This custom Fail2Ban filter and jail will deal with all scans for common Wordpress, Joomla, Drupal and other Web Exploits being scanned for by automated bots and those seeking to find exploitable web sites.
- Skill Level: Advanced
❗ CAUTION ❗ Be sure you know why you are going to use this filter before simply deploying it ❗
I hold no responsibility for any problems this may cause you. You need to have a thorough understanding of Fail2Ban especially whitelisting. You also need to make sure that if you have ANY of the plugins, templates, folders or files shown in these exploit scan signatures then make sure you stop using such plugins or themes and rename any folders or files to something more suitable. You could very easily block out yourself or your own users. Please take caution with this filter.
sudo wget https://raw.githubusercontent.com/mitchellkrogza/Fail2Ban.WebExploits/master/webexploits.conf -O /etc/fail2ban/filter.d/webexploits.conf
sudo nano /etc/fail2ban/jail.local
Paste the contents below into your jail.local file
For NGINX
[webexploits]
enabled = true
port = http,https
filter = webexploits
logpath = %(nginx_access_log)s
maxretry = 3
For APACHE
[webexploits]
enabled = true
port = http,https
filter = webexploits
logpath = %(apache_access_log)s
maxretry = 3
fail2ban-regex /var/log/nginx/myweb-access.log /etc/fail2ban/filter.d/webexploits.conf
You will see output something like this
Running tests
=============
Use failregex filter file : webexploits, basedir: /etc/fail2ban
Use log file : /var/log/nginx/mitchellkrog.com-REDIRECTS-access.log
Use encoding : UTF-8
Results
=======
Failregex: 391 total
|- #) [# of hits] regular expression
| 1) [105] ^<HOST> -.*GET.*(/.git/config)
| 3) [16] ^<HOST> -.*GET.*(/administrator/index.php)
| 4) [2] ^<HOST> -.*GET.*(/administrator/manifests/files/joomla.xml)
| 6) [6] ^<HOST> -.*GET.*(/ckupload.php)
| 8) [5] ^<HOST> -.*GET.*(/components/com_adsmanager/js/fullnoconflict.js)
....
....
....
| 68) [9] ^<HOST> -.*GET.*(/wp-content/plugins/wysija-newsletters/readme.txt)
| 69) [1] ^<HOST> -.*GET.*(/wp-content/themes/deep-blue/megaframe/megapanel/inc/functions.php)
| 70) [4] ^<HOST> -.*GET.*(/wp-content/themes/u-design/style.css)
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [4262] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
Lines: 4262 lines, 0 ignored, 391 matched, 3871 missed [processed in 2.50 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 3871 lines
This confirms the webexploits.conf file is detecting hits in your logs for the exploits it covers.
sudo service fail2ban stop && sudo service fail2ban start
As new threats and vulnerable plugins and themes are detected all the time this filter is constantly updated so it's a good idea to keep a regular check here for new updates.
Have a look at the Fail2Ban Blacklist JAIL for Repeat Offenders which enables perma-banning on Fail2Ban for Repeat Offenders,
A list of BAD IP's is available from here which is generated using this Perma-Ban filter and used within the awesome Ultimate Hosts Blacklist.
- https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
- https://github.com/mitchellkrogza/apache-ultimate-bad-bot-blocker
- https://github.com/mitchellkrogza/Badd-Boyz-Hosts
- https://github.com/mitchellkrogza/Ultimate.Hosts.Blacklist
- https://github.com/mitchellkrogza/Stop.Google.Analytics.Ghost.Spam.HOWTO
- https://github.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites
- https://github.com/mitchellkrogza/fail2ban-useful-scripts
- https://github.com/mitchellkrogza/linux-server-administration-scripts
- https://github.com/mitchellkrogza/Travis-CI-Nginx-for-Testing-Nginx-Configuration
- https://github.com/mitchellkrogza/Travis-CI-for-Apache-For-Testing-Apache-and-PHP-Configurations
- https://github.com/mitchellkrogza/Fail2Ban-Blacklist-JAIL-for-Repeat-Offenders-with-Perma-Extended-Banning
- https://github.com/funilrys/PyFunceble
- https://github.com/funilrys/dead-hosts
- https://github.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites
- https://github.com/mitchellkrogza/Suspicious.Snooping.Sniffing.Hacking.IP.Addresses
Come drop by and visit me at mitchellkrog.com or Facebook or Follow Me on Twitter
Copyright (c) 2017 Mitchell Krog - [email protected]
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.