fail2ban apache noscript

rolapp

Fan of the SSF
I need some help from regex experts.
The following log entries have already been reported here a few times.

access.log:
Code:
64.45.194.139 - - [22/Dec/2013:12:34:47 +0100] "GET / HTTP/1.0" 400 0 "-" "-"
64.45.194.139 - - [22/Dec/2013:12:34:47 +0100] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 500 2174 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
64.45.194.139 - - [22/Dec/2013:12:34:48 +0100] "POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 500 2174 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
64.45.194.139 - - [22/Dec/2013:12:34:49 +0100] "POST /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 2862 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
64.45.194.139 - - [22/Dec/2013:12:34:49 +0100] "POST /cgi-bin/php.cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 2862 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
64.45.194.139 - - [22/Dec/2013:12:34:50 +0100] "POST /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 2862 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"

the matching error.log
Code:
[Sun Dec 22 12:34:47.731976 2013] [cgi:error] [pid 25863] [client 64.45.194.139:34789] malformed header from script 'php': Bad header: <b>Security Alert!</b> The PHP
[Sun Dec 22 12:34:48.423929 2013] [cgi:error] [pid 25865] [client 64.45.194.139:35493] malformed header from script 'php5': Bad header: <b>Security Alert!</b> The PHP
[Sun Dec 22 12:34:49.005986 2013] [cgi:error] [pid 27412] [client 64.45.194.139:35829] script not found or unable to stat: /usr/lib/cgi-bin/php-cgi
[Sun Dec 22 12:34:49.604787 2013] [cgi:error] [pid 25864] [client 64.45.194.139:36244] script not found or unable to stat: /usr/lib/cgi-bin/php.cgi
[Sun Dec 22 12:34:50.172920 2013] [cgi:error] [pid 27411] [client 64.45.194.139:36415] script not found or unable to stat: /usr/lib/cgi-bin/php4

I have now enabled the apache-noscript filter.
Code:
failregex = ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$
            ^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$
I haven't changed anything there, and the path to the log file is correct too.
Code:
[apache-noscript]

enabled  = true
port     = http,https
filter   = apache-noscript
logpath  = /var/log/apache*/*error.log
maxretry = 2
findtime = 86400

I raised findtime for testing.
fail2ban was of course restarted.
I tested it on the console with fail2ban-regex:
Code:
fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-noscript.conf 

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/apache-noscript.conf
Use log file   : /var/log/apache2/error.log


Results
=======

Failregex
|- Regular expressions:
|  [1] ^\[[^]]+\] \[error\] \[client <HOST>\] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$
|  [2] ^\[[^]]+\] \[error\] \[client <HOST>\] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$
|
`- Number of matches:
   [1] 0 match(es)
   [2] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.

That should actually work, or am I just missing something obvious?

The system is the isgenug from OVH with Ubuntu 12.04, without Plesk.

I have now tested fail2ban on the ssh port; that works.

Thanks in advance
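An added example, not part of the post and not fail2ban's own filter code, that reproduces the "0 match(es)" result and shows why: the expanded regex that fail2ban-regex printed expects the Apache 2.2 prefix `[error] [client IP]` and a path ending in .php/.asp/.exe/.pl, whereas the posted error.log lines use the Apache 2.4 layout `[cgi:error] [pid N] [client IP:port]` and point at `/usr/lib/cgi-bin/php-cgi` and similar names without such a suffix. The `HOST` pattern is a simplified stand-in for fail2ban's `<HOST>` tag, the `ADJUSTED` regex is an assumed adjustment for this log layout, and the fourth log line is a constructed negative control.

```python
import re
from collections import Counter

# Constructed sample in the Apache 2.4 error-log layout from the post
# (first three lines are taken from the post; the fourth is a constructed
# negative control that must not be treated as a script probe).
SAMPLE_LOG = """\
[Sun Dec 22 12:34:49.005986 2013] [cgi:error] [pid 27412] [client 64.45.194.139:35829] script not found or unable to stat: /usr/lib/cgi-bin/php-cgi
[Sun Dec 22 12:34:49.604787 2013] [cgi:error] [pid 25864] [client 64.45.194.139:36244] script not found or unable to stat: /usr/lib/cgi-bin/php.cgi
[Sun Dec 22 12:34:50.172920 2013] [cgi:error] [pid 27411] [client 64.45.194.139:36415] script not found or unable to stat: /usr/lib/cgi-bin/php4
[Sun Dec 22 12:40:00.000000 2013] [core:error] [pid 25870] [client 198.51.100.7:40000] File does not exist: /var/www/html/favicon.ico
"""

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only; stops before ':port').
HOST = r"(?P<host>[\w.\-]+)"
REASON = r"(File does not exist|script not found or unable to stat): "

# The expanded regex that fail2ban-regex printed in the post: Apache 2.2 layout
# "[error] [client IP]" and a path that must end in .php/.asp/.exe/.pl.
ORIGINAL = re.compile(
    r"^\[[^]]+\] \[error\] \[client " + HOST + r"\] " + REASON
    + r"/\S*(\.php|\.asp|\.exe|\.pl)\s*$"
)

# Assumed adjustment (not fail2ban's shipped filter): optional "module:" tag,
# optional "[pid N]", optional ":port" after the client IP, and any script
# path under cgi-bin in addition to the original extensions.
ADJUSTED = re.compile(
    r"^\[[^]]+\] \[(?:\w+:)?error\](?: \[pid \d+\])? \[client " + HOST
    + r"(?::\d+)?\] " + REASON
    + r"/\S*(?:cgi-bin/\S+|\.php|\.asp|\.exe|\.pl)\s*$"
)


def match_hosts(regex, log_text):
    """Return the client host for every line the regex matches, in order."""
    return [m.group("host") for line in log_text.splitlines()
            if (m := regex.match(line))]


def offenders(regex, log_text, maxretry):
    """Hosts with at least maxretry matching lines (the jail's ban condition)."""
    counts = Counter(match_hosts(regex, log_text))
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("original filter:", match_hosts(ORIGINAL, SAMPLE_LOG))
    print("adjusted filter:", match_hosts(ADJUSTED, SAMPLE_LOG))
    print("would be banned:", offenders(ADJUSTED, SAMPLE_LOG, maxretry=2))
```

With the jail's maxretry = 2, the adjusted pattern would flag 64.45.194.139 after its second probe, while the favicon miss from the other address is left alone.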