Default apache2 vhost

Hello all,
following my troubles with mod-evasive, which needs "default" enabled.
mod-evasive-ne-fonctionne-pas-t39003.html

I'm wondering about its usefulness, and about the risks incurred when it is active and points to /var/www by default?

Well, I'll answer myself, in case it is useful to others.

[code][Tue Oct 02 20:36:44 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/muieblackcat
[Tue Oct 02 20:36:45 2012] [error] [client 58.17.30.43] script '/var/www/default/index.php' not found or unable to stat
[Tue Oct 02 20:36:46 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/admin
[Tue Oct 02 20:36:47 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/admin
[Tue Oct 02 20:36:47 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/admin
[Tue Oct 02 20:36:48 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/db
[Tue Oct 02 20:36:49 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/dbadmin
[Tue Oct 02 20:36:50 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/myadmin
[Tue Oct 02 20:36:51 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/mysql
[Tue Oct 02 20:36:51 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/mysqladmin
[Tue Oct 02 20:36:52 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/typo3
[Tue Oct 02 20:36:53 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/phpadmin
[Tue Oct 02 20:36:54 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/phpMyAdmin
[Tue Oct 02 20:36:55 2012] [error] [client 58.17.30.43] client denied by server configuration: /usr/share/phpmyadmin/index.php
[Tue Oct 02 20:36:56 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/phpmyadmin1
[Tue Oct 02 20:36:56 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/phpmyadmin2
[Tue Oct 02 20:36:57 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/pma
[Tue Oct 02 20:36:58 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/web
[Tue Oct 02 20:36:59 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/xampp
[Tue Oct 02 20:37:00 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/web
[Tue Oct 02 20:37:00 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/php-my-admin
[Tue Oct 02 20:37:01 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/websql
[Tue Oct 02 20:37:02 2012] [error] [client 58.17.30.43] client denied by server configuration: /usr/share/phpmyadmin/index.php
[Tue Oct 02 20:37:03 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/phpMyAdmin
[Tue Oct 02 20:37:04 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/phpMyAdmin-2
[Tue Oct 02 20:37:04 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/php-my-admin
[Tue Oct 02 20:37:05 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/phpMyAdmin-2.2.3
[Tue Oct 02 20:37:06 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/phpMyAdmin-2.2.6
[Tue Oct 02 20:37:07 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/phpMyAdmin-2.5.1
[Tue Oct 02 20:37:08 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/phpMyAdmin-2.5.4
[Tue Oct 02 20:37:08 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/phpMyAdmin-2.5.5-rc1
[Tue Oct 02 20:37:09 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/phpMyAdmin-2.5.5-rc2
[Tue Oct 02 20:37:10 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/phpMyAdmin-2.5.5
[Tue Oct 02 20:37:11 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/phpMyAdmin-2.5.5-pl1
[Tue Oct 02 20:37:12 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/phpMyAdmin-2.5.6-rc1
[Tue Oct 02 20:37:12 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/phpMyAdmin-2.5.6-rc2
[Tue Oct 02 20:37:13 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/phpMyAdmin-2.5.6
[Tue Oct 02 20:37:14 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/phpMyAdmin-2.5.7
[Tue Oct 02 20:37:15 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/phpMyAdmin-2.5.7-pl1
[Wed Oct 03 06:02:38 2012] [error] [client 71.170.171.179] File does not exist: /var/www/default/manager
[Wed Oct 03 06:15:17 2012] [error] [client 219.94.244.73] File does not exist: /var/www/default/w00tw00t.at.blackhats.romania$
[Wed Oct 03 06:15:17 2012] [error] [client 219.94.244.73] File does not exist: /var/www/default/phpMyAdmin
[Wed Oct 03 06:15:18 2012] [error] [client 219.94.244.73] File does not exist: /var/www/default/pma
[Wed Oct 03 06:15:19 2012] [error] [client 219.94.244.73] File does not exist: /var/www/default/myadmin
[Wed Oct 03 06:15:20 2012] [error] [client 219.94.244.73] File does not exist: /var/www/default/MyAdmin
[Wed Oct 03 23:45:54 2012] [error] [client 81.22.255.83] File does not exist: /var/www/default/my-http-headers
[Fri Oct 05 04:21:01 2012] [error] [client 211.152.34.100] File does not exist: /var/www/default/user[/code]
But how can they probe like this? Against which domain name, or against my IP?

I lean toward IP ranges.

I regularly see attempts like this go by. There are also attempts with judge.php, or with proxy in the URL.

For now, the only ones I know how to block are those tied to DFIND and its malformed requests. For the others, I haven't found a solution with fail2ban.

Hi,

To remedy this, I built myself a fail2ban filter, which I improve as the logs and time go by. 8)

This filter is based essentially on the access.log file, not on error.log!

[code] ~ # cat /etc/fail2ban/jail.conf


[apache-anti-scripts]

enabled = true
filter = apache-anti-scripts
action = iptables[name=apache-anti-scripts,port=80,protocol=tcp]
logpath = /var/log/apache2/access.log*
bantime = 31536000
findtime = 31536000
maxretry = 1


[/code]

[code]cat /etc/fail2ban/filter.d/apache-anti-scripts.conf
# Fail2Ban configuration file
#
# Author: loreleil
# jm@xxxxxxxxx
#
# $Revision$ 059
#
# 03/10/2012
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the w00tw00t scan messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching.
#          The [^A-Za-z] after each token list requires the token to end the
#          path segment (or be followed by a version digit, as in
#          phpMyAdmin-2.x), so short entries such as p, m or a do not fire
#          inside ordinary URLs.
# Values:  TEXT
#
failregex = ^<HOST> -.*"GET .*/(scripts|admin|mysql|dbadmin|help|utilities|myadmin|db|dbadmin|myadmin|mysqlAdmin|typo3|cms|tools|phpldap|phpldapadmin|phpadmin|phpMyAdmin)[^A-Za-z].*".*
            ^<HOST> -.*"GET .*/(phpMyAdmin-2\.|phpmyadmin|phpmyadmin1|ldap|htdocs|pma|p|m|a|PMA2005|pma2005|PMA2009|PMA3|SSLMySQLAdmin|3rdparty|81|backup|bbs|bkup|blog)[^A-Za-z].*".*
            ^<HOST> -.*"GET .*/(cpadmin|cpadmindb|cpanelmysql|cpanelphpmyadmin|data|mydatadmin|mysqladminconfig|pHpMy|wp-phpmyadmin|wp-admin|log|fwkfor|wp-content)[^A-Za-z].*".*
            ^<HOST> -.*"GET .*/(wp-includes|web|xampp|php-my-admin|phpMyAdmin-2\.|phpmanager|php-myadmin|webadmin|websql|webdb|mysql-admin|vhcs2|AUTHORS|calendar|webcal)[^A-Za-z].*".*
            ^<HOST> -.*"GET .*/(cal|muieblackcat|liveT|liveE|liveM|wordpress|spywall|jmx-console|program|mail|email|ip|joomla|spip|phpvirtualbox|vbox)[^A-Za-z].*".*
            ^<HOST> -.*"HEAD .*/(scripts|admin|db|dbadmin|myadmin|mysql|typo3|phpadmin|phpMyAdmin|phpmyadmin|phpmyadmin1|pma|web|xampp|php-my-admin|phpMyAdmin-2\.)[^A-Za-z].*".*
            ^<HOST> -.*"HEAD .*/(phpmanager|php-myadmin|webadmin|websql|webdb|mysql-admin|manager|liveT|fckeditor|FCKeditor|log)[^A-Za-z].*".*
            ^<HOST> -.*"HEAD .*/(mysql|phpmyadmin2|MyAdmin|db|phpMyAdmin-2\.|administrator|phpMyAdmin-2|php-my-admin|phpMyAdmin-2\.|dawdwadwaad|web-console|manager)[^A-Za-z].*".*
            ^<HOST> -.*"HEAD .*/(liveT|liveE|liveM|wordpress|Artexia)[^A-Za-z].*".*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
[/code]

Be careful not to leave any stray spaces in any of the regexes and filters you create!

* edit *

To convince yourself... :whistle:

~ # fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-anti-scripts.conf

er, that said, I'll paste it in T&A . ^¿^ . :wink:

Hi you two,
I've had apache-noscript enabled in fail2ban for a while, but apparently its regex doesn't take these into account:

[code]failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)
            [[]client <HOST>[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat *$
            [[]client <HOST>[]] File does not exist: .*
            [[]client <HOST>[]] script '/var/www/.*\.php' not found or unable to stat[/code]

apache-nohome too:

[code]failregex = [[]client <HOST>[]] File does not exist: .*/~.*
            [[]client <HOST>[]] File does not exist: .*[/code]
I'll run various tests to improve it.
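An added example, written for this page and not taken from any of the posts above, that does by hand what `fail2ban-regex` does: expand the `<HOST>` tag the way fail2ban 0.8 does, run a failregex list over log lines and count hits per client. It covers both approaches discussed in the thread: an access.log filter in the spirit of apache-anti-scripts, cut down to a handful of tokens, and the error.log lines quoted for apache-noscript. Two things are assumptions of this example rather than the posted filter: the `[^A-Za-z]` after the token list (so that one-letter entries such as `p`, `m`, `a` or a short word like `web` only match a whole path segment or a version prefix like phpMyAdmin-2.x, since a bare `.*(p|m|a).*` matches almost every URL, and with `maxretry = 1` and a one-year bantime that would lock out ordinary visitors), and the sample log lines, which are constructed to resemble the scan in the first post. The filter also assumes none of the listed paths exist on the site being protected.

```python
import re
from collections import Counter

# fail2ban 0.8 expands the <HOST> tag to this pattern; the group must be named
# "host", as the filter notes above require.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"


def compile_failregex(block):
    """Compile a fail2ban-style failregex block (one regex per line), expanding <HOST>."""
    return [re.compile(line.strip().replace("<HOST>", HOST))
            for line in block.strip().splitlines() if line.strip()]


def match_host(line, regexes):
    """Return the offending host if any regex matches the log line, else None."""
    for rx in regexes:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def scan(lines, regexes):
    """Count matching lines per host, the way a jail accumulates failures."""
    hits = Counter()
    for line in lines:
        host = match_host(line, regexes)
        if host:
            hits[host] += 1
    return hits


def to_ban(hits, maxretry):
    """Hosts a jail with this maxretry would ban (findtime ignored: one static sample)."""
    return {host for host, n in hits.items() if n >= maxretry}


# access.log filter (assumed, cut-down token list). [^A-Za-z] after the token is the
# boundary added in this example: the token must end the path segment or be followed
# by a version digit, so p, m, a cannot fire inside /about.html or /map.png.
ACCESS_FAILREGEX = r"""
^<HOST> -.*"(GET|HEAD) .*/(muieblackcat|w00tw00t|phpMyAdmin-2\.|pma|p|m|a|web)[^A-Za-z].*".*
"""

# error.log filters: the two stock apache-noscript lines quoted above, then the
# catch-all "File does not exist" line from the same post.
NOSCRIPT_FAILREGEX = r"""
[[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)
[[]client <HOST>[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat *$
"""
CATCHALL_FAILREGEX = r"""
[[]client <HOST>[]] File does not exist: .*
"""

# Constructed access.log lines (combined format) modelled on the scan in the thread;
# 192.0.2.10 is a legitimate visitor whose URLs contain the letters p, m, a and "web".
ACCESS_LOG = [
    '58.17.30.43 - - [02/Oct/2012:20:36:44 +0200] "GET /muieblackcat HTTP/1.1" 404 482 "-" "-"',
    '58.17.30.43 - - [02/Oct/2012:20:37:10 +0200] "GET /phpMyAdmin-2.5.5/ HTTP/1.1" 404 482 "-" "-"',
    '219.94.244.73 - - [03/Oct/2012:06:15:17 +0200] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 482 "-" "-"',
    '219.94.244.73 - - [03/Oct/2012:06:15:18 +0200] "HEAD /pma/ HTTP/1.1" 404 - "-" "-"',
    '192.0.2.10 - - [03/Oct/2012:09:00:01 +0200] "GET /about.html HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [03/Oct/2012:09:00:02 +0200] "GET /images/map.png HTTP/1.1" 200 8801 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [03/Oct/2012:09:00:03 +0200] "GET /webmail/ HTTP/1.1" 200 1500 "-" "Mozilla/5.0"',
]

# Constructed error.log lines in the format shown in the first post.
ERROR_LOG = [
    "[Tue Oct 02 20:36:44 2012] [error] [client 58.17.30.43] File does not exist: /var/www/default/muieblackcat",
    "[Tue Oct 02 20:36:45 2012] [error] [client 58.17.30.43] script '/var/www/default/index.php' not found or unable to stat",
    "[Wed Oct 03 06:02:38 2012] [error] [client 71.170.171.179] File does not exist: /var/www/default/manager",
]

ACCESS_RX = compile_failregex(ACCESS_FAILREGEX)
NOSCRIPT_RX = compile_failregex(NOSCRIPT_FAILREGEX)
CATCHALL_RX = compile_failregex(NOSCRIPT_FAILREGEX + CATCHALL_FAILREGEX)


def access_hits():
    return scan(ACCESS_LOG, ACCESS_RX)


def noscript_hits():
    return scan(ERROR_LOG, NOSCRIPT_RX)


def catchall_hits():
    return scan(ERROR_LOG, CATCHALL_RX)


if __name__ == "__main__":
    print("access.log :", dict(access_hits()), "-> ban", sorted(to_ban(access_hits(), 1)))
    print("noscript   :", dict(noscript_hits()))
    print("catch-all  :", dict(catchall_hits()))
```

Run as-is, the access.log filter flags only the two scanners and leaves the visitor with `/about.html`, `/images/map.png` and `/webmail/` alone. On the error.log side, the stock apache-noscript lines only fire on paths ending in .php/.asp/.exe/.pl, which is why probes for /admin, /pma or /manager in the first post's error.log slip past them; the catch-all `File does not exist: .*` line does catch those, at the cost of also banning anyone who follows a broken link on your own site.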

My whole network is on DHCP. I checked on the router with my Android, the PC shows up fine and all the connected devices have a different IP, no IP conflict. I just posted a cat of the interfaces file, I haven't changed anything in it.

Open a thread for your problem.