mckelvey · June 7, 2019 09:19 · mckelvey · Jan 24, 2014
diff --git a/apache-livewhale.conf b/apache-livewhale.conf
 # Fail2Ban configuration file
 #
 # Intended to assist in protecting LiveWhale from malicious use
 # of injection and vulnerabilty scanners such as:
 #
 # Acunetix Web Vulnerabilty Scanner
 # Unknown Scanner (dubbed KIDC below)
 # Unknown Scanner (dubbed RIPE below)
 #
 # Note: if you use penetration software for testing, add the server ip
 # to your whitelist to freely use it, but prevent others.
 # 
 # Author: David W. McKelvey, White Whale Web Services, Inc.
 #
 # $Revision$
 #

 [INCLUDES]

 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = common.conf

 [Definition]

 acunetix = response\.write\(\d+\*\d+\)|now\(\)|sysdate\(\)|sleep\(\d*\)|waitfor delay|pg_sleep\(\d*\)|';|' AND|" AND|set\|set\&set|SomeCustomInjectedHeader|;select
 acunetix_invalid = /etc/|/invalid
 kidc = GetSimple_2\.01|Factux|Madirish_Webmail|idioma|jevoncms|facil-cms|phpunity\.newsmanager|dloadstplates|phpdirectorgameedition|tendersystem|mariecms|microcms|micro_cms_files|vtigercrm|dnet_admin|FunGamez|kipper20|skysilver
 ripe = ACGVnews|AdaptCMS_Lite_1\.4_2|BetaBlockModules|Contenido_4\.8\.4|DFF_PHP_FrameworkAPI-latest|Dir_phNNTP|DynaTracker_v151|Easysite-2\.0_path|FormTools1_5_0|Mamblog|NuclearBB|OpenSiteAdmin|PHPDJ_v05|SPIP-v1-7-2|SQuery|SazCart|WordPress_Files|advanced_comment_system|modx-0\.9\.6\.2|mxBB|olbookmarks-0\.7\.4|ossigeno-suite-2\.2_pre1|phpAdsNew-2\.0\.7|phpBB2|phpMyConferences_8\.0\.2|phpQLAdmin-2\.2\.7|phpSiteBackup-0\.1|plume-1\.1\.3|pmapper-3\.2-beta3|pmi_v28|podcastgen1\.0beta2|post_static_0-11|qsgen_0\.7\.2c
 ripe_nostat = 123flashchat|BE_config|CoupleDB|MOD_forum_fields_parse|addvip|admin\.loudmouth|anzagien|auth\.sessions\.inc|b2verifauth|bb_admin|ch_readalso|cls_fast_template|ezusermanager_pwd_forgott|fcring|fonctions_racine|hioxBannerRotate|functions_user_viewed_posts|pafiledb_constants|themen_portal_mitte|usercp_register|migrateNE2toNE3|naboard_pnr|nukebrowser|php-include-robotsservices

 # Option:  failregex
 # Notes.:  Regexp to catch vulnerability scanners.
 # Values:  TEXT
 #
 failregex = ^\[[^\]]+\] \[error\] \[client <HOST>\].*File does not exist: .*(%(acunetix)s).*$
            ^\[[^\]]+\] \[error\] \[client <HOST>\].*Invalid URI in request .*(%(acunetix_invalid)s).*$
            ^\[[^\]]+\] \[error\] \[client <HOST>\].*File does not exist: .*/(%(kidc)s)$
            ^\[[^\]]+\] \[error\] \[client <HOST>\].*File does not exist: .*/(%(ripe)s)$
            ^\[[^\]]+\] \[error\] \[client <HOST>\].*script .*/(%(ripe_nostat)s)\.php.* unable to stat$

 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex =
diff --git a/jail.local b/jail.local
 [apache-livewhale]

 enabled  = true
 port     = http,https
 filter   = apache-livewhale
 logpath  = /var/log/apache*/*error.log
 maxretry = 2
 bantime  = ###
 findtime = ###
	# Fail2Ban configuration file
	#
	# Intended to assist in protecting LiveWhale from malicious use
	# of injection and vulnerabilty scanners such as:
	#
	# Acunetix Web Vulnerabilty Scanner
	# Unknown Scanner (dubbed KIDC below)
	# Unknown Scanner (dubbed RIPE below)
	#
	# Note: if you use penetration software for testing, add the server ip
	# to your whitelist to freely use it, but prevent others.
	#
	# Author: David W. McKelvey, White Whale Web Services, Inc.
	#
	# $Revision$
	#

	[INCLUDES]

	# Read common prefixes. If any customizations available -- read them from
	# common.local
	before = common.conf

	[Definition]

	acunetix = response\.write\(\d+\\d+\)\|now\(\)\|sysdate\(\)\|sleep\(\d\)\|waitfor delay\|pg_sleep\(\d*\)\|';\|' AND\|" AND\|set\\|set\&set\|SomeCustomInjectedHeader\|;select
	acunetix_invalid = /etc/\|/invalid
	kidc = GetSimple_2\.01\|Factux\|Madirish_Webmail\|idioma\|jevoncms\|facil-cms\|phpunity\.newsmanager\|dloadstplates\|phpdirectorgameedition\|tendersystem\|mariecms\|microcms\|micro_cms_files\|vtigercrm\|dnet_admin\|FunGamez\|kipper20\|skysilver
	ripe = ACGVnews\|AdaptCMS_Lite_1\.4_2\|BetaBlockModules\|Contenido_4\.8\.4\|DFF_PHP_FrameworkAPI-latest\|Dir_phNNTP\|DynaTracker_v151\|Easysite-2\.0_path\|FormTools1_5_0\|Mamblog\|NuclearBB\|OpenSiteAdmin\|PHPDJ_v05\|SPIP-v1-7-2\|SQuery\|SazCart\|WordPress_Files\|advanced_comment_system\|modx-0\.9\.6\.2\|mxBB\|olbookmarks-0\.7\.4\|ossigeno-suite-2\.2_pre1\|phpAdsNew-2\.0\.7\|phpBB2\|phpMyConferences_8\.0\.2\|phpQLAdmin-2\.2\.7\|phpSiteBackup-0\.1\|plume-1\.1\.3\|pmapper-3\.2-beta3\|pmi_v28\|podcastgen1\.0beta2\|post_static_0-11\|qsgen_0\.7\.2c
	ripe_nostat = 123flashchat\|BE_config\|CoupleDB\|MOD_forum_fields_parse\|addvip\|admin\.loudmouth\|anzagien\|auth\.sessions\.inc\|b2verifauth\|bb_admin\|ch_readalso\|cls_fast_template\|ezusermanager_pwd_forgott\|fcring\|fonctions_racine\|hioxBannerRotate\|functions_user_viewed_posts\|pafiledb_constants\|themen_portal_mitte\|usercp_register\|migrateNE2toNE3\|naboard_pnr\|nukebrowser\|php-include-robotsservices

	# Option: failregex
	# Notes.: Regexp to catch vulnerability scanners.
	# Values: TEXT
	#
	failregex = ^\[[^\]]+\] \[error\] \[client <HOST>\].File does not exist: .(%(acunetix)s).*$
	^\[[^\]]+\] \[error\] \[client <HOST>\].Invalid URI in request .(%(acunetix_invalid)s).*$
	^\[[^\]]+\] \[error\] \[client <HOST>\].File does not exist: ./(%(kidc)s)$
	^\[[^\]]+\] \[error\] \[client <HOST>\].File does not exist: ./(%(ripe)s)$
	^\[[^\]]+\] \[error\] \[client <HOST>\].script ./(%(ripe_nostat)s)\.php.* unable to stat$

	# Option: ignoreregex
	# Notes.: regex to ignore. If this regex matches, the line is ignored.
	# Values: TEXT
	#
	ignoreregex =
	[apache-livewhale]

	enabled = true
	port = http,https
	filter = apache-livewhale
	logpath = /var/log/apache/error.log
	maxretry = 2
	bantime = ###
	findtime = ###