Blocking PHP Injection attack on Apache Web Server with Fail2ban

Recently I had a terrible time with attackers on a customer's website. The customer was running an older WordPress version, and the attack was mainly exploiting the security issues associated with that older version.

Below are the steps we took to block these attacks on the Apache web server. The steps are specific to Ubuntu/Debian, but a similar configuration works for Fedora or CentOS.

1. Install the fail2ban package from the apt repository:

# apt-get install fail2ban

2. The fail2ban configuration files live under /etc/fail2ban; the log filters are in /etc/fail2ban/filter.d.

Our main interest is the php-url-fopen.conf filter. Edit this file. The stock configuration looks like this:

[Definition]

# Option:  failregex
# Notes.:  regex to match this kind of request:
#
# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
#
failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
Our interest is mainly in failregex. Whenever a line of the access log matches this regular expression, fail2ban records a failure for the client address captured by <HOST> and, once maxretry is reached, adds an iptables rule dropping traffic from it. In this particular case the Apache access logs showed POST requests to one particular script, <filename.php>. Go through your own Apache access logs and derive the appropriate regular expression from the requests you see.

So I put the regular expression as below:

failregex = ^<HOST> -.*(GET|POST).*filename.php

Two caveats about this pattern: the unescaped dot in filename.php matches any character, and because nothing ties the match to the request field, a line whose referer or user agent merely contains filename.php will match too. Anchoring the match to the request string, as in ^<HOST> -.*"(GET|POST) [^"]*filename\.php, avoids that. You can also set ignoreregex, just below failregex, to skip lines you never want banned (for example requests from your own monitoring host) and so avoid false positives. Test the filter against a copy of the access log with fail2ban-regex before enabling the jail, since with maxretry=1 every match bans a client immediately.

3. Next, enable the filter as a jail. Add the following section to jail.conf under /etc/fail2ban (on current fail2ban versions put it in jail.local instead, so a package upgrade does not overwrite your changes):

[php-url-fopen]
enabled = true
port    = http
filter  = php-url-fopen
logpath = /var/www/*/logs/<virtualhostname>-access_log
maxretry = 1

Here php-url-fopen is the jail name, and filter = php-url-fopen points at filter.d/php-url-fopen.conf. Fail2ban creates an iptables chain named fail2ban-<jail name>, so fail2ban-php-url-fopen in this case. Set port to http,https if the site is also served over HTTPS. logpath is the path of the Apache access log for the affected site; with several virtual hosts, make sure you point at the correct virtual host's access log, or nothing will ever be banned.

It is better to keep maxretry=1 here: most of these attacks come from a pool of rotating IP addresses, so the second attempt will most likely arrive from a different address and a higher threshold would rarely trigger. The flip side is that a single false-positive match bans a client at once, which is why the regular expression needs to be tight.

After that, restart fail2ban:

/etc/init.d/fail2ban restart
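To see what the filter and the jail's maxretry setting would actually do before pointing them at a live log, the following added example (not from the original post or from fail2ban itself) simulates fail2ban's filter evaluation in Python: it substitutes fail2ban's <HOST> pattern into a failregex, runs it with an optional ignoreregex over a handful of constructed Apache access log lines, and reports which client addresses would be banned. It compares the stock php-url-fopen rule, the post's narrowed rule (filename.php stands in for the targeted script, as in the post) and a tightened variant of it. The tightened regex, the ignoreregex for a hypothetical monitoring host 10.0.0.5 and all log lines except the first (which is the one quoted in the stock filter) are my own constructions.

```python
import re
from collections import Counter

# What fail2ban substitutes for <HOST> in a failregex (the IPv6-mapped
# prefix is optional, the address itself lands in the "host" group).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Stock rule shipped in filter.d/php-url-fopen.conf: a query-string
# parameter whose value is a remote http:// URL (remote file inclusion).
STOCK_FAILREGEX = r'^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$'

# The post's narrowed rule: any GET/POST line that mentions filename.php.
POST_FAILREGEX = r"^<HOST> -.*(GET|POST).*filename.php"

# Assumed tightened variant: match only inside the quoted request string,
# and treat the dot in filename.php literally.
TIGHT_FAILREGEX = r'^<HOST> -.*"(GET|POST) [^"]*filename\.php'

# Assumed ignoreregex: never count requests from an internal monitoring host.
IGNOREREGEX = r"^10\.0\.0\.5 -"

# Constructed sample log lines (combined log format). The first is the
# example quoted in the stock filter; the rest are made up for this demo.
LOG_LINES = [
    '66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [01/Jun/2011:12:00:01 +0000] "POST /wp-content/filename.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # Legitimate visitor whose *referer* happens to contain filename.php.
    '198.51.100.9 - - [01/Jun/2011:12:00:02 +0000] "GET /index.php HTTP/1.1" 200 2048 "http://example.org/filename.php" "Mozilla/5.0"',
    # Internal monitoring host probing the script.
    '10.0.0.5 - - [01/Jun/2011:12:00:03 +0000] "GET /filename.php HTTP/1.1" 200 10 "-" "monitoring"',
    '192.0.2.44 - - [01/Jun/2011:12:00:04 +0000] "GET /about.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]


def compile_filter(failregex, ignoreregex=""):
    """Expand <HOST> the way fail2ban does and compile both patterns."""
    fail = re.compile(failregex.replace("<HOST>", HOST))
    ignore = re.compile(ignoreregex.replace("<HOST>", HOST)) if ignoreregex else None
    return fail, ignore


def matching_hosts(lines, failregex, ignoreregex=""):
    """Count failregex matches per client address, skipping ignored lines."""
    fail, ignore = compile_filter(failregex, ignoreregex)
    hits = Counter()
    for line in lines:
        if ignore is not None and ignore.search(line):
            continue  # ignoreregex wins, the line is never a failure
        m = fail.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def banned_hosts(lines, failregex, ignoreregex="", maxretry=1):
    """Addresses that reach maxretry matches, i.e. would get a DROP rule."""
    counts = matching_hosts(lines, failregex, ignoreregex)
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, rx in [("stock", STOCK_FAILREGEX), ("post", POST_FAILREGEX), ("tight", TIGHT_FAILREGEX)]:
        print(f"{name:5} no ignoreregex : {banned_hosts(LOG_LINES, rx)}")
        print(f"{name:5} with ignoreregex: {banned_hosts(LOG_LINES, rx, IGNOREREGEX)}")
```

Run as a script it shows the trade-off discussed above: the post's rule bans the attacker, but also the innocent visitor with filename.php in the referer, while the tightened rule bans only the attacker; the ignoreregex keeps the monitoring host out in both cases, and with maxretry=2 nothing in this sample would be banned at all, since every address appears once.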

Now check that your settings are working. Either look at /var/log/fail2ban.log, where every banned IP address is logged, or list the iptables rules as below:

root@server:/etc/fail2ban/filter.d# /sbin/iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-php-url-fopen  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
DROP       tcp  --  79.85.124.225        0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  122.166.3.167        0.0.0.0/0            tcp dpt:80
DROP       udp  --  174.76.228.0/24      0.0.0.0/0
DROP       tcp  --  174.76.228.0/24      0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-php-url-fopen (1 references)
target     prot opt source               destination
DROP       all  --  187.131.214.217      0.0.0.0/0
DROP       all  --  80.219.129.71        0.0.0.0/0
DROP       all  --  85.171.109.243       0.0.0.0/0
DROP       all  --  84.101.176.41        0.0.0.0/0
DROP       all  --  178.19.168.72        0.0.0.0/0
DROP       all  --  194.51.146.149       0.0.0.0/0
DROP       all  --  201.238.145.51       0.0.0.0/0
DROP       all  --  93.145.203.186       0.0.0.0/0
DROP       all  --  78.225.145.131       0.0.0.0/0
DROP       all  --  190.92.43.185        0.0.0.0/0
DROP       all  --  78.224.112.33        0.0.0.0/0
DROP       all  --  90.13.134.171        0.0.0.0/0
DROP       all  --  112.215.66.64        0.0.0.0/0
DROP       all  --  201.144.130.21       0.0.0.0/0
DROP       all  --  2.33.135.177         0.0.0.0/0
DROP       all  --  83.43.62.99          0.0.0.0/0
DROP       all  --  41.102.220.228       0.0.0.0/0
DROP       all  --  41.204.104.154       0.0.0.0/0
DROP       all  --  92.153.43.218        0.0.0.0/0
DROP       all  --  46.227.184.154       0.0.0.0/0
DROP       all  --  82.229.250.10        0.0.0.0/0
DROP       all  --  186.68.146.111       0.0.0.0/0
DROP       all  --  93.44.96.202         0.0.0.0/0
DROP       all  --  190.49.250.39        0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

You can see that on the chain fail2ban-php-url-fopen the attackers' IP addresses are being dropped; the INPUT chain jumps every packet for port 80 through that chain first, and the final RETURN rule hands unmatched traffic back to INPUT.

In the same jail section you can also specify how long an IP address stays in the block list: bantime sets the ban duration in seconds, and findtime the window within which maxretry matches must occur to trigger a ban.
