Actions
Feature #16219
open
Security: IPs von Hacking Angriffen sperren - Integration voin Fail2Ban
Start date:
13.05.2023
Due date:
% Done:
0%
Estimated time:
Discuss:
Prio Planung:
No
Vote:
Description
- Setup machen damit Fail2Ban automatisiert IPs sperrt.
- Setup in qfq.io/doc unter Security dokumentieren.
- Gewisse Fehler, z.B. 'Security: attack detected' werden via syslog gemeldent (konfigurierbar in QFQ). Fail2Ban agiert dann entsprechend
- In den QFQ/T3 Instanzen eine Seite einrichten die gesperrte IPs anzeigt, damit man schnell testen kann ob eine IP betroffen ist.
- Whitelist: IPs die nie gesperrt werden - z.B. UZH.
- Greylist: IPs die umgeleitet werden auf eine Seite 'Your IP has been blocked' - z.B. alle Schweizer IPs
- Integration eines IP/Geolocations Services.
- Neu gesperrte IPs sollen via Mail gemeldet werden.
- Bestehende Logfiles analysieren: klassische Versuche auf WP Dateien fuehren automatisch zu einer Sperrung der IP - da koennte z.B. ein cron job oder inotify daemon via fail2ban die IP sperren.
Beispiel Angriff:
[2022-10-23 03:48:38 / 45.227.253.6 / <no session cookie>] Security: attack detected
Problem: Post/Get Honeypot variable 'email' detected: 1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Post/Get Honeypot variable 'username' detected: 1
Post/Get Honeypot variable 'password' detected: 1
[2022-11-23 16:17:30 / 216.131.108.251 / 23r2ldp832obrii5t0oblg3i09] Security: attack detected
Problem: Value of GET variable 'sOIQ' too long. Allowed: 50, Length: 172. Value: '2408 AND 1=1 UNION ALL SELECT 1,NULL,'<script>alert("XSS")</script>',table_name FROM information_schema.tables WHERE 2>1--/**/; EXEC xp_cmdshell('cat ../../../etc/passwd')#'
[2022-12-28 02:21:54 / 45.81.39.101 / 2q5m8frmlchk9b0lndt3b00b1h] Security: attack detected
Problem: Value of GET variable 'CDRC' too long. Allowed: 50, Length: 172. Value: '4935 AND 1=1 UNION ALL SELECT 1,NULL,'<script>alert("XSS")</script>',table_name FROM information_schema.tables WHERE 2>1--/**/; EXEC xp_cmdshell('cat ../../../etc/passwd')#'
Related issues
Updated by Carsten Rose about 1 year ago
- Subject changed from IPs von Hacking Angriffen sperren - Integration voin Fail2Ban to Securitry: IPs von Hacking Angriffen sperren - Integration voin Fail2Ban
Updated by Carsten Rose about 1 year ago
- Subject changed from Securitry: IPs von Hacking Angriffen sperren - Integration voin Fail2Ban to Security: IPs von Hacking Angriffen sperren - Integration voin Fail2Ban
Updated by Carsten Rose 9 months ago
- Has duplicate Feature #15992: Block IP for failed logins added
Updated by Carsten Rose 9 months ago
- Has duplicate deleted (Feature #15992: Block IP for failed logins)
Updated by Carsten Rose 9 months ago
- Related to Feature #15992: Block IP for failed logins added
Actions