I get many attacks on my Debian Apache server that include URL manipulations like:

http://url_on_my_eserver/?username=/etc/passwd

How can I block these attacks?

rubo77

1 Answer

Fail2Ban should never be your first line of defense. After properly handling the input, you can utilize Fail2Ban by using a failregex like this:

failregex = ^<HOST> -.*GET.*\/etc\/passwd

Another commonly used filter to block the PHP File Injection/Inclusion attacks:

[php-url-fopen]

enabled = true
port    = http,https
filter  = php-url-fopen
logpath = [YOUR_ACCESS_LOG_PATH]
maxretry = 1

You can include that in your jail.conf.

Update: As a response to your comment, you can use multiple lines in logpath, for example:

logpath = /somepath/*wild/log
          /some/other/path/log

Adi
  • Thanks, I added this to my `/etc/fail2ban/filter.d/php-url-fopen.conf`: `failregex = ^<HOST> -.*"(GET|POST).*\?.*\=\/(etc|proc)\/.* HTTP\/.*$` – rubo77 Dec 17 '12 at 15:56
  • I use `logpath = /var/kunden/logs/*access.log` but how can I add another path too? I also have logs in `/var/log/apache2/*access.log` – rubo77 Dec 17 '12 at 16:02
  • @rubo77, I've updated the answer for you – Adi Dec 17 '12 at 16:09
  • Could it be that too many log files in the Apache log will slow the server down if you use fail2ban filters? (On my server there are over 250 different log files, one for each customer.) – rubo77 Dec 18 '12 at 06:44
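
To see what each filter would ban with `maxretry = 1`, the following added example (not code from the answer, the comments or fail2ban itself) runs the answer's failregex and the one from rubo77's comment over constructed access-log lines. It assumes a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag and writes the comment's regex with `<HOST>` after `^`; the names `banned_hosts` and `compile_filter` are hypothetical.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# fail2ban's real substitution also handles IPv6 and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex from the answer and the tightened one from the comment.
FILTERS = {
    "answer": r"^<HOST> -.*GET.*\/etc\/passwd",
    "comment": r'^<HOST> -.*"(GET|POST).*\?.*\=\/(etc|proc)\/.* HTTP\/.*$',
}

# Constructed Apache combined-format lines (documentation IP ranges).
LOG = [
    '192.0.2.10 - - [17/Dec/2012:15:40:01 +0100] "GET /?username=/etc/passwd HTTP/1.1" 200 512 "-" "curl/7.26"',
    '192.0.2.11 - - [17/Dec/2012:15:40:02 +0100] "POST /index.php?page=/proc/self/environ HTTP/1.1" 200 512 "-" "curl/7.26"',
    # Ordinary page view whose Referer happens to contain the string.
    '198.51.100.7 - - [17/Dec/2012:15:40:03 +0100] "GET /blog/ HTTP/1.1" 200 900 "http://example.org/howto?file=/etc/passwd" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Dec/2012:15:40:04 +0100] "GET /shop?item=42 HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
]


def compile_filter(failregex):
    """Expand <HOST> before compiling, as fail2ban does with its own pattern."""
    return re.compile(failregex.replace("<HOST>", HOST))


def banned_hosts(failregex, lines):
    """Hosts a jail with maxretry = 1 would ban: a single match is enough."""
    rx = compile_filter(failregex)
    hits = []
    for line in lines:
        m = rx.search(line)
        if m and m.group("host") not in hits:
            hits.append(m.group("host"))
    return hits


if __name__ == "__main__":
    for name, failregex in FILTERS.items():
        print(f"{name:8s} -> {banned_hosts(failregex, LOG)}")
```

The answer's pattern also matches the Referer field and ignores POST, while the comment's pattern is anchored to the request line. On a real server, `fail2ban-regex <logfile> <filter file>` runs the same kind of check with fail2ban's own parser.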