Last-modified: 2014-10-16 (木) 02:12:34
スクリプト/nginx-shellshock.conf

概要

fail2banのNginx Shellshock用フィルタです。

フィルタ対象フォーマット

[27/Sep/2014:23:46:16 +0900],401,-,0.000,188,118.192.48.6,"GET /cgi-bin/count.cgi HTTP/1.1","() { :; }; echo Mozilla: `echo kUOm4N0953`;"

/etc/fail2ban/filter.d/nginx-shellshock.conf

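# Fail2Ban configuration file
#
# Author: paburica
#
# $Revision$
#
# Filter for nginx access logs: flags requests in which a quoted field
# carries the Shellshock function-definition prefix "() {" and reports the
# client address through <HOST>.

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

# Option:  failregex
# Notes.:  Written for the comma-separated log format of the sample line:
#            [time],field,field,field,field,client address,"request","user agent"
#          The timestamp and the four fields before <HOST> use negated
#          classes ([^\]]* and [^,]+) instead of wildcards, so none of them can
#          run across a field boundary and <HOST> stays pinned to the sixth
#          field. Log lines carry client-supplied text, and a floating <HOST>
#          could end up capturing an address other than the real client.
#          A line whose leading fields contain a comma is simply not matched.
#          The signature is "(" ")" "{" separated only by optional whitespace.
#          Matching any "(...)" followed later by "{" would also hit ordinary
#          parenthesised text such as a browser user agent.
#          Check the result with fail2ban-regex against real logs before
#          enabling the jail.
# Values:  TEXT
#
failregex = ^\[[^\]]*\],[^,]+,[^,]+,[^,]+,[^,]+,<HOST>,.+?,".*?\(\s*\)\s*\{.*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =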

その他

  1. /etc/fail2ban/jail.local例
    # Jail that applies the nginx-shellshock filter to the nginx access logs
    [nginx-shellshock]
    enabled = true
    filter = nginx-shellshock
    port = http,https
    logpath = /opt/nginx/log/*/access.log
    # A single matching line is enough to trigger a ban, so the filter's
    # failregex has to be specific
    maxretry = 1
    # Ban duration in seconds
    bantime = 3600
  2. 反映
    # Verify: dry-run the filter against a log file (substitute the log path
    # for the placeholder) and review the matched lines for false positives --
    # the jail on this page bans on the first match
    fail2ban-regex <対象ログパス> /etc/fail2ban/filter.d/nginx-shellshock.conf
    # Apply: restart fail2ban so the new filter and jail take effect
    service fail2ban restart

検証時の環境