WebTracker.one
Fail2Ban - Block SQL Injection Attacks

Apache mod_cache provides a nice activity log as described in the following post: Website Acceleration - Apache Caching.

When reviewing the log, I saw the signature of an attempted SQL injection. So I then wrote a simple Fail2Ban filter to scan the cache log, look for SQL injection attempts, and block the attacker.

Create the following file:

sudo nano /etc/fail2ban/filter.d/hacker2.conf

Note: I already have a hacker.conf file for blocking IP addresses that generate certain Apache errors; see the post Protect Your Website with Fail2Ban.

The following is the contents of the hacker2.conf file:

# Fail2Ban simple filter to block SQL injection attacks
[Definition]
resources = %%28|%%29|%%3C|%%3E|%%5B|%%5D|%%5E|%%7B|%%7D|%%2e%%2e|\*\*|///|%%C3|[|]|<|>
failregex = ^<HOST>.*(POST|GET) /.*(%(resources)s).*$
ignoreregex = do_not_check_this_page.php
datepattern = {^LN-BEG}

Then add the following jail to /etc/fail2ban/jail.local. It is set up to ban the attacker's IP address permanently after one attempt:

[hacker2]
enabled = true
port = http,https
filter = hacker2
logpath = /var/log/apache2/cache.log
maxretry = 1
bantime = -1

Reload Fail2Ban:

sudo fail2ban-client reload

You can check the status of the hacker2 jail by running this command:

sudo fail2ban-client status hacker2

You can obtain additional information on the queries that triggered a hit by running this second command:

sudo fail2ban-regex '/var/log/apache2/cache.log' /etc/fail2ban/filter.d/hacker2.conf --print-all-matched

I found the following match from IP address 185.164.121.186:

/entries.php?thread_id=%27nvOpzp;%20AND%201=1%20OR%20(%3C%27%22%3EiKO))

Per URLDecoder.net, this decodes to:

/entries.php?thread_id='nvOpzp; AND 1=1 OR (<'">iKO))

An entry at Stackoverflow explains the purpose of the attack.
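To check what the hacker2 filter actually matches before pointing fail2ban-regex at a live log, here is an added example (my own code, not from the post or from the Fail2Ban project). It feeds the hacker2.conf text above to Python's configparser, whose BasicInterpolation performs the same two expansions Fail2Ban relies on here (%% becomes a literal % and %(resources)s is expanded), substitutes a simplified stand-in for <HOST> (an assumption; Fail2Ban's real host pattern is more elaborate), and runs the resulting failregex and ignoreregex over a few constructed log lines in an assumed layout (client IP first, then the quoted request line; the real layout depends on the LogFormat configured for mod_cache). It also percent-decodes the request path quoted above the way URLDecoder.net did.

```python
"""Offline check of the hacker2.conf filter logic (added example, not from the post)."""
import configparser
import re
from urllib.parse import unquote

# Verbatim contents of hacker2.conf from the post (raw string so \* survives).
HACKER2_CONF = r"""
# Fail2Ban simple filter to block SQL injection attacks
[Definition]
resources = %%28|%%29|%%3C|%%3E|%%5B|%%5D|%%5E|%%7B|%%7D|%%2e%%2e|\*\*|///|%%C3|[|]|<|>
failregex = ^<HOST>.*(POST|GET) /.*(%(resources)s).*$
ignoreregex = do_not_check_this_page.php
datepattern = {^LN-BEG}
"""

# Fail2Ban replaces <HOST> with its own IP/hostname pattern; this is a
# simplified stand-in (assumption) that is good enough for dotted-quad clients.
HOST_RE = r"(?P<host>\S+)"

# Constructed sample lines in an assumed mod_cache log layout: client IP first,
# then the quoted request line. The first request path is the one quoted in
# the post; the other three lines are made up for the test.
SAMPLE_LOG = [
    '185.164.121.186 "GET /entries.php?thread_id=%27nvOpzp;%20AND%201=1%20OR%20(%3C%27%22%3EiKO)) HTTP/1.1" miss',
    '198.51.100.7 "GET /entries.php?thread_id=42 HTTP/1.1" hit',
    '198.51.100.8 "GET /do_not_check_this_page.php?q=%3Cb%3E HTTP/1.1" miss',
    '198.51.100.9 "GET /caf%C3%A9.html HTTP/1.1" miss',
]


def load_filter(conf_text: str):
    """Parse the filter text and return compiled (failregex, ignoreregex).

    configparser's BasicInterpolation turns '%%' into a literal '%' and expands
    '%(resources)s' with the value of the 'resources' option, which is exactly
    what makes the one-line failregex in the post work.
    """
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cp.read_string(conf_text)
    section = cp["Definition"]
    fail = section["failregex"].replace("<HOST>", HOST_RE)
    ignore = section["ignoreregex"]
    # Fail2Ban compiles failregex with re.MULTILINE and without re.IGNORECASE;
    # keep the same flags to see exactly what the filter as written catches.
    return re.compile(fail, re.MULTILINE), re.compile(ignore)


def scan(lines, failregex, ignoreregex):
    """Return (host, line) pairs the jail would count as failures.

    Lines matching ignoreregex are skipped before failregex is applied, which
    is the order Fail2Ban uses.
    """
    hits = []
    for line in lines:
        if ignoreregex.search(line):
            continue
        match = failregex.search(line)
        if match:
            hits.append((match.group("host"), line))
    return hits


def banned_hosts(lines=SAMPLE_LOG, conf_text=HACKER2_CONF):
    """Hosts the hacker2 jail (maxretry = 1) would ban for the given lines."""
    failregex, ignoreregex = load_filter(conf_text)
    return [host for host, _ in scan(lines, failregex, ignoreregex)]


def decode_request_path(path: str) -> str:
    """Percent-decode a request path, as URLDecoder.net did for the post."""
    return unquote(path)


if __name__ == "__main__":
    fail_re, ignore_re = load_filter(HACKER2_CONF)
    for host, line in scan(SAMPLE_LOG, fail_re, ignore_re):
        print(f"would ban {host}: {decode_request_path(line)}")
```

Two things the run makes visible. First, the 198.51.100.9 line is banned only because %C3 is the first byte of the UTF-8 encoding of every accented Latin-1 letter (é, ü, ñ and so on), so with maxretry = 1 and bantime = -1 a single legitimate request for a path containing such a character is a permanent ban; drop %%C3 from resources or whitelist those paths in ignoreregex if your site serves them. Second, because the regex is compiled without re.IGNORECASE, the escapes match only in the exact case written (%%3C but not %3c, %%2e but not %2E); putting the inline flag (?i) at the start of failregex makes the filter case-insensitive. Note also that [|] in resources is a character class matching a literal pipe, not square brackets; unencoded brackets would need \[ and \].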

As a final note, you can pull up a list of all jailed IP addresses by running the following command:

sudo iptables -L --line-numbers

Posted by Robert on Fri, Sep 02, 2022

© 2023 WebTracker.one