Apache
Apache HTTP Server is a free software/open source web server for Unix-like systems, Microsoft Windows, Novell NetWare and other operating systems. Apache is notable for playing a key role in the initial growth of the World Wide Web, and continues to be the most popular web server in use, serving as the de facto reference platform against which other web servers are designed and judged.
- [Sun Jan 28 11:55:32 2007] [error] [client 123.123.123.123] user myCoolUser: authentication failure for "/myPasswordedDir": Password Mismatch
- [Tue Apr 10 15:39:26 2007] [error] [client x.x.x.x] Digest: user Username: password mismatch: /
- [Tue Jan 27 15:32:40 2009] [error] [client 192.0.2.1] client denied by server configuration: /var/www/apache2-default/nonexistingpage.html
Failregex
The regular expressions below are proposed failregex for this software. Multiple regular expressions for failregex will only work with a version of Fail2ban greater than or equal to 0.7.6.
The tag <HOST> in the regular expressions below is just an alias for (?:::f{4,6}:)?(?P<host>\S+). The replacement is done automatically by Fail2ban when adding the regular expression. At the moment, exactly one named group host or <HOST> tag must be present in each regular expression.
Please, before editing this section, propose your changes in the discussion page first.
Authentication failure (doesn't it match to many cases ?):
- [[]client <HOST>[]] user .*(?:: authentication failure|not found|password mismatch)
Forbidden access:
* ^\[[^\]]*\]\s+\[error\]\s+\[client <HOST>\] client denied by server configuration:
PHP
If you don't have PHP service running or do not expect so many 'File does not exist' logging in Apache's error log, for attempts to log into some admin modus as shown below, you can also ban these IPs.
- [Sat Mar 15 03:08:59 2008] [error] [client xyz.246.51.abc] File does not exist: /var/www/blabla/sqladmin/main.php
- [Sat Mar 15 03:08:59 2008] [error] [client xyz.246.51.abc] File does not exist: /var/www/blabla/php/main.php
- [Sat Mar 15 03:08:59 2008] [error] [client xyz.246.51.abc] File does not exist: /var/www/blabla/myadmin/main.php
This can be done by using the following regex in an extra Apache section in fail2ban.conf:
failregex = [[]client (?P<host>\S*)[]] File does not exist: .*\.php
A more comprehensive example for a Apache with PHP on Linux, running PHPBB, but without PHPmyAdmin, cgi, perl:
failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): .*/(cgi-bin|admin|Admin|sql|mail|phpmyadmin|file:|php|pma|web|PMA|PMA2006|pma2006|sqlmanager|mysqlmanager|PMA2005|phpmyadmin-old|phpmyadminold|pma2005|phpmanager|mysql|myadmin|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|phpMyAdmin2|phpMyAdmin-2|php-my-admin|cms|clan|site|seite|page|forum|wbb2|board|wbb|archive|forumv2|forumv1|b0ard|f0rum|wbb1|wbb3|wbblite|directforum|board23|board2|board3|WBB|WBB2|html|phpkit|page|phpkit_1.6.1|clan|myadmin|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|php-my-admin|phpMyAdmin-2.2.3|phpMyAdmin-2.2.6|phpMyAdmin-2.5.1|phpMyAdmin-2.5.4|phpMyAdmin-2.5.6|phpMyAdmin-2.6.0|phpMyAdmin-2.6.0-pl1|phpMyAdmin-2.6.2-rc1|phpMyAdmin-2.6.3|phpMyAdmin-2.6.3-pl1|phpMyAdmin-2.6.3-rc1|padmin|datenbank|database|horde|horde2|horde3|horde-3.0.9|Horde|README|horde-3.0.9|adserver|phpAdsNew|phpadsnew|phpads|Ads|ads|xmlrpc|xmlsrv|blog|drupal|community|blogs|blogtest|appserver|roundcube|rc|mail|mail2|roundcubemail|rms|webmail2|webmail|wm|bin|roundcubemail-0.1|roundcubemail-0.2|roundcube-0.1|roundcube-0.2|roun|cube|wp-login.php|ucp.php|\.asp|\.dll|\.exe|\.pl)
Above example (with minor changes) will catch following:
.*\.asp # added wildcard
.*\.dll # added wildcard
.*\.exe # added wildcard
.*\.pl # added wildcard
admin
Admin
Ads
ads
adserver
apps # new entry
appserver
archive
awstats # new entry
b0ard
bin
blog
blogs
blogtest
board
board2
board23
board3
cgi # new entry
cgi-bin
clan
clan # removed duplicate
cms
community
cube
database
datenbank
directforum
drupal
f0rum
file:
forum
forumv1
forumv2
horde
Horde
horde-3.0.9
horde-3.0.9 # removed duplicate
horde2
horde3
html
mail
mail # removed duplicate
mail2
myadmin
myadmin # removed duplicate
mysql
mysql-admin
mysql-admin # removed duplicate
mysqladmin
mysqladmin # removed duplicate
mysqlmanager
padmin
page
page # removed duplicate
php
php-my-admin
php-my-admin # removed duplicate
phpads
phpAdsNew
phpadsnew
phpkit
phpkit_1.6.1
phpmanager
phpmyadmin
phpMyAdmin-2
phpMyAdmin-2.2.3
phpMyAdmin-2.2.6
phpMyAdmin-2.5.1
phpMyAdmin-2.5.4
phpMyAdmin-2.5.6
phpMyAdmin-2.6.0
phpMyAdmin-2.6.0-pl1
phpMyAdmin-2.6.2-rc1
phpMyAdmin-2.6.3
phpMyAdmin-2.6.3-pl1
phpMyAdmin-2.6.3-rc1
phpmyadmin-old
phpmyadmin2
phpMyAdmin2
phpmyadmin2
phpmyadminold
pma
PMA
PMA2005
pma2005
PMA2006
pma2006
rc
README
rms
round # added "d" at the end
roundcube
roundcube-0.1
roundcube-0.2
roundcubemail
roundcubemail-0.1
roundcubemail-0.2
scgi # new entry
script # new entry
seite
site
sql
sqlmanager
sqlweb
sqlweb
stat # new entry
ucp.php
wbb
WBB
wbb1
wbb2
WBB2
wbb3
wbblite
web
webadmin
webadmin # removed duplicate
webdb
webdb # removed duplicate
webmail
webmail2
websql
websql # removed duplicate
wm
wp-login.php
xmlrpc
xmlsrv
Therefore an optimised regular expresion would look like this:
failregex = \[client <HOST>\] (File does not exist|script not found or unable to stat): .*/(.*\.asp.*\.dll|.*\.exe|.*\.pl|admin|Admin|Ads|ads|apps|archive|awstats|b0ard|bin|blog|board|cgi|clan|cms|community|cube|database|datenbank|directforum|drupal|f0rum|file:|forum|horde|Horde|html|mail|myadmin|mysql|padmin|page|php|pma|PMA|rc|README|rms|round|scgi|script|seite|site|sql|stat|ucp.php|wbb|WBB|web|wm|wp-login.php|xmlrpc|xmlsrv)
To block certain WordPress and other PHP related vulnerabilities, a failregex may be added to one of the apache filters (filter.d/apache-auth.conf for example):
- [[]client <HOST>[]] PHP Notice:.*(Undefined variable: HTTP_.*_VARS in|Use of undefined constant include_path).*
- [[]client <HOST>[]] PHP Deprecated:.*(Function set_magic_quotes_runtime\(\) is deprecated in|Assigning the return value of new by reference is deprecated in).*
Centos
Under CentOS / RedHat Enterprise Linux, httpd (Apache) is not compiled with tcpwrappers support. As a result the example in jail.conf called "apache-tcpwrapper" does not work since /etc/hosts.deny does not affect apache.
