
I'm trying to configure a regex for fail2ban for apache2 access.log.

If I browse to "https://mywebsite.com/%69%6E%64%65%78.%68%74%6D%6C" it brings me to the index.html page and this is ok. This happens server-side because in the access.log this line is being saved: "GET /%69%6E%64%65%78.%68%74%6D%6C HTTP/2.0" 200 270 "-".

The problem is that this test check fails:

sudo fail2ban-regex -vvv '1.1.1.1 /%69%6E%64%65%78.%68%74%6D%6C' '<HOST>.*index' --print-all-matched --print-no-missed --print-no-ignored

So my question is: how to catch these encoded urls? Or maybe there is a way to prevent browsing any encoded urls at all by returning a 404 error instead?

My aim is to increase the security of my server by adding a fail2ban rule for hacking attempts pointing to some specific dirs.

Thanks

1 Answer


The only way to do this with any degree of resolution is to parse the URL, normalize it then write it back to a secondary log and monitor that. (This was what I did with log4J when the attack was embedded in the query).

sudo fail2ban-regex -vvv '1.1.1.1 /%69%6E%64%65%78.%68%74%6D%6C'

But if you take this approach implementing all your ban rules, you are going to have a LOT of fail2ban rules.

Rather than scraping the access_log directly, you might consider implementing a 404 handler with some smarts to normalize the URL / write to secondary log.

But you should be able to determine if any of your paths require URL encoding, and set up a rule specifically for % in the path part, something like....

failregex = ^.*&quot;(GET|POST|HEAD) [^\?&]+%.* [0-9].*$ 

(not tested)

  • thanks for your response, but I disagree on "the only way to do this". Is this truly the only way? Commented Apr 16 at 6:30
  • No, you could re-write fail2ban to resolve URL encoding in strings, but that's probably not a practical solution. Commented Apr 16 at 8:51
  • why the &quot; in the regex? Commented Apr 18 at 6:13
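The two approaches from the answer (normalize the URL into a secondary log, or fall back to flagging any % in the path part), worked through as an added example that is not code from the original post. It parses Apache combined-format lines, percent-decodes the path, writes a one-line normalized record that a fail2ban jail could watch, and shows why the original '<HOST>.*index' test fails on the raw line but matches the normalized one. The sample log lines are constructed (only the first request target comes from the post), the watched directory list in SECONDARY_FAILREGEX is an assumption, and the <HOST> substitution is a simplified stand-in for what fail2ban really does:

```python
import re
from urllib.parse import quote, unquote

# Constructed sample access.log lines (Apache "combined" format); only the
# first request target is taken from the original post, the rest are made up.
SAMPLE_LOG = [
    '1.1.1.1 - - [16/Apr/2024:06:30:00 +0000] "GET /%69%6E%64%65%78.%68%74%6D%6C HTTP/2.0" 200 270 "-" "curl/8.0"',
    '2.2.2.2 - - [16/Apr/2024:06:30:01 +0000] "GET /index.html HTTP/2.0" 200 270 "-" "curl/8.0"',
    '3.3.3.3 - - [16/Apr/2024:06:30:02 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 196 "-" "curl/8.0"',
    '4.4.4.4 - - [16/Apr/2024:06:30:03 +0000] "GET /search?q=100%25 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '5.5.5.5 - - [16/Apr/2024:06:30:04 +0000] "GET /%77p-admin/setup-config.php HTTP/1.1" 404 196 "-" "curl/8.0"',
]

ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+" (?P<status>\d{3})'
)


def parse_line(line):
    """Split one access.log line into its fields, or return None if it does not parse."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def decode_path(target, max_rounds=3):
    """Return the percent-decoded path part of a request target.

    The query string is dropped. Decoding repeats until the string stops
    changing so that double-encoded sequences (%252e -> %2e -> .) are unwrapped
    too; Apache itself decodes only once, so this is deliberately more
    aggressive than the server and can flag a literal "%2e" file name.
    """
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def path_has_percent(target):
    """The answer's fallback rule: any '%' in the path part (the query is ignored)."""
    return "%" in target.split("?", 1)[0]


def log_safe(path):
    """Re-escape characters that would break the one-line secondary log after decoding."""
    return "".join(
        ch if ch.isprintable() and ch not in ' "' else quote(ch, safe="")
        for ch in path
    )


def normalized_line(line):
    """Rewrite an access.log line as: HOST [TIME] "METHOD DECODED_PATH" STATUS."""
    rec = parse_line(line)
    if rec is None:
        return None
    return '%s [%s] "%s %s" %s' % (
        rec["host"], rec["time"], rec["method"],
        log_safe(decode_path(rec["target"])), rec["status"],
    )


def f2b_regex(failregex):
    """Turn a fail2ban-style failregex into a Python regex (simplified <HOST> handling only)."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))


def match_failregex(failregex, line):
    """Return the <HOST> captured by failregex on line, or None when it does not match."""
    m = f2b_regex(failregex).search(line)
    return m.group("host") if m else None


# Hypothetical rule for the secondary log: flag anything that reaches the watched
# directories once the path has been decoded. The directory list is an assumption.
SECONDARY_FAILREGEX = r'^<HOST> \[[^\]]+\] "(?:GET|POST|HEAD) [^"]*(?:/wp-admin/|/etc/|/\.git/)'


def percent_hosts(lines):
    """Hosts the answer's '%-in-path' rule would flag, straight from access.log."""
    return [rec["host"] for rec in map(parse_line, lines) if rec and path_has_percent(rec["target"])]


def offending_hosts(lines, failregex=SECONDARY_FAILREGEX):
    """Hosts matched by failregex after each line has been normalized."""
    hosts = []
    for line in lines:
        norm = normalized_line(line)
        host = match_failregex(failregex, norm) if norm else None
        if host:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(normalized_line(line))
    print("'<HOST>.*index' on the raw encoded line:", match_failregex("<HOST>.*index", SAMPLE_LOG[0]))
    print("same regex on the normalized line:", match_failregex("<HOST>.*index", normalized_line(SAMPLE_LOG[0])))
    print("percent-in-path hosts:", percent_hosts(SAMPLE_LOG))
    print("watched-directory hosts:", offending_hosts(SAMPLE_LOG))
```

Note the trade-off the two rules make on the sample data: the %-in-path rule is cheap and needs no extra log, but it flags the harmless encoded /index.html request as well as the traversal and wp-admin probes, while ignoring the %25 in the query string; the normalized secondary log lets the failregex name the directories you actually care about, at the cost of a small process that tails access.log and writes the decoded copy.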
