iAugur · April 8, 2022 09:57
diff --git a/README.md b/README.md
diff --git a/apache-ua-sql.conf b/apache-ua-sql.conf
 # Fail2Ban configuration file
 #
 # Author: https://gist.github.com/iAugur
 #
 #

 [Definition]

 # Option:  failregex
 # Notes.:  regex to match injection attempts in UA string
 # examples: UserAgent string  "-1' OR 2+787-787-1=0+0+0+1 --" and "1 \xc0\xa7\xc0\xa2"
 # Values:  TEXT
 # Test  :  fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-ua-sql.conf --print-all-matched

 failregex = ^<HOST> .*(-1 OR 2\+102-102-1=0\+0\+0\+1|1 \\xc0\\xa7\\xc0\\xa2).*$


 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
 #         This stops your Drupal log CMS watchdog visits from triggering the ban, omit if not on Drupal
 # Values: TEXT
 ignoreregex = '^<HOST> .*(\/admin\/reports\/dblog).*$'

 datepattern = ^[^\[]*\[({DATE})
              {^LN-BEG}
diff --git a/example-log-lines.log b/example-log-lines.log
 # the following is a redaced real world example with 3 hits and 2 ignored
 122.142.199.161 www.example.com:443 - - [05/Apr/2022:03:22:32 +0100] "GET /blog/somebadua HTTP/1.1" 200 14488 "https://www.example.com:443/" "-1' OR 2+787-787-1=0+0+0+1 --"
 122.142.199.161 www.example.com:443 - - [05/Apr/2022:03:22:32 +0100] "GET /blog/someokua HTTP/1.1" 200 14488 "https://www.example.com:443/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
 122.142.199.161 www.example.com:443 - - [05/Apr/2022:03:22:32 +0100] "GET /blog/somebadua2 HTTP/1.1" 200 14488 "https://www.example.com:443/" "1 \xc0\xa7\xc0\xa2"
 122.142.199.161 www.example.com:443 - - [05/Apr/2022:03:22:32 +0100] "GET /sites/somebadua HTTP/1.1" 403 89094 "-1 OR 2+102-102-1=0+0+0+1 --" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
 122.142.199.161 www.example.com:443 - - [05/Apr/2022:03:22:32 +0100] "GET /blog/someokua HTTP/1.1" 200 15265 "https://www.example.com:443/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
diff --git a/jail-local.conf b/jail-local.conf
 # add to your jail.local
 # omit any entries to use your defaults (e.g. banaction etc)
 [apache-ua-sql]
 enabled = true
 filter = apache-ua-sql
 port = hhtp,https
 logpath = /var/log/apache2*/*access.log
 bantime = 604800
 banaction = iptables-allports
 findtime = 60
 maxretry = 3
	# Fail2Ban configuration file
	#
	# Author: https://gist.github.com/iAugur
	#
	#

	[Definition]

	# Option: failregex
	# Notes.: regex to match injection attempts in UA string
	# examples: UserAgent string "-1' OR 2+787-787-1=0+0+0+1 --" and "1 \xc0\xa7\xc0\xa2"
	# Values: TEXT
	# Test : fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-ua-sql.conf --print-all-matched

	failregex = ^<HOST> .(-1 OR 2\+102-102-1=0\+0\+0\+1\|1 \\xc0\\xa7\\xc0\\xa2).$


	# Option: ignoreregex
	# Notes.: regex to ignore. If this regex matches, the line is ignored.
	# This stops your Drupal log CMS watchdog visits from triggering the ban, omit if not on Drupal
	# Values: TEXT
	ignoreregex = '^<HOST> .(\/admin\/reports\/dblog).$'

	datepattern = ^[^\[]*\[({DATE})
	{^LN-BEG}
	# the following is a redaced real world example with 3 hits and 2 ignored
	122.142.199.161 www.example.com:443 - - [05/Apr/2022:03:22:32 +0100] "GET /blog/somebadua HTTP/1.1" 200 14488 "https://www.example.com:443/" "-1' OR 2+787-787-1=0+0+0+1 --"
	122.142.199.161 www.example.com:443 - - [05/Apr/2022:03:22:32 +0100] "GET /blog/someokua HTTP/1.1" 200 14488 "https://www.example.com:443/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
	122.142.199.161 www.example.com:443 - - [05/Apr/2022:03:22:32 +0100] "GET /blog/somebadua2 HTTP/1.1" 200 14488 "https://www.example.com:443/" "1 \xc0\xa7\xc0\xa2"
	122.142.199.161 www.example.com:443 - - [05/Apr/2022:03:22:32 +0100] "GET /sites/somebadua HTTP/1.1" 403 89094 "-1 OR 2+102-102-1=0+0+0+1 --" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
	122.142.199.161 www.example.com:443 - - [05/Apr/2022:03:22:32 +0100] "GET /blog/someokua HTTP/1.1" 200 15265 "https://www.example.com:443/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21"
	# add to your jail.local
	# omit any entries to use your defaults (e.g. banaction etc)
	[apache-ua-sql]
	enabled = true
	filter = apache-ua-sql
	port = hhtp,https
	logpath = /var/log/apache2/access.log
	bantime = 604800
	banaction = iptables-allports
	findtime = 60
	maxretry = 3