Fail2Ban - Block SQL Injection Attacks
Apache mod_cache provides a nice activity log as described in the following post: Website Acceleration - Apache Caching.
Note: I already have a hacker.conf file that blocks IP addresses generating certain Apache errors (see Protect Your Website with Fail2Ban). When reviewing the cache log, I saw the signature of an attempted SQL injection, so I wrote a simple Fail2Ban filter that scans the cache log for SQL injection attempts and bans the attacker.
Create the new filter file:
sudo nano /etc/fail2ban/filter.d/hacker2.conf
The following is the contents of hacker2.conf:
# Fail2Ban simple filter to block SQL injection attacks
[Definition]
# Suspicious fragments looked for in the request line. A literal "%" is written
# as "%%" in a Fail2Ban filter; the backslashes keep "**", "[" and "]" literal,
# otherwise "**" is a regex error and "[|]" only matches a "|" character.
# %%2[eE] catches both the lower- and upper-case encoding of ".." (failregex is
# matched case-sensitively).
resources = %%28|%%29|%%3C|%%3E|%%5B|%%5D|%%5E|%%7B|%%7D|%%2[eE]%%2[eE]|\*\*|///|%%C3|\[|\]|<|>
# <HOST> is mandatory: it is the group Fail2Ban reads the address to ban from.
# It is placed at the start on the assumption that each cache.log line carries
# the client address right after the timestamp; adjust it to the LogFormat you
# defined for the cache log.
failregex = ^<HOST> .*(HEAD|GET|POST) /.*(%(resources)s).*$
# Lines matching this pattern are never counted, even if failregex matches them
ignoreregex = do_not_check_this_page.php
# The timestamp sits at the beginning of each line
datepattern = {^LN-BEG}
Then go to /etc/fail2ban/jail.local and add the following jail. It is set up to ban the IP address permanently after a single attempt (maxretry = 1, bantime = -1), so one false positive, for example a legitimate URL that happens to contain an encoded parenthesis, locks that visitor out for good. Run fail2ban-regex against the log (see below) before enabling the jail, and use fail2ban-client's unbanip command to release an address that was banned by mistake.
[hacker2]
enabled = true
port = http,https
filter = hacker2
logpath = /var/log/apache2/cache.log
maxretry = 1
bantime = -1
Reload fail2ban:
sudo fail2ban-client reload
You can check the status of the hacker2 jail by running this command:
sudo fail2ban-client status hacker2
You can obtain additional information on the queries that triggered a hit by running this second command:
sudo fail2ban-regex '/var/log/apache2/cache.log' /etc/fail2ban/filter.d/hacker2.conf --print-all-matched
I found the following match from IP address 185.164.121.186:
/entries.php?thread_id=%27nvOpzp;%20AND%201=1%20OR%20(%3C%27%22%3EiKO))
Per URL Decoder, this translates to:
/entries.php?thread_id='nvOpzp; AND 1=1 OR (<'">iKO))
An entry at Stackoverflow explains the purpose of the attack: the string is a generic probe sent by automated scanners. The stray quote is meant to break out of a string literal in the query, the AND 1=1 OR fragment tests whether injected boolean logic changes the response, and the <'"> characters check whether the parameter is reflected into the page unescaped.
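To see what the filter actually catches before switching on a permanent ban, here is an added example, written for this page and not part of the original post or of Fail2Ban, that re-creates the hacker2 failregex in Python and runs it over a few constructed cache.log lines. The log layout (timestamp, client address, quoted request line, status code) is an assumption, because the real LogFormat is defined in the linked mod_cache post and is not shown here; the sample lines, including the probe reported above, are constructed for the test. It goes a little beyond the post by also showing the upper-case %2E%2E traversal form and a harmless URL with encoded parentheses that the filter bans as a false positive.

```python
import re
from urllib.parse import unquote

# Same alternation as the "resources" line in hacker2.conf after Fail2Ban's
# "%%" -> "%" interpolation; regex metacharacters are escaped so that "**",
# "[" and "]" are matched literally.
RESOURCES = (
    r"%28|%29|%3C|%3E|%5B|%5D|%5E|%7B|%7D|%2[eE]%2[eE]|"
    r"\*\*|///|%C3|\[|\]|<|>"
)

# Fail2Ban substitutes <HOST> with its own address pattern; an IPv4 group is
# enough for this demonstration. Case-sensitive, as Fail2Ban matches it.
FAILREGEX = re.compile(
    r"^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) .*(?:HEAD|GET|POST) /.*(?:"
    + RESOURCES
    + r").*$"
)
IGNOREREGEX = re.compile(r"do_not_check_this_page\.php")

# Leading timestamp that datepattern = {^LN-BEG} would locate; Fail2Ban cuts it
# out of the line before failregex is applied. The format is an assumption.
DATE_PREFIX = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")


def match_line(line):
    """Return the offending host for one log line, or None, evaluated the way
    the jail does it: ignoreregex wins over failregex."""
    body = DATE_PREFIX.sub("", line, count=1)
    if IGNOREREGEX.search(body):
        return None
    m = FAILREGEX.match(body)
    return m.group("host") if m else None


def decode_query(line):
    """URL-decode the request path so the payload can be read."""
    path = re.search(r'"(?:HEAD|GET|POST) (\S+)', line).group(1)
    return unquote(path)


# Constructed log lines in an assumed "<date> <ip> \"<request>\" <status>" layout.
SAMPLE_LOG = [
    # the probe reported in the post
    '2022-09-02 10:15:01 185.164.121.186 "GET /entries.php?thread_id=%27nvOpzp;%20AND%201=1%20OR%20(%3C%27%22%3EiKO)) HTTP/1.1" 200',
    # ordinary page view: no match
    '2022-09-02 10:15:02 198.51.100.7 "GET /entries.php?thread_id=42 HTTP/1.1" 200',
    # upper-case dot-dot traversal probe, caught by %2[eE]%2[eE]
    '2022-09-02 10:15:03 203.0.113.9 "GET /images/%2E%2E/%2E%2E/etc/passwd HTTP/1.1" 404',
    # harmless encoded parentheses in a title: a false positive and a permanent ban
    '2022-09-02 10:15:04 192.0.2.55 "GET /wiki/Python_%28programming_language%29 HTTP/1.1" 200',
    # contains "<" but is excluded by ignoreregex
    '2022-09-02 10:15:05 192.0.2.56 "POST /do_not_check_this_page.php?q=<b> HTTP/1.1" 200',
]


def banned_hosts(lines=SAMPLE_LOG):
    """Hosts the hacker2 jail would ban (maxretry = 1, so one hit is enough)."""
    return [h for h in (match_line(l) for l in lines) if h]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_line(line) or "-", decode_query(line))
```

Run it with python3: each sample line prints the address the jail would ban (or "-") next to the decoded request, which makes the false positive on the encoded-parentheses URL easy to spot. The same lines can be pasted into a scratch log and checked with the fail2ban-regex command above to confirm the real filter agrees.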
As a final note, you can pull up a list of all jailed IP addresses by running the following command. It shows the Fail2Ban chains only when the jail's banaction is iptables-based; with an nftables or ipset banaction the banned addresses are listed in the fail2ban-client status output shown above instead:
sudo iptables -L --line-numbers
* posted by Robert on Fri, Sep 02, 2022