Matching Suhosin entries with Fail2Ban
Hello fellow Debian ISPs,
This isn't necessarily ISP-specific but I'm hoping someone here might have had a similar experience. Or, if there is a better venue for my question I'd love to know.

I like blocking badness. Chances are, if an IP is sending me junk and trying to break things, I don't want to have anything to do with it. So, I'm trying to get Fail2Ban to match junk as logged by Suhosin. For the most part my regexes work, but yesterday I got a bunch of garbage along these lines:

Jan 4 11:53:47 homepage suhosin[17930]: ALERT - configured request variable name length limit exceeded - dropped variable '-J3^>;c#/m08N3eiCh}mZ6#VQz*FhG82oc_#wL%AWy@A*%<cx{_opL*_gT^ >0_H0oO-_w]V#/3'ZLp>V:`857niwx5_%,G,'FtmU":9Yr_6}H' (attacker '24.156.217.14', file '/var/www/speedtest/speedtest/upload.php')
Jan 4 11:53:47 homepage suhosin[17930]: ALERT - configured request variable name length limit exceeded - dropped variable 'FilB%_e*i20mxOi"P^pOWnQn>u_}5L,2<@]<q,SgB_0Xu'OZ4`D!}c6#skXR2(@zAcQ-p4r#AvpX,">J_l`e8"(<]Bk"_}@BUg_B30)?<d4kty*[:fD/P@0pt|5@]' (attacker '24.156.217.14', file '/var/www/speedtest/speedtest/upload.php')

My existing Fail2Ban regex filter looks like this:

suhosin[[[:digit:]]+]: ALERT - configured request variable value length limit exceeded - dropped variable '.*' (attacker '<HOST>', file '/var/www/speedtest/speedtest/upload.php')$

Replacing .* with [[:print:]]+ didn't seem to match that new garbage. I attempted [x20-x7E]+, but that returned "Invalid range end" from egrep. The only hits I found in searching related to this response are to do with character classes and locales, which I don't think should really apply if you're specifying ASCII character numbers.

I apologize if this is obvious, but my searching only yielded the above. Any suggestions would be welcome!
Thanks

---
Ross Halliday
Network Operations
WTC Communications
Office: 613-547-6939 x203
Helpdesk: 866-547-6939 option 2
http://www.wtccommunications.ca

--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/C61048EF4F054A4ABBFC3E8B61D2E1F84A57E1B532@wtc-exchange.wtc.local
Matching Suhosin entries with Fail2Ban
On Thu, 5 Jan 2012, Ross Halliday wrote:
> For the most part my regexes work, but yesterday I got a bunch of garbage along these lines:
>
> Jan 4 11:53:47 homepage suhosin[17930]: ALERT - configured request variable name length limit exceeded - dropped variable '-J3^>;c#/m08N3eiCh}mZ6#VQz*FhG82oc_#wL%AWy@A*%<cx{_opL*_gT^ >0_H0oO-_w]V#/3'ZLp>V:`857niwx5_%,G,'FtmU":9Yr_6}H' (attacker '24.156.217.14', file '/var/www/speedtest/speedtest/upload.php')
> Jan 4 11:53:47 homepage suhosin[17930]: ALERT - configured request variable name length limit exceeded - dropped variable 'FilB%_e*i20mxOi"P^pOWnQn>u_}5L,2<@]<q,SgB_0Xu'OZ4`D!}c6#skXR2(@zAcQ-p4r#AvpX,">J_l`e8"(<]Bk"_}@BUg_B30)?<d4kty*[:fD/P@0pt|5@]' (attacker '24.156.217.14', file '/var/www/speedtest/speedtest/upload.php')
>
> My existing Fail2Ban regex filter looks like this:
>
> suhosin[[[:digit:]]+]: ALERT - configured request variable value length limit exceeded - dropped variable '.*' (attacker '<HOST>', file '/var/www/speedtest/speedtest/upload.php')$
>
> [...]

Your log message says "variable name length", while your regex says "variable value length".

--
Povl Ole "stderr" Haarlev Olsen

Archive: http://lists.debian.org/alpine.DEB.2.00.1201051941570.17683@noget.stderr.dk.localdomain
Matching Suhosin entries with Fail2Ban
> Your log message says "variable name length", while your regex says
> "variable value length".
>
> --
> Povl Ole "stderr" Haarlev Olsen

Oh for the love of... Thanks :) Works much better now. Guess I just needed a second set of eyes.

Sorry for the noise

---
Ross Halliday
Network Operations
WTC Communications
Office: 613-547-6939 x203
Helpdesk: 866-547-6939 option 2
http://www.wtccommunications.ca

Archive: http://lists.debian.org/C61048EF4F054A4ABBFC3E8B61D2E1F84A57E1B53C@wtc-exchange.wtc.local
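As an added example (not from the thread or from Fail2Ban), the thread's "value" filter and the corrected "name" filter are run against constructed Suhosin lines using Python's re module, which is what a Fail2Ban failregex is evaluated with; assumptions: <HOST> is expanded here to a simplified IPv4 group rather than Fail2Ban's own host expression, [[:digit:]] is written as \d because Python re has no POSIX classes, and the literal brackets and parentheses are escaped. The combined (?:name|value) variant goes beyond the thread by catching both Suhosin alerts with one rule.

```python
import re

# Constructed sample syslog lines modelled on the Suhosin ALERTs quoted in the
# thread (dropped-variable garbage shortened; attacker IP as in the thread).
SAMPLE_LOG = r"""
Jan  4 11:53:47 homepage suhosin[17930]: ALERT - configured request variable name length limit exceeded - dropped variable '-J3^>;c#/m08N3eiCh}mZ6#VQz*Fh' (attacker '24.156.217.14', file '/var/www/speedtest/speedtest/upload.php')
Jan  4 11:53:47 homepage suhosin[17930]: ALERT - configured request variable name length limit exceeded - dropped variable 'FilB%_e*i20mxOi"P^pOWnQn>u_}5L' (attacker '24.156.217.14', file '/var/www/speedtest/speedtest/upload.php')
Jan  4 11:54:02 homepage suhosin[17930]: ALERT - configured request variable value length limit exceeded - dropped variable 'payload' (attacker '198.51.100.7', file '/var/www/speedtest/speedtest/upload.php')
Jan  4 11:54:10 homepage sshd[2201]: Accepted publickey for ross from 192.0.2.5 port 51422 ssh2
""".strip().splitlines()

# Simplified stand-in for Fail2Ban's <HOST> expansion (IPv4 only; assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The thread's filter in Python re syntax: \d for [[:digit:]], literal [ ] ( ) escaped.
FAILREGEX_VALUE = (
    r"suhosin\[\d+\]: ALERT - configured request variable value length limit exceeded"
    r" - dropped variable '.*' \(attacker '<HOST>', file '/var/www/speedtest/speedtest/upload.php'\)$"
)
# The corrected filter from the reply: the log says "name", not "value".
FAILREGEX_NAME = FAILREGEX_VALUE.replace("variable value length", "variable name length")
# One rule covering both Suhosin length alerts (goes beyond the thread).
FAILREGEX_BOTH = FAILREGEX_VALUE.replace("variable value length", "variable (?:name|value) length")


def compile_filter(failregex: str) -> re.Pattern:
    """Expand <HOST> before compiling, as Fail2Ban does for each failregex line."""
    return re.compile(failregex.replace("<HOST>", HOST))


def matched_hosts(failregex: str, lines) -> list:
    """Return the attacker IP of every line the filter matches, in log order."""
    pattern = compile_filter(failregex)
    return [m.group("host") for m in map(pattern.search, lines) if m]


if __name__ == "__main__":
    for label, rx in (("value", FAILREGEX_VALUE), ("name", FAILREGEX_NAME), ("both", FAILREGEX_BOTH)):
        print(f"{label:>5}: {matched_hosts(rx, SAMPLE_LOG)}")
```

The "value" filter bans nobody for the lines that prompted the thread, the "name" filter picks up both of them, and the combined filter is what you would actually ship if you want either alert to count toward a ban.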