Fail2Ban.WebExploits

This custom Fail2Ban filter and jail will deal with all scans for common Wordpress, Joomla, Drupal and other Web Exploits being scanned for by automated bots and those seeking to find exploitable web sites.

Version: V0.1.27

Total Exploits: 286

• Skill Level: Advanced

:exclamation: CAUTION :exclamation: Be sure you know why you are going to use this filter before simply deploying it :exclamation:

I hold no responsibility for any problems this may cause you. You need to have a thorough understanding of Fail2Ban especially whitelisting. You also need to make sure that if you have ANY of the plugins, templates, folders or files shown in these exploit scan signatures then make sure you stop using such plugins or themes and rename any folders or files to something more suitable. You could very easily block out yourself or your own users. Please take caution with this filter.

How To Use This Filter

1 - Copy the webexploits.conf file from the repository to your server

sudo wget https://raw.githubusercontent.com/mitchellkrogza/Fail2Ban.WebExploits/master/webexploits.conf -O /etc/fail2ban/filter.d/webexploits.conf

2 - Create the Jail Config in your jail.local file

sudo nano /etc/fail2ban/jail.local

Paste the contents below into your jail.local file

For NGINX

[webexploits]
enabled  = true
port     = http,https
filter   = webexploits
logpath = %(nginx_access_log)s
maxretry = 3

For APACHE

[webexploits]
enabled  = true
port     = http,https
filter   = webexploits
logpath = %(apache_access_log)s
maxretry = 3

3 - Test the filter against some of your log files

fail2ban-regex /var/log/nginx/myweb-access.log /etc/fail2ban/filter.d/webexploits.conf

You will see output something like this

Running tests
=============

Use   failregex filter file : webexploits, basedir: /etc/fail2ban
Use         log file : /var/log/nginx/mitchellkrog.com-REDIRECTS-access.log
Use         encoding : UTF-8


Results
=======

Failregex: 391 total
|-  #) [# of hits] regular expression
|   1) [105] ^<HOST> -.*GET.*(/.git/config)
|   3) [16] ^<HOST> -.*GET.*(/administrator/index.php)
|   4) [2] ^<HOST> -.*GET.*(/administrator/manifests/files/joomla.xml)
|   6) [6] ^<HOST> -.*GET.*(/ckupload.php)
|   8) [5] ^<HOST> -.*GET.*(/components/com_adsmanager/js/fullnoconflict.js)
....
....
....
|  68) [9] ^<HOST> -.*GET.*(/wp-content/plugins/wysija-newsletters/readme.txt)
|  69) [1] ^<HOST> -.*GET.*(/wp-content/themes/deep-blue/megaframe/megapanel/inc/functions.php)
|  70) [4] ^<HOST> -.*GET.*(/wp-content/themes/u-design/style.css)
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [4262] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 4262 lines, 0 ignored, 391 matched, 3871 missed [processed in 2.50 sec] 
Missed line(s): too many to print.  Use --print-all-missed to print all 3871 lines

This confirms the webexploits.conf file is detecting hits in your logs for the exploits it covers.

4 - Restart the fail2Ban Service

sudo service fail2ban stop && sudo service fail2ban start

5 - Monitor your email for new notifications that this filter will now be sending.

6 - Stay up to date

As new threats and vulnerable plugins and themes are detected all the time this filter is constantly updated so it's a good idea to keep a regular check here for new updates.

7 - Consider Perma-Banning

Have a look at the Fail2Ban Blacklist JAIL for Repeat Offenders which enables perma-banning on Fail2Ban for Repeat Offenders,

A list of BAD IP's is available from here which is generated using this Perma-Ban filter and used within the awesome Ultimate Hosts Blacklist.

If This This Project helped you out, help support it

SOME OTHER AWESOME FREE PROJECTS

• https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
• https://github.com/mitchellkrogza/apache-ultimate-bad-bot-blocker
• https://github.com/mitchellkrogza/Badd-Boyz-Hosts
• https://github.com/mitchellkrogza/Ultimate.Hosts.Blacklist
• https://github.com/mitchellkrogza/Stop.Google.Analytics.Ghost.Spam.HOWTO
• https://github.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites
• https://github.com/mitchellkrogza/fail2ban-useful-scripts
• https://github.com/mitchellkrogza/linux-server-administration-scripts
• https://github.com/mitchellkrogza/Travis-CI-Nginx-for-Testing-Nginx-Configuration
• https://github.com/mitchellkrogza/Travis-CI-for-Apache-For-Testing-Apache-and-PHP-Configurations
• https://github.com/mitchellkrogza/Fail2Ban-Blacklist-JAIL-for-Repeat-Offenders-with-Perma-Extended-Banning
• https://github.com/funilrys/PyFunceble
• https://github.com/funilrys/dead-hosts
• https://github.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites
• https://github.com/mitchellkrogza/Suspicious.Snooping.Sniffing.Hacking.IP.Addresses

INTO PHOTOGRAPHY?

Come drop by and visit me at mitchellkrog.com or Facebook or Follow Me on Twitter

MIT License

Copyright (c) 2017 Mitchell Krog - [email protected]

https://github.com/mitchellkrogza

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.