ -242,6 +253,6 @@ if [[ -d /etc/firewalld/ ]]; then
firewall-cmd --zone=public --add-service=https
firewall-cmd --permanent --zone=public --add-service=https
else
echo "firewalld not installed, not opening http ports in firewall."
echo "NOTICE: firewalld not installed, not opening http ports in firewall."
fi