Meguntam, hogy idióta botok állandóan próbálnak bejutni wordpress, joomla, és más weboldalakra tömeges próbálkozással. A problémát jó barátom, Fail2ban segít megoldani.

Már jó ideje aktuális volt a probléma, hiszen a népszerű keretrendszereket folyamatos támadások érik és üzemeltetőként meg kell mondjam, rengeteg problémát is okoznak. Főleg a bővítményeken keresztüli feltörések, ebben egyébként a wordpress vezet.

De maradjunk az eredeti témánál: a webszerver access logjait nézegetve felfedezhettem egy csomó próbálkozást, ilyesmiket:

 

Joomla admin-belépés próbálkozás:

www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:35 +0200] 200 "POST /administrator/index.php HTTP/1.1" 4636 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:35 +0200] 303 "POST /administrator/index.php HTTP/1.1" 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:36 +0200] 200 "POST /administrator/index.php HTTP/1.1" 4636 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:36 +0200] 303 "POST /administrator/index.php HTTP/1.1" 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:36 +0200] 200 "POST /administrator/index.php HTTP/1.1" 4636 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:37 +0200] 303 "POST /administrator/index.php HTTP/1.1" 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:37 +0200] 200 "POST /administrator/index.php HTTP/1.1" 4636 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:38 +0200] 303 "POST /administrator/index.php HTTP/1.1" 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:38 +0200] 200 "POST /administrator/index.php HTTP/1.1" 4636 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:39 +0200] 303 "POST /administrator/index.php HTTP/1.1" 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:40 +0200] 200 "POST /administrator/index.php HTTP/1.1" 4636 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:40 +0200] 303 "POST /administrator/index.php HTTP/1.1" 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:40 +0200] 200 "POST /administrator/index.php HTTP/1.1" 4636 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:41 +0200] 303 "POST /administrator/index.php HTTP/1.1" 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:41 +0200] 200 "POST /administrator/index.php HTTP/1.1" 4636 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:42 +0200] 303 "POST /administrator/index.php HTTP/1.1" 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:42 +0200] 200 "POST /administrator/index.php HTTP/1.1" 4636 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:43 +0200] 303 "POST /administrator/index.php HTTP/1.1" 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:43 +0200] 200 "POST /administrator/index.php HTTP/1.1" 4636 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:44 +0200] 303 "POST /administrator/index.php HTTP/1.1" 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:44 +0200] 200 "POST /administrator/index.php HTTP/1.1" 4636 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:44 +0200] 303 "POST /administrator/index.php HTTP/1.1" 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:45 +0200] 200 "POST /administrator/index.php HTTP/1.1" 4636 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:45 +0200] 303 "POST /administrator/index.php HTTP/1.1" 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:46 +0200] 200 "POST /administrator/index.php HTTP/1.1" 4636 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:46 +0200] 303 "POST /administrator/index.php HTTP/1.1" 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:10:25:47 +0200] 200 "POST /administrator/index.php HTTP/1.1" 4636 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
www.********.hu 177.92.55.217 - - [10/Aug/2014:1025:47 +0200] 303 "POST /administrator/index.php HTTP/1.1" 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.

 

Ez pedig egy wordpress admin-belépés próbálkozás:

www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:24 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:25 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:25 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:26 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:26 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:27 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:27 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:28 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:28 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:29 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:29 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:30 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:30 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:31 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:32 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:32 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:33 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:33 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:34 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:34 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:35 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:35 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:36 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:36 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:37 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:37 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:38 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:38 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:39 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:39 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:40 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:41 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:41 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"
www.********.hu 173.214.168.53 - - [10/Aug/2014:14:44:42 +0200] 200 "POST /wp-login.php HTTP/1.0" 4364 "-" "-" "-"

 

A kimásolt logrészek egyébként az nginx access logjából valók, mely a webszerveren első vonalas harcosként fogadja a 80-as portra érkező kéréseket. Korábban már szükség volt rá, hogy csináljak diagnosztikai célra egy másik logformátumot is, ez így néz ki (az esetleges felhasználás miatt teljes részletességgel leírom, mit hogyan csináltam):

www.********.hu    [173.214.168.53]        200     -       [10/Aug/2014:14:44:32 +0200] "POST /wp-login.php HTTP/1.0" -
www.********.hu    [173.214.168.53]        200     -       [10/Aug/2014:14:44:33 +0200] "POST /wp-login.php HTTP/1.0" -
www.********.hu    [173.214.168.53]        200     -       [10/Aug/2014:14:44:33 +0200] "POST /wp-login.php HTTP/1.0" -
www.********.hu    [173.214.168.53]        200     -       [10/Aug/2014:14:44:34 +0200] "POST /wp-login.php HTTP/1.0" -
www.********.hu    [173.214.168.53]        200     -       [10/Aug/2014:14:44:34 +0200] "POST /wp-login.php HTTP/1.0" -
www.********.hu    [173.214.168.53]        200     -       [10/Aug/2014:14:44:35 +0200] "POST /wp-login.php HTTP/1.0" -

Rendben. Ezt kellene valahogy megfognunk fail2ban-nal. Ha megnézzük, azt láthatjuk, hogy igen rövid idő alatt zúdulnak be a kérések, ami nagyon jó, mert kirívó. Mielőtt a fail2ban felé indulnánk, a legutóbbi log előállításához szükséges nginx konfigrészlet az /etc/nginx/nginx.conf-ban:

log_format watcher '$host\t[$remote_addr]\t$status\t$http_user_agent\t[$time_local] "$request" $http_x_forwarded_for';
access_log /var/log/nginx/watch.log watcher;

Ez nekem a http {} contextben van megadva egyébként, ott ahol a globális beállítások vannak.

 

És akkor fail2ban. Írtam egy php-post.conf regexet (/etc/fail2ban/filter.d/php-post.conf):

[Definition]
failregex = ^.*\t\[<HOST>\].*POST.*(wp-login|/administrator/index.php)

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Oké, és akkor az ehhez tartozó jail.conf rész (csillagozott IP helyén természetesen valós IP van, ami a szerveré, nehogy bármi miatt magát is tiltsa, ámbár ilyen nem történhet 🙂 )

[php-post]
enabled = true
port    = http,https
filter  = php-post
logpath = /var/log/nginx/watch.log
findTime = 30
maxretry = 60
banTime = 3600
ignoreip = *.*.*.* 127.0.0.1

 

A végeredmény pedig ez, látható, hogy működik:

Hi,

The IP 173.214.168.53 has just been banned by Fail2Ban after
60 attempts against php-post.

Here are more information about 173.214.168.53:
...

A fail2ban jail értékeit persze főleg tapasztalati úton lehet megadni, itt a 30 másodpercen belüli 60 próbálkozás jónak bizonyult, és megfogott már 2-3 IP-t péntek hajnal óta. 🙂

Jó szórakozást, ha kérdés lenne, szívesen válaszolok!

0.00 avg. rating (0% score) - 0 votes

Leave a comment

Az e-mail címet nem tesszük közzé. A kötelező mezőket * karakterrel jelöltük