Apache & Fail2ban: protecting a web server from blind brute-force attacks

Task: protect an Apache2 web server from attacks that blindly probe for bugs in whatever CMS the site might be running, which look like this in the access log:

surdoserver.ru:80 127.0.0.1 - - [23/Dec/2011:07:20:11 +0000] "GET /install.php?phpbb_root_dir=../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
surdoserver.ru:80 127.0.0.1 - - [23/Dec/2011:07:20:11 +0000] "GET /mantis/login_page.php?g_meta_inc_dir=../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
surdoserver.ru:80 127.0.0.1 - - [23/Dec/2011:07:20:11 +0000] "GET /page.php?template=../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
surdoserver.ru:80 127.0.0.1 - - [23/Dec/2011:07:20:11 +0000] "GET /phorum/admin/actions/del.php?include_path=../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
surdoserver.ru:80 127.0.0.1 - - [23/Dec/2011:07:20:11 +0000] "GET /pollensondage.inc.php?app_path=../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
surdoserver.ru:80 127.0.0.1 - - [23/Dec/2011:07:20:40 +0000] "GET /joomla/index.php?option=com_sbsfile&controller= ../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
surdoserver.ru:80 127.0.0.1 - - [23/Dec/2011:07:20:41 +0000] "GET /joomla/index.php?option=com_rokdownloads&controller= ../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
surdoserver.ru:80 127.0.0.1 - - [23/Dec/2011:07:20:41 +0000] "GET /joomla/index.php?option=com_sectionex&controller= ../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
surdoserver.ru:80 127.0.0.1 - - [23/Dec/2011:07:20:41 +0000] "GET /joomla/index.php?option=com_ganalytics&controller= ../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
surdoserver.ru:80 127.0.0.1 - - [23/Dec/2011:07:20:41 +0000] "GET /joomla/index.php?option=com_janews&controller= ../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"
surdoserver.ru:80 127.0.0.1 - - [23/Dec/2011:07:20:41 +0000] "GET /joomla/index.php?option=com_linkr&controller= ../../../../../../../proc/self/environ%00 HTTP/1.0" 404 3449 "-" "<?php system(\"id\"); ?>"

Solution: use Fail2ban, the open-source attack filter and monitor for various services (vsftp, ssh, Apache and others). To do so:

  1. Create the file /etc/fail2ban/filter.d/apache-404.conf
  2. Put the following in it:
    [Definition]
    # Every request answered with HTTP 404 counts as a failure; the named group "host" is the client IP.
    # The scanner above never finds its target files, so each probe is one more 404 from the same address.
    failregex = (?P<host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+ 404 [0-9]+ "
    # Browsers request /favicon.ico on their own; do not count a missing favicon against a legitimate visitor.
    ignoreregex = favicon\.ico
    
  3. Add the following to /etc/fail2ban/jail.local:
    [apache-404]
    enabled = true
    # block the banned address on both web ports
    port = http,https
    filter = apache-404
    logpath = /var/log/apache*/*access.log
    # a client that produces maxretry (5) matching 404s within findtime (600 s) is banned for bantime (3600 s)
    bantime = 3600
    findtime = 600
    maxretry = 5
    
  4. Restart fail2ban from the console:
    /etc/init.d/fail2ban restart
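As an added example (not part of the original post; written in Python because fail2ban itself compiles failregex with Python's re module), the following emulates the apache-404 jail over constructed log lines in the post's format: a scanner that hits maxretry 404s inside findtime is listed for banning, a visitor's missing favicon is skipped by ignoreregex, and a host whose 404s are spaced wider than findtime is not banned. The IP addresses other than 127.0.0.1 and the extra request paths are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Regexes copied from the apache-404 filter above; fail2ban compiles them with Python's re.
FAILREGEX = re.compile(r'(?P<host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+ 404 [0-9]+ "')
IGNOREREGEX = re.compile(r'favicon\.ico')
TIMEREGEX = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')

def logline(host, clock, request, status):
    """Build one constructed access-log line in the vhost-prefixed format used in the post."""
    return (f'surdoserver.ru:80 {host} - - [23/Dec/2011:{clock} +0000] '
            f'"GET {request} HTTP/1.0" {status} 3449 "-" "-"')

# Constructed sample: a fast scanner, a legitimate visitor, and a slow scanner spaced beyond findtime.
SAMPLE_LOG = "\n".join(
    [logline("127.0.0.1", f"07:20:{11 + i:02d}", p, 404) for i, p in enumerate([
        "/install.php?phpbb_root_dir=../../../../../../../proc/self/environ%00",
        "/mantis/login_page.php", "/page.php?template=x", "/phorum/admin/actions/del.php",
        "/pollensondage.inc.php", "/joomla/index.php?option=com_sbsfile"])]
    + [logline("198.51.100.7", "07:21:00", "/", 200),
       logline("198.51.100.7", "07:21:01", "/favicon.ico", 404),
       logline("198.51.100.7", "07:21:02", "/old-page.html", 404)]
    + [logline("203.0.113.9", clock, f"/probe{i}.php", 404) for i, clock in
       enumerate(["07:25:00", "07:37:00", "07:49:00", "08:01:00", "08:13:00"])])

def parse_time(line):
    return datetime.strptime(TIMEREGEX.search(line).group(1), "%d/%b/%Y:%H:%M:%S")

def hosts_to_ban(log_text, findtime=600, maxretry=5):
    """Emulate the jail: ban a host once it has maxretry matching lines within findtime seconds."""
    recent = {}     # host -> timestamps of matching lines still inside the findtime window
    banned = []
    for line in log_text.splitlines():
        if IGNOREREGEX.search(line) or not FAILREGEX.search(line):
            continue    # ignoreregex wins first, then failregex must match
        host = FAILREGEX.search(line).group("host")
        ts = parse_time(line)
        window = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))   # ['127.0.0.1']
```

Against a real log, fail2ban's own `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-404.conf` performs the same match check and reports how many lines the filter catches before the jail is enabled.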