Skip to content

Instantly share code, notes, and snippets.

@christophlehmann

christophlehmann/fail2ban-filter-sql-scanner.conf

Created November 8, 2018 07:33
Show Gist options
  • Save christophlehmann/df3b7527602b7173a12c97ea8c67a03a to your computer and use it in GitHub Desktop.
Save christophlehmann/df3b7527602b7173a12c97ea8c67a03a to your computer and use it in GitHub Desktop.
Download ZIP
Apache log fail2ban sql injection scanner
Raw
fail2ban-filter-sql-scanner.conf
[Definition]
failregex = ^<HOST> .*UNION%%20SELECT%%20CHAR.*HTTP
^<HOST> .*select\*from.*HTTP
^<HOST> .*select%%20name_const.*HTTP
# Dev notes
#
# % must be escaped with '%'
Raw
fail2ban-jail-sql-scanner.conf
[sql-scanner]
enabled = true
port = http,https
maxretry = 2
bantime = 3600
logpath = /home/*/logs/access.log
action = %(action_mwl)s
@AcckiyGerman
Copy link

Hi, thanks for the example. Please let me improve it a bit:

  • I've notice you have a typo in the second REGEX - a backslash instead of dot: select\*from should be select.*from
  • I would make the filter case insensitive by adding (?i) prefix (documentation)
  • if somebody want to add this filter via Plesk interface, he should add ignoreregex = string, otherwise plesk doesn't show the filter when you add a jail (I've spent like an hour to find it out).

So in my case, to use it with Plesk, the filter looks like this:

[Definition]
failregex = (?i)^<HOST> .*UNION%%20SELECT%%20CHAR.*HTTP
        (?i)^<HOST> .*select.*from.*HTTP
        (?i)^<HOST> .*select%%20name_const.*HTTP

ignoreregex =

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment