123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168 |
- # A filter to block random test attacks on my server
- #
- # Matches e.g.
- # put some new matches here
- #
- [Definition]
- bashfragments_generic = \(\) \{ :;\};|\(\) \{ :; \};|\(\) \{.*\};
- bashfragments_2 = /bin/bash -|bash -
- ## Starting with shellshock
- failregex = ^<HOST> -.* "(?:%(bashfragments_generic)s)|(?:%(bashfragments_2)s)
- ## Admin attacks
- ^<HOST> -.* "(POST|HEAD|GET) /administrator/
- ^<HOST> -.* "(POST|HEAD|GET) .*/administrator/
- ^<HOST> -.* "(POST|HEAD|GET) /admin/
- ^<HOST> -.* "(POST|HEAD|GET) .*/admin/
- ^<HOST> -.* "(POST|HEAD|GET) /manager/
- ^<HOST> -.* "(POST|HEAD|GET) /dbadmin/
- ^<HOST> -.* "(POST|HEAD|GET) /pma
- ^<HOST> -.* "(POST|HEAD|GET) /phpMyAdmin/
- ^<HOST> -.* "(POST|HEAD|GET) /phpmyadmin
- ## wordpress attacks
- ^<HOST> -.* "(POST|HEAD|GET) /wordpress/
- ^<HOST> -.* "(POST|HEAD|GET) /wp/
- ^<HOST> -.* "(POST|HEAD|GET) /wp-include/
- ^<HOST> -.* "(POST|HEAD|GET) .*/wp-admin/
- ^<HOST> -.* "(POST|HEAD|GET) .*wp-login.php
- ^<HOST> -.* "(POST|HEAD|GET) /wp-json/
- ## CGI attacks
- ^<HOST> -.* "(POST|HEAD|GET) /cgi-bin/
- ^<HOST> -.* "(POST|HEAD|GET) /cgi-mod/
- ^<HOST> -.* "(POST|HEAD|GET) /cgi-sys/
- ^<HOST> -.* "(POST|HEAD|GET) /sys-cgi/
- ^<HOST> -.* "(POST|HEAD|GET) /cgi-bin.*
- ^<HOST> -.* "(POST|HEAD|GET) /cgi/common.cgi
- ## Generic attacks
- ^<HOST> -.* "(POST|HEAD|GET) .*setup.php
- ^<HOST> -.* "(POST|HEAD|GET) .*login.php
- ^<HOST> -.* "(POST|HEAD|GET) .*admin.php
- ^<HOST> -.* "(POST|HEAD|GET) /login/
- ^<HOST> -.* "(POST|HEAD|GET) /script
- ^<HOST> -.* "(POST|HEAD|GET) /phppath/
- ^<HOST> -.* "(POST|HEAD|GET) .*/install/
- ## File system attacks
- ^<HOST> -.* "(POST|HEAD|GET) /.ssh
- ^<HOST> -.* "(POST|HEAD|GET) /.git
- ^<HOST> -.* "(POST|HEAD|GET) /readme.html
- ^<HOST> -.* "(POST|HEAD|GET) /CHANGELOG.txt
- ^<HOST> -.* "(POST|HEAD|GET) /.env
- ### WTF attacks
- ^<HOST> -.* ""
- ^<HOST> -.* "quit"
- ^<HOST> -.* "test"
- ## This should block binary?
- ^<HOST> -.* "\S*\\x
- ## Blocks odd attempt to redirect?
- ^<HOST> -.* "(POST|HEAD|GET) http.*
- ^<HOST> -.* "SSH-2.0-libssh2_1.7.0"
- ^<HOST> -.* "JDWP-Handshake
- ^<HOST> -.* "SSH-2.0-Go
- ## Unwanted Methods
- ^<HOST> -.* "PROPFIND
- ^<HOST> -.* "CONNECT
- ^<HOST> -.* "PUT
- ^<HOST> -.* "OPTIONS
- ## Bad Redirects
- ## https? makes 's' optional, ending /? makes trailing slash optional
- ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://.*.ru/?"
- ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://.*.xrus.org/?"
- ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://avtoguru.pro/?"
- ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://narosty.com/?"
- ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://azartmix.com/?"
- ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://kinoflux.net/?"
- ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://souvenir.cc/?"
- ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://meds-online24.com/?"
- ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://mylida.org/?"
- ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://dokfilms.net/?"
- ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://chcu.net/?"
- ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://surgut.xrus.org/?"
- ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://xn--b1ag5cfn.xn--p1ai/?"
- ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://www.avtolombard-krasnodar.com/?"
- ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://bonkers.name/?"
- ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://.*.ua/?"
- #^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://"
- #^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://"
- #^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://"
- #^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://"
- ## Misc attacks I havelogged
- ^<HOST> -.* "(POST|HEAD|GET) /tmUnblock.cgi
- ^<HOST> -.* "(POST|HEAD|GET) /muieblackcat
- ^<HOST> -.* "(POST|HEAD|GET) /themes/elastixneo/ie.css
- ^<HOST> -.* "(POST|HEAD|GET) /docs/funcspecs/3.jsp
- ^<HOST> -.* "(POST|HEAD|GET) /a2billing/
- ^<HOST> -.* "(POST|HEAD|GET) /user/soapCaller.bs
- ^<HOST> -.* "(POST|HEAD|GET) /w00tw00t.*
- ^<HOST> -.* "(POST|HEAD|GET) /HNAP1/
- ^<HOST> -.* "(POST|HEAD|GET) /rom-0
- ^<HOST> -.* "(POST|HEAD|GET) /hndUnblock.cgi
- ^<HOST> -.* "(POST|HEAD|GET) /checkout/
- ^<HOST> -.* "(POST|HEAD|GET) /Ringing.at.your.dorbell
- ^<HOST> -.* "(POST|HEAD|GET) /_asterisk
- ^<HOST> -.* "(POST|HEAD|GET) /server-status
- ^<HOST> -.* "(POST|HEAD|GET) /language/Swedish*/string.js
- ^<HOST> -.* "(POST|HEAD|GET) /../../../../../../../mnt/mtd/vBj5
- ^<HOST> -.* "(POST|HEAD|GET) //console/j_security_check
- ^<HOST> -.* "(POST|HEAD|GET) /xmlrpc.php
- ## Disabled due to ttrss and unsanitized rss?
- #^<HOST> -.* "(POST|HEAD|GET) /imgs/*
- ^<HOST> -.* "(POST|HEAD|GET) /tag/ HTTP
- ^<HOST> -.* "(POST|HEAD|GET) /invoker/EJBInvokerServlet
- ^<HOST> -.* "(POST|HEAD|GET) /stssys.htm
- ^<HOST> -.* "(POST|HEAD|GET) .*/elfinder.html
- ^<HOST> -.* "(POST|HEAD|GET) /web-console
- ^<HOST> -.* "(POST|HEAD|GET) /jmx-console
- ^<HOST> -.* "(POST|HEAD|GET) /invoker/JMXInvokerServlet
- ^<HOST> -.* "(POST|HEAD|GET) /x HTTP
- ^<HOST> -.* "(POST|HEAD|GET) /jenkins/script
- ^<HOST> -.* "(POST|HEAD|GET) /RemoteControl.html
- ^<HOST> -.* "(POST|HEAD|GET) /www/start.html
- ^<HOST> -.* "(POST|HEAD|GET) /Http/DataLayCfg.xml
- ^<HOST> -.* "(POST|HEAD|GET) /current_config/
- ^<HOST> -.* "(POST|HEAD|GET) /struts2-showcase/
- ^<HOST> -.* "(POST|HEAD|GET) /pmd
- ^<HOST> -.* "(POST|HEAD|GET) /recordings/
- ^<HOST> -.* "(POST|HEAD|GET) /logo_img.php.suspected
- ^<HOST> -.* "(POST|HEAD|GET) /webdav
- ^<HOST> -.* "(POST|HEAD|GET) /sftp-config.json
- ^<HOST> -.* "(POST|HEAD|GET) /ccvv
- ^<HOST> -.* "(POST|HEAD|GET) /xxbb
- ## Blocks after requests with null useragent.
- ^<HOST> -.* "(POST|HEAD|GET).*"-"$
- ^<HOST> -.* "(POST|HEAD|GET) /cfg/000000000000.cfg
- ^<HOST> -.* "(POST|HEAD|GET) /RPC2
- ## Blocks after request with useragent set to literal "null"
- ^<HOST> -.* "(POST|HEAD|GET).*"null"$
- ^<HOST> -.* "(POST|HEAD|GET) /KlfhsYYs
- ^<HOST> -.* "(POST|HEAD|GET) /static/UI_win7/js/login.js
- ## Blocks attacks sending characters used for shell commands
- ^<HOST> -.* "(POST|HEAD|GET) .*(%%21|%%22|%%23|%%24|%%25|%%26|%%27|%%28|%%29|%%2A|%%2C|%%3B|%%5B|%%5C|%%5D|%%60)
- ^<HOST> -.* "(POST|HEAD|GET) /nogFoot
- ^<HOST> -.* "(POST|HEAD|GET) /nogHead
- ^<HOST> -.* "(POST|HEAD|GET) /user/register
- ^<HOST> -.* "(POST|HEAD|GET) /rss.php\?mode=recent
- ^<HOST> -.* "(POST|HEAD|GET) /wls-wsat/CoordinatorPortType
- ^<HOST> -.* "(POST|HEAD|GET) /stalker_portal
- #^<HOST> -.* "(POST|HEAD|GET)
- #^<HOST> -.* "(POST|HEAD|GET)
- #^<HOST> -.* "(POST|HEAD|GET)
- #^<HOST> -.* "(POST|HEAD|GET)
- #^<HOST> -.* "(POST|HEAD|GET)
- #^<HOST> -.* "(POST|HEAD|GET)
- #^<HOST> -.* "(POST|HEAD|GET)
- #ignoreregex = ^<HOST> -.* "(POST|HEAD|GET) /.*
- ignoreregex = ^<HOST> -.* "(POST|HEAD|GET) /.well-known/openpgpkey
|