Task: protect an Apache2 web server from blind scans that probe for bugs in whatever CMS the site might be running, i.e. attacks like this:
surdoserver.ru:80 127.0.0.1 - - [23/Dec/2011:07:20:11 +0000] "GET /install.php?phpbb_root_dir=../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
surdoserver.ru:80 127.0.0.1 - - [23/Dec/2011:07:20:11 +0000] "GET /mantis/login_page.php?g_meta_inc_dir=../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
surdoserver.ru:80 127.0.0.1 - - [23/Dec/2011:07:20:11 +0000] "GET /page.php?template=../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
surdoserver.ru:80 127.0.0.1 - - [23/Dec/2011:07:20:11 +0000] "GET /phorum/admin/actions/del.php?include_path=../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
surdoserver.ru:80 127.0.0.1 - - [23/Dec/2011:07:20:11 +0000] "GET /pollensondage.inc.php?app_path=../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
surdoserver.ru:80 127.0.0.1 - - [23/Dec/2011:07:20:40 +0000] "GET /joomla/index.php?option=com_sbsfile&controller=../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
surdoserver.ru:80 127.0.0.1 - - [23/Dec/2011:07:20:41 +0000] "GET /joomla/index.php?option=com_rokdownloads&controller=../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
surdoserver.ru:80 127.0.0.1 - - [23/Dec/2011:07:20:41 +0000] "GET /joomla/index.php?option=com_sectionex&controller=../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
surdoserver.ru:80 127.0.0.1 - - [23/Dec/2011:07:20:41 +0000] "GET /joomla/index.php?option=com_ganalytics&controller=../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
surdoserver.ru:80 127.0.0.1 - - [23/Dec/2011:07:20:41 +0000] "GET /joomla/index.php?option=com_janews&controller=../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
surdoserver.ru:80 127.0.0.1 - - [23/Dec/2011:07:20:41 +0000] "GET /joomla/index.php?option=com_linkr&controller=../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
Solution: use Fail2ban, the open-source attack filter/monitor that works with a range of services (vsftp, ssh, Apache and others). To do so:
- Create the file /etc/fail2ban/filter.d/apache-404.conf
- Put the following into it:
[Definition]
failregex = (?P<host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+ 404 [0-9]+ "
ignoreregex = favicon\.ico
- Add the following to /etc/fail2ban/jail.local:
[apache-404]
enabled = true
port = http,https
filter = apache-404
logpath = /var/log/apache*/*access.log
bantime = 3600
findtime = 600
maxretry = 5
- Restart fail2ban from the console with:
/etc/init.d/fail2ban restart
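To see what the filter and jail settings above actually do before deploying them, here is an added Python example (not part of the original post and not fail2ban's own code) that runs the same failregex/ignoreregex over constructed log lines and models the findtime/maxretry decision, including the case where an old 404 has already aged out of the window. The client addresses 203.0.113.7 and 198.51.100.4 and the /old-page.html hit are constructed; the request paths are the ones from the scan above.

```python
import re
from datetime import datetime, timedelta

# failregex and ignoreregex copied from the apache-404.conf filter above; fail2ban's <HOST>
# tag expands to a (?P<host>...) group, so the same pattern runs unchanged under Python's re.
FAILREGEX = re.compile(r'(?P<host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+ 404 [0-9]+ "')
IGNOREREGEX = re.compile(r'favicon\.ico')
TIMESTAMP = re.compile(r'\[([^\]]+)\]')          # the bracketed Apache timestamp field
FINDTIME = timedelta(seconds=600)                # findtime and maxretry from jail.local above
MAXRETRY = 5

# Constructed sample log modelled on the scan above. 203.0.113.7 (scanner) and 198.51.100.4
# (ordinary visitor) are documentation-range addresses, not real clients; raw string keeps the UA field verbatim.
SAMPLE_LOG = r'''
surdoserver.ru:80 203.0.113.7 - - [23/Dec/2011:07:05:00 +0000] "GET /page.php?template=../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
surdoserver.ru:80 198.51.100.4 - - [23/Dec/2011:07:19:31 +0000] "GET /favicon.ico HTTP/1.1" 404 3449 "-" "Mozilla/5.0"
surdoserver.ru:80 198.51.100.4 - - [23/Dec/2011:07:19:45 +0000] "GET /old-page.html HTTP/1.1" 404 3449 "-" "Mozilla/5.0"
surdoserver.ru:80 203.0.113.7 - - [23/Dec/2011:07:20:11 +0000] "GET /install.php?phpbb_root_dir=../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
surdoserver.ru:80 203.0.113.7 - - [23/Dec/2011:07:20:11 +0000] "GET /mantis/login_page.php?g_meta_inc_dir=../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
surdoserver.ru:80 203.0.113.7 - - [23/Dec/2011:07:20:11 +0000] "GET /phorum/admin/actions/del.php?include_path=../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
surdoserver.ru:80 203.0.113.7 - - [23/Dec/2011:07:20:40 +0000] "GET /joomla/index.php?option=com_sbsfile&controller=../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
surdoserver.ru:80 203.0.113.7 - - [23/Dec/2011:07:20:41 +0000] "GET /joomla/index.php?option=com_rokdownloads&controller=../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
'''

def parse_failures(log_text):
    """Return (timestamp, host) for every line the filter counts as a failure."""
    failures = []
    for line in log_text.strip().splitlines():
        if IGNOREREGEX.search(line):         # ignoreregex takes precedence, as in fail2ban
            continue
        match = FAILREGEX.search(line)
        if not match:
            continue
        ts = datetime.strptime(TIMESTAMP.search(line).group(1), '%d/%b/%Y:%H:%M:%S %z')
        failures.append((ts, match.group('host')))
    return failures

def simulate_jail(failures, findtime=FINDTIME, maxretry=MAXRETRY):
    """Simplified model of the jail: a host is banned at the first failure that brings its
    count inside the trailing findtime window up to maxretry. Returns {host: ban time}."""
    recent, banned = {}, {}
    for ts, host in failures:
        if host in banned:
            continue
        window = [t for t in recent.get(host, []) if ts - t <= findtime] + [ts]
        recent[host] = window
        if len(window) >= maxretry:
            banned[host] = ts
    return banned
```

With these settings the scanner is banned at 07:20:41, on its fifth hit inside the 600 s window, because the 07:05:00 request has already aged out; the visitor's favicon.ico 404 is never counted and its single real 404 stays far below maxretry.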
thanks!