
I am attempting to ban a specific URL in my jail.local configuration. The URL is

Add_Product.php?union+select <-- Lots more follows this

ERROR  NOK: ('Unable to compile regular expression \'^(?:::f{4,6}:)?(?P<host>[\\w\\-.^_]*\\w) -.*"(GET|POST).*/Add_Product.php?*union+select\'',)

This URL doesn't actually exist. We don't even run this query in our databases.

Here is the rule in my jail.local

[sql-union-select-attack]
enabled = true
filter = sql-union-select-attack
logpath = /var/log/nginx/*access.log
maxretry = 1
findtime = 10
bantime = 60000

Here is the rule in my filter.d/sql-union-select-attack.conf

#The SQL Injection attempt with "union+select+" in the URL     
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*/Add_Product.php?*union+select+0x5e2526
ignoreregex =

Do I have a syntax error in my jail rule? I tried to use this question as a reference since I needed something similar. This attack attempt is bogging down my server.

Thank you.

DevOpsSauce
    Did you try plugging it in at [regex101.com](https://regex101.com/r/tvMvdh/1)? It points out the syntax error in your regex. – Michael Hampton Oct 18 '18 at 13:42
  • The error it is showing is "* The preceding token is not quantifiable" – DevOpsSauce Oct 18 '18 at 14:03
  • That's correct, you can't have zero or more of a `?` as that character is also special. It's not clear why you have the `*` there. – Michael Hampton Oct 18 '18 at 14:04
  • I'm trying to capture anything after Add_Product.php? and before union+select. There are id numbers after the php query string, and they're always different. – DevOpsSauce Oct 18 '18 at 14:08
  • Then you probably meant to use `.*` – Michael Hampton Oct 18 '18 at 14:14
  • Yes, I changed it to that, restarted fail2ban, checked my syslog and didn't get the error again. – DevOpsSauce Oct 18 '18 at 14:15
  • Actually, this is not working at all due to the ^ at the beginning. My nginx logs do not have the host at the beginning. It's actually the port number. :( – DevOpsSauce Oct 18 '18 at 16:41
  • If you altered your log format, you should edit your question appropriately. We don't know anything that you don't tell us! – Michael Hampton Oct 18 '18 at 17:21
  • Luckily there is a [FILTER document](https://github.com/fail2ban/fail2ban/blob/0.11/FILTERS) that shows you how to not write DoS-susceptible filters (like you are) and how to use `fail2ban-regex` to design and test queries. – danblack Dec 02 '18 at 23:39
  • @MichaelHampton I didn't touch the log format. I changed the regex. – DevOpsSauce Dec 03 '18 at 14:23
  • @danblack I will look into the susceptibility of my regex. Thanks for the tip. I also use Regex101.com which is helpful. – DevOpsSauce Dec 03 '18 at 14:27
  • But you said [here](https://serverfault.com/questions/936159/fail2ban-error-with-regular-expression#comment1214618_936159) that you changed the log format! – Michael Hampton Dec 03 '18 at 15:23
  • No. I changed the regex in the filter.d/sql-union-select-attack.conf to include '.*'. I didn't change the log format of the access logs themselves. – DevOpsSauce Dec 03 '18 at 16:02

1 Answer


This fixed my problem. I tested on a VM and it dropped my connection successfully.

failregex = ^\d{4} <HOST> -.*\"(GET|POST).*Add_Product.php.*union+select
DevOpsSauce
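The following is an added example, not code from the question or the answer above. It reproduces in plain Python what fail2ban does with each failregex that appears on this page: it expands `<HOST>` to the exact expression shown in the error message in the question, tries to compile the pattern, and runs it over a few constructed nginx access-log lines (invented for this example; they use the asker's "port number first" layout, with the standard combined format after it). Three points it makes visible: the original `php?*` cannot compile, the `.*` fix compiles but matches nothing when the line starts with a port, and in the accepted answer `union+select` is still a regex in which `+` means "one or more n", so it matches the literal text `unionselect` rather than `union+select`. The last pattern, `TIGHT_FAILREGEX`, is this editor's suggestion in the spirit of danblack's FILTERS-document comment: it escapes `.`, `?` and `+`, and replaces the open-ended `.*` runs with `[^"]*` so the match stays inside the request string.

```python
import re

# <HOST> expansion exactly as fail2ban printed it in the error message quoted
# in the question (fail2ban 0.10/0.11 style, with the IPv6-mapped-IPv4 prefix).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed sample log lines (not taken from the original post). The asker's
# access log has a four-digit port before the client address, then the usual
# combined format: addr - user [time] "request" status bytes "referer" "agent".
LOG_LINES = [
    '8080 203.0.113.7 - - [18/Oct/2018:13:40:01 +0000] "GET /Add_Product.php?id=4123+union+select+0x5e2526,1,2 HTTP/1.1" 200 512 "-" "curl/7.61"',
    '8080 198.51.100.9 - - [18/Oct/2018:13:40:02 +0000] "GET /Add_Product.php?id=77 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '8080 192.0.2.33 - - [18/Oct/2018:13:40:03 +0000] "POST /Add_Product.php?id=99+unionselect HTTP/1.1" 200 10 "-" "x"',
]

# The patterns discussed on this page, in the order they appear.
ORIGINAL_FAILREGEX = r'^<HOST> -.*"(GET|POST).*/Add_Product.php?*union+select+0x5e2526'
QUICK_FIX_FAILREGEX = r'^<HOST> -.*"(GET|POST).*/Add_Product.php.*union+select+0x5e2526'
ANSWER_FAILREGEX = r'^\d{4} <HOST> -.*\"(GET|POST).*Add_Product.php.*union+select'

# Editor's suggested tightening (an assumption, not from the page): literal
# characters escaped, and [^"]* instead of .* so the engine never scans past
# the closing quote of the request field.
TIGHT_FAILREGEX = r'^\d{4} <HOST> - \S+ \[[^\]]+\] "(?:GET|POST) [^"]*Add_Product\.php\?[^"]*union\+select'


def compile_failregex(pattern):
    """Expand <HOST> the way fail2ban does and compile.

    Returns (compiled_regex, None) on success or (None, error_text) when the
    pattern cannot be compiled, which is what fail2ban reports as
    "Unable to compile regular expression".
    """
    try:
        return re.compile(pattern.replace("<HOST>", HOST)), None
    except re.error as exc:
        return None, str(exc)


def matches(pattern, lines):
    """Return the <host> captured on every line the failregex matches.

    All patterns here are anchored with ^, so search() and match() agree;
    the result is the list of addresses fail2ban would count as failures.
    """
    regex, err = compile_failregex(pattern)
    if regex is None:
        raise ValueError("failregex does not compile: " + err)
    found = []
    for line in lines:
        m = regex.search(line)
        if m:
            found.append(m.group("host"))
    return found


if __name__ == "__main__":
    # The question's pattern: the ?* sequence is a quantifier on a quantifier.
    _, err = compile_failregex(ORIGINAL_FAILREGEX)
    print("original:", "compile error ->", err)
    # Compiles, but ^<HOST> cannot match a line that starts with a port.
    print("quick fix (.*):", matches(QUICK_FIX_FAILREGEX, LOG_LINES))
    # Compiles and anchors on the port, but union+select means 'unio' + n+ + 'select'.
    print("answer:", matches(ANSWER_FAILREGEX, LOG_LINES))
    # Escaped literals and bounded character classes: catches the real probe only.
    print("tightened:", matches(TIGHT_FAILREGEX, LOG_LINES))
```

To check a candidate against the real log instead of the constructed lines, the same expansion is what `fail2ban-regex /var/log/nginx/access.log filter.d/sql-union-select-attack.conf` performs, and it reports both compile errors and the per-line match count, so it is the tool to run before restarting the jail.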