troglogeek / fail2ban-apache-sqlinject Goto Github PK
View Code? Open in Web Editor NEWA fail2ban filter used to react to some forms of SQL injections using GET parameters
License: GNU General Public License v3.0
A fail2ban filter used to react to some forms of SQL injections using GET parameters
License: GNU General Public License v3.0
This regex can catch legit lines. Here is an example:
XX.XX.XX.XX - - [date] "GET /wp-admin/options-general.php?page=wp-updates-notifier&settings-updated=true HTTP/1.1" 200 24177 "http://domain.tld/wp-admin/options-general.php?page=wp-updates-notifier" "User-Agent"
The sqlfragments_generic
will match on update.*set
.
If a find a solution I will keep you posted.
Thanks for posting this filter; it has been useful.
I had several Wordpress users blocked due to false positives, which I traced to the following line. To resolve the problem I changed the following line to add spaces around the keywords; real sql attempts must have spaces around words such as 'update' and 'set'. The following is one long line.
sqlfragments_generic = select(+|%%20).(+|%%20)from|delete(+|%%20).(+|%%20)from|update(+|%%20).(+|%%20)set|insert(+|%%20).(+|%%20)into|replace(+|%%20).*(+|%%20)(value|set)
Hi, your log filter is exactly what I was looking for but I can't get it to catch the following log entry. Should it or do I need to modify it somehow?
172.56.17.13 - - [25/Sep/2014:13:19:41 -0700] "mysitesdomain.com/go.php?siteid=936141763%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--%20" 404 115 "-" "Mozilla/5.0 (Linux; Android 4.4.4; Nexus 5 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.117 Mobile Safari/537.36"
My website recently got hit with a bunch of SQL Injection attempts, none of which appear to have been successful, but these miscreants need to be dealt with. I run fail2ban and found your filter high in the Google Search. When I tested your filter against my logs, it flagged some lines but missed a lot that looked decidedly suspicions. Some were due to uppercase SELECT or UNION. Others I suspect are the way the hackers are creating the SELECT/UNION commands on the fly.
Have you considered re-activating this project? I am a newbie at regex, but am willing to help.
Thanks, Norbert
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.