Nginx
Fail2ban 不禁止嘗試的 sql 注入
我每天都會收到大量看起來相似的 sql 注入嘗試。訪問日誌的片段顯示:
8222 24.247.182.172 - - [09/Nov/2018:08:47:25 -0600] ***************.com "GET /Add_Product.php?strPhotoID=VA1209&price_selected=2+union+select+0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526--&page_id=912 HTTP/1.1" 302 0 "https://www.***************.com/Add_Product.php?strPhotoID=VA1209&price_selected=2+union+select+0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526--&page_id=912" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "-"
這是 jail.local 中的配置:
[sql-union-select-attack] enabled = true filter = sql-union-select-attack logpath = /var/log/nginx/*access.log port = 8221,8222,8231,8232 maxretry = 1 findtime = 10 bantime = -1 action = iptables-allports[name=sqlUnionSelect]
這是過濾器(sql-union-select-attack.conf):
#The SQL Injection attempt with "union+select+" in the URL [Definition] failregex = ^\d{4} <HOST> -.*\"(GET|POST).*/Add_Product.php.*union
然而我在這裡,沒有得到任何禁令,如圖所示
fail2ban-client status sql-union-select-attack root@web4:/etc/fail2ban# fail2ban-client status sql-union-select-attack Status for the jail: sql-union-select-attack |- Filter | |- Currently failed: 0 | |- Total failed: 0 | `- File list: /var/log/nginx/**************.access.log /var/log/nginx/access.log `- Actions |- Currently banned: 0 |- Total banned: 0 `- Banned IP list:
這裡發生了什麼?我的 jail.local 配置有問題嗎?
編輯
感謝邁克爾漢普頓的回答,它現在似乎正在工作。我有一個 bash 腳本,可以讓我選擇一個監獄來獲取狀態:
root@web4:/etc/fail2ban# get_jail_status http-get-dos http-post-dos magento-url megaindex-crawler-spam nginx-499 nginx-aspx-url sql-directory-attempt sql-union-select-attack sshd Please enter the jail you would like to check: sql-union-select-attack Status for the jail: sql-union-select-attack |- Filter | |- Currently failed: 0 | |- Total failed: 2 | `- File list: /var/log/nginx/**************.access.log /var/log/nginx/access.log `- Actions |- Currently banned: 5 |- Total banned: 5 `- Banned IP list: 142.163.212.50 217.61.108.219 37.59.8.29 207.228.228.8 162.144.126.204
如果我選擇其中一個 IP 地址並在 iptables 中檢查它,它會出現:
root@web4:/etc/fail2ban# iptables -L -v -n | grep 142.163.212.50 0 0 REJECT all -- * * 142.163.212.50 0.0.0.0/0 reject-with icmp-port-unreachable
所以它似乎正在工作!
Fail2ban 需要安裝 pyinotify 才能讀取日誌文件,而不是通過 systemd 日誌。如果未安裝,則應安裝或重新安裝。例如:
sudo apt-get install python-pyinotify
之後,重新啟動 fail2ban 並等待幾分鐘,讓它瀏覽現有的日誌文件。
(從技術上講,它也可以使用 gamin,但從歷史上看,這並不是很可靠……)