
Fail2Ban.WebExploits

This custom Fail2Ban filter and jail will deal with all scans for common Wordpress, Joomla, Drupal and other Web Exploits being scanned for by automated bots and those seeking to find exploitable web sites.

Buy me Coffee


Version: V0.1.27

Total Exploits: 286


  • Skill Level: Advanced

❗ CAUTION ❗ Be sure you know why you are going to use this filter before simply deploying it ❗

I hold no responsibility for any problems this may cause you. You need to have a thorough understanding of Fail2Ban, especially whitelisting. You also need to make sure that if you have ANY of the plugins, templates, folders or files shown in these exploit scan signatures, you stop using such plugins or themes and rename any folders or files to something more suitable; otherwise you could very easily block yourself or your own users. Please take caution with this filter.

How To Use This Filter

1 - Copy the webexploits.conf file from the repository to your server

sudo wget https://raw.githubusercontent.com/mitchellkrogza/Fail2Ban.WebExploits/master/webexploits.conf -O /etc/fail2ban/filter.d/webexploits.conf


2 - Create the Jail Config in your jail.local file

sudo nano /etc/fail2ban/jail.local

Paste the contents below into your jail.local file

For NGINX

[webexploits]
enabled  = true
port     = http,https
filter   = webexploits
logpath  = %(nginx_access_log)s
maxretry = 3

For APACHE

[webexploits]
enabled  = true
port     = http,https
filter   = webexploits
logpath  = %(apache_access_log)s
maxretry = 3

3 - Test the filter against some of your log files

fail2ban-regex /var/log/nginx/myweb-access.log /etc/fail2ban/filter.d/webexploits.conf

You will see output something like this:

Running tests
=============

Use   failregex filter file : webexploits, basedir: /etc/fail2ban
Use         log file : /var/log/nginx/mitchellkrog.com-REDIRECTS-access.log
Use         encoding : UTF-8


Results
=======

Failregex: 391 total
|-  #) [# of hits] regular expression
|   1) [105] ^<HOST> -.*GET.*(/.git/config)
|   3) [16] ^<HOST> -.*GET.*(/administrator/index.php)
|   4) [2] ^<HOST> -.*GET.*(/administrator/manifests/files/joomla.xml)
|   6) [6] ^<HOST> -.*GET.*(/ckupload.php)
|   8) [5] ^<HOST> -.*GET.*(/components/com_adsmanager/js/fullnoconflict.js)
....
....
....
|  68) [9] ^<HOST> -.*GET.*(/wp-content/plugins/wysija-newsletters/readme.txt)
|  69) [1] ^<HOST> -.*GET.*(/wp-content/themes/deep-blue/megaframe/megapanel/inc/functions.php)
|  70) [4] ^<HOST> -.*GET.*(/wp-content/themes/u-design/style.css)
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [4262] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 4262 lines, 0 ignored, 391 matched, 3871 missed [processed in 2.50 sec] 
Missed line(s): too many to print.  Use --print-all-missed to print all 3871 lines

This confirms the webexploits.conf file is detecting hits in your logs for the exploits it covers.
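As an added example (not code from this repository and not Fail2Ban's own code), the following Python script mimics what `fail2ban-regex` and a jail with `maxretry = 3` do, over a few constructed access-log lines and a constructed three-pattern filter fragment written in the same `failregex` style shown in the output above. It simplifies Fail2Ban's `<HOST>` expansion and date handling, and it also shows why the whitelisting caution earlier on this page matters: a legitimate administrator opening the Joomla back end three times in a minute is banned exactly like the scanner unless their address is in `ignoreip`. The `findtime` window, the sample addresses and the `192.168.1.0/24` whitelist are all assumptions made for the illustration.

```python
"""Toy model of fail2ban-regex plus a jail: count failregex hits per host,
apply maxretry/findtime, and honour ignoreip. Constructed example; it is
not Fail2Ban's implementation and simplifies its <HOST> and date handling."""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed filter.d fragment in Fail2Ban syntax. The patterns follow the
# style of the real webexploits.conf, but this is not that file.
FILTER_CONF = """\
[Definition]
failregex = ^<HOST> -.*GET.*(/.git/config)
            ^<HOST> -.*GET.*(/administrator/index.php)
            ^<HOST> -.*GET.*(/wp-content/plugins/wysija-newsletters/readme.txt)
ignoreregex =
"""

# Constructed combined-format (nginx/apache style) access log lines:
# 203.0.113.10 is a scanner, 198.51.100.7 probes slowly over hours,
# 192.168.1.20 is a real Joomla administrator on the local network.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "python-requests/2.31"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET /administrator/index.php HTTP/1.1" 404 162 "-" "python-requests/2.31"
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-content/plugins/wysija-newsletters/readme.txt HTTP/1.1" 404 162 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:09 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:15:30:00 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:17:45:00 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Oct/2023:14:05:00 +0000] "GET /administrator/index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Oct/2023:14:05:30 +0000] "GET /administrator/index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Oct/2023:14:06:00 +0000] "GET /administrator/index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

TIMESTAMP_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def parse_failregex(conf_text):
    """Return [(original pattern, compiled regex)] for every failregex line,
    including indented continuation lines, with <HOST> made a capture group."""
    patterns, in_failregex = [], False
    for raw in conf_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if re.match(r"^failregex\s*=", line):
            in_failregex = True
            line = line.split("=", 1)[1].strip()
            if not line:
                continue
        elif in_failregex and line[:1].isspace():
            line = line.strip()
        else:
            in_failregex = False  # any other key ends the failregex block
            continue
        # Simplification: Fail2Ban's real <HOST> expansion is more elaborate.
        patterns.append((line, re.compile(line.replace("<HOST>", r"(?P<host>\S+)"))))
    return patterns


def log_time(line):
    """Parse the bracketed timestamp of a combined-format log line."""
    m = TIMESTAMP_RE.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z") if m else None


def find_hits(log_text, patterns):
    """Return (host, timestamp, original pattern) per matched line; one
    failure per line, as fail2ban-regex counts them."""
    hits = []
    for line in log_text.splitlines():
        for original, compiled in patterns:
            m = compiled.search(line)
            if m:
                hits.append((m.group("host"), log_time(line), original))
                break
    return hits


def hits_per_regex(hits):
    """Per-pattern hit counts, like the '[# of hits]' column of fail2ban-regex."""
    return Counter(original for _, _, original in hits)


def is_ignored(host, ignoreip):
    """True when host falls inside any ignoreip address or CIDR network."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def decide_bans(hits, maxretry=3, findtime=600, ignoreip=()):
    """Hosts a jail with these settings would ban: maxretry hits inside a
    findtime-second window, unless the host is whitelisted by ignoreip."""
    by_host = defaultdict(list)
    for host, ts, _ in hits:
        by_host[host].append(ts)
    banned = []
    for host, times in by_host.items():
        if is_ignored(host, ignoreip):
            continue
        times.sort()
        for i in range(len(times) - maxretry + 1):  # sliding window
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.append(host)
                break
    return sorted(banned)


if __name__ == "__main__":
    pats = parse_failregex(FILTER_CONF)
    found = find_hits(SAMPLE_LOG, pats)
    for pattern, n in hits_per_regex(found).items():
        print(f"[{n}] {pattern}")
    print("banned, no whitelist:", decide_bans(found))
    print("banned, admin LAN whitelisted:", decide_bans(found, ignoreip=("192.168.1.0/24",)))
```

Run as-is it reports four hits on the `.git/config` pattern, four on `administrator/index.php` and one on the `wysija` pattern, then bans both the scanner and the administrator; with `192.168.1.0/24` whitelisted only the scanner is banned, and the slow prober at 198.51.100.7 is never banned because its three hits are spread over hours rather than inside the findtime window. Pointing `find_hits` at a real log and the real `webexploits.conf` is the same exercise `fail2ban-regex` performs in step 3, which is why running that test before enabling the jail, and reviewing which of your own hosts show up in the hit list, is the check to make before step 4.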


4 - Restart the Fail2Ban Service

sudo service fail2ban stop && sudo service fail2ban start


5 - Monitor your email for new notifications that this filter will now be sending.


6 - Stay up to date

As new threats and vulnerable plugins and themes are detected all the time, this filter is constantly updated, so it's a good idea to check back here regularly for updates.


7 - Consider Perma-Banning

Have a look at the Fail2Ban Blacklist JAIL for Repeat Offenders, which enables perma-banning on Fail2Ban for repeat offenders.

A list of bad IPs is available from here; it is generated using this Perma-Ban filter and used within the awesome Ultimate Hosts Blacklist.


If This Project helped you out, help support it

Buy me Coffee


INTO PHOTOGRAPHY?

Come drop by and visit me at mitchellkrog.com or Facebook, or follow @MitchellKrog on Twitter.


MIT License

Copyright (c) 2017 Mitchell Krog - [email protected]

https://github.com/mitchellkrogza

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
