Score:0

Editing fail2ban apache-noscript config to add "AH10244: invalid URI path"

dan

I have the following (default) /etc/fail2ban/filter.d/apache-noscript.conf configuration file:

[Definition]

script = /\S*(?:php(?:[45]|[.-]cgi)?|\.asp|\.exe|\.pl|\bcgi-bin/)

prefregex = ^%(_apache_error_client)s (?:AH0(?:01(?:28|30)|1(?:264|071)|2811): )?(?:(?:[Ff]ile|script|[Gg]ot) )<F-CONTENT>.+</F-CONTENT>$

failregex = ^(?:does not exist|not found or unable to stat): <script>\b
            ^'<script>\S*' not found or unable to stat
            ^error '[Pp]rimary script unknown(?:\\n)?'

I noticed the following error didn't trigger the jail:

 AH10244: invalid URI path (/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts)

I think this should belong to the apache-noscript jail... from my understanding, I need to adjust both the prefregex and the failregex? I don't think AH10244 matches (?:AH0(?:01(?:28|30)|1(?:264|071)|2811): )?, but I don't fully understand why prefregex is needed at all, even after reading the official doc.

Any help to get me started would be appreciated.

Score:0
dan

Not extremely elegant, but I was able to make it work...

[Definition]

script = /\S*(?:php(?:[45]|[.-]cgi)?|\.asp|\.exe|\.pl|\bcgi-bin/)

prefregex = ^%(_apache_error_client)s ((?:(?:AH0(?:01(?:28|30)|1(?:264|071)|2811): )?(?:(?:[Ff]ile|script|[Gg]ot) ))|(?:AH10244: ))<F-CONTENT>.+</F-CONTENT>$

failregex = ^(?:does not exist|not found or unable to stat): <script>\b
            ^'<script>\S*' not found or unable to stat
            ^error '[Pp]rimary script unknown(?:\\n)?'
            ^invalid URI path

Basically, I kept much of the original prefregex as-is but I added an OR clause with (?:AH10244: ) to hit the AH10244 error I'm looking for. Then, I just added an additional failregex at the end with ^invalid URI path.

This is tested with Apache 2.4 exclusively and won't work with every setup. Also, to test whether it's working or not, we can use fail2ban-regex -v with the logfile and the configuration file:

fail2ban-regex -v /var/log/apache2/errors.log /etc/fail2ban/filter.d/apache-noscript.conf
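
An added example, not part of the original answer and not fail2ban's own code: a Python emulation of the two-stage match, where prefregex first extracts <F-CONTENT> and each failregex is then tried against that content only. It shows why both regexes have to change. CLIENT is a simplified stand-in for %(_apache_error_client)s, and the log timestamps, PIDs and client address are constructed.

```python
import re

# Assumption: simplified stand-in for %(_apache_error_client)s (timestamp included).
CLIENT = r"\[[^\]]+\] \[[^\]]+\] \[pid \d+(?::tid \d+)?\] \[client (?P<host>[\d.]+)(?::\d+)?\]"
SCRIPT = r"/\S*(?:php(?:[45]|[.-]cgi)?|\.asp|\.exe|\.pl|\bcgi-bin/)"

# prefregex from the default filter and from the answer, copied verbatim.
PREF_DEFAULT = r"^%(_apache_error_client)s (?:AH0(?:01(?:28|30)|1(?:264|071)|2811): )?(?:(?:[Ff]ile|script|[Gg]ot) )<F-CONTENT>.+</F-CONTENT>$"
PREF_EDITED = r"^%(_apache_error_client)s ((?:(?:AH0(?:01(?:28|30)|1(?:264|071)|2811): )?(?:(?:[Ff]ile|script|[Gg]ot) ))|(?:AH10244: ))<F-CONTENT>.+</F-CONTENT>$"

FAIL_DEFAULT = [
    r"^(?:does not exist|not found or unable to stat): <script>\b",
    r"^'<script>\S*' not found or unable to stat",
    r"^error '[Pp]rimary script unknown(?:\\n)?'",
]
FAIL_EDITED = FAIL_DEFAULT + [r"^invalid URI path"]

def expand(pref):
    """Substitute the fail2ban placeholders with plain Python regex syntax."""
    return (pref.replace("%(_apache_error_client)s", CLIENT)
                .replace("<F-CONTENT>.+</F-CONTENT>", "(?P<content>.+)"))

def matched_host(line, prefregex, failregexes):
    """Return the client address if the line counts as a failure, else None."""
    pre = re.search(expand(prefregex), line)
    if pre is None:              # stage 1: prefix rejected, failregex never runs
        return None
    content = pre.group("content")
    for fr in failregexes:       # stage 2: failregex sees only <F-CONTENT>
        if re.search(fr.replace("<script>", SCRIPT), content):
            return pre.group("host")
    return None

# Constructed log lines; the AH10244 message text is the one from the question.
HDR = "[Mon Oct 11 10:00:00.123456 2021] [core:error] [pid 1234] [client 203.0.113.7:54321] "
AH10244 = HDR + ("AH10244: invalid URI path (/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/"
                 "%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts)")
AH01264 = HDR + "AH01264: script not found or unable to stat: /usr/lib/cgi-bin/test.pl"

if __name__ == "__main__":
    for name, pref, fails in [("default", PREF_DEFAULT, FAIL_DEFAULT),
                              ("edited prefregex only", PREF_EDITED, FAIL_DEFAULT),
                              ("edited both", PREF_EDITED, FAIL_EDITED)]:
        print(name, "->", matched_host(AH10244, pref, fails),
              "/", matched_host(AH01264, pref, fails))
```

The real prefix regex lives in apache-common.conf, so fail2ban-regex against the actual log remains the authoritative check.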