===== Protection anti-robots par reaction ===== Nous utilisons [[https://blog.ppom.me/fr-reaction/|reaction]], une alternative efficiente à fail2ban, pour bannir temporairement les adresses à l'origine d'un comportement abusif. On considère comme abusif, notamment : les requêtes envoyées à nos systèmes à un rythme trop élevé, les activités de reconnaissance de nos systèmes, les tentatives d'exploitation de vulnérabilités réelles ou supposées de nos systèmes, les requêtes malformées.... ==== Filtres pour nginx ==== filters: { // nginx's default combined log format: // $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" // Ban suspect HTTP requests // Those are frequent malicious requests I got from bots // Make sure you don't have honnest use cases for those requests, or your clients may be banned for 2 weeks! suspectRequests: { regex: import 'reaction/nginx_regex.jsonnet', retry: 2, retryperiod: '6h', actions: banFor('48h'), }, bruteForce: { regex: [ // POST request leading to response "403 Forbidden", // such as a failed login attempt. @'^ - [^\[]+\[[^\]]+\] "POST [^"]*" 403', // Response "429 Too Many Requests" @'^ - [^\[]+\[[^\]]+\] "[^"]*" 429', ], retry: 4, retryperiod: '6h', actions: banFor('6h'), }, }, [ // Response "400 Bad request" if query type not GET nor POST @'^ - [^\[]+\[[^\]]+\] "[^PG][^"]*" 400', @'^ - [^\[]+\[[^\]]+\] "[^"][^OE][^"]*" 400', @'^ - [^\[]+\[[^\]]+\] "[^"]{2}[^ST][^"]*" 400', // (?:[^/" ]*/)* is a "non-capturing group" regex that allow for subpath(s) // example: /code/.env should be matched as well as /.env // ^^^^^ @'^.*"GET /(?:[^/" ]*/)*\.aws/', @'^.*"GET /(?:[^/" ]*/)*\.env ', @'^.*"GET /(?:[^/" ]*/)*\.git/config ', @'^.*"GET /(?:[^/" ]*/)*auth.html ', @'^.*"GET /(?:[^/" ]*/)*auth1.html ', @'^.*"GET /(?:[^/" ]*/)*password.txt ', @'^.*"GET /(?:[^/" ]*/)*passwords.txt ', @'^.*"GET /(?:[^/" ]*/)*dns-query ', @'^.*"GET /(?:[^/" ]*/)*info\.php[^"]*" 4[0-9][0-9]', @'^.*"GET /(?:[^/" ]*/)*phpinfo\.php[^"]*" 4[0-9][0-9]', @'^.*"GET /(?:[^/" ]*/)*wp-content/[^"]*\.php[^"]*" 4[0-9][0-9]', @'^.*"GET /(?:[^/" ]*/)*wp-login\.php[^"]*" 4[0-9][0-9]', @'^.*"GET /(?:[^/" ]*/)*wp-includes[^"]*" 4[0-9][0-9]', @'^.*"GET /(?:[^/" ]*/)*xmlrpc\.php[^"]*" 4[0-9][0-9]', @'^.*"GET /(?:[^/" ]*/)*config\.json [^"]*" 4[0-9][0-9]', // Likely scanning or recon @'^.*"GET /(?:[^/" ]*/)*\.DS_Store [^"]*" 4[0-9][0-9]', // macOS @'^.*"GET /(?:[^/" ]*/)*api/v2/hoverfly/version [^"]*" 4[0-9][0-9]', // Hoverfly @'^.*"GET /(?:[^/" ]*/)*ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application[^"]*" 4[0-9][0-9]', // Microsoft Exchange eDiscovery @'^.*"GET /json/login_session [^"]*" 4[0-9][0-9]', // HP iLO remote console @'^.*"GET /owa/auth/logon.aspx [^"]*" 4[0-9][0-9]', // Microsoft Exchange @'^.*"GET /photo/webapi/query\.[^"]*" 4[0-9][0-9]', // Synology PhotoStation API // Likely exploit attempts @'^.*"GET /(?:[^/" ]*/)*phpunit/(?:[^/" ]*/)*Util/PHP/eval-stdin.php', // CVE-2017-9841 @'^.*"GET /(?:[^/" ]*/)*autodiscover\.json[^"]*@[^"]*[Pp]ower[Ss]hell', // CVE-2022-41082 @'^.*"GET /owa/auth/x.js [^"]*" 4[0-9][0-9]', // CVE-2021-26855 @'^.*"GET /(?:[^/" ]*/)*(\.|%2e){2}(/|%2f)[^"]*" 4[0-9][0-9]', // CWE-22, https://owasp.org/www-community/attacks/Path_Traversal @'^.*"POST /(?:[^/" ]*/)*(\.|%2e){2}(/|%2f)[^"]*" 4[0-9][0-9]', // CWE-22, https://owasp.org/www-community/attacks/Path_Traversal // Unusual QUERY type (WebDav, ...) with an error response @'^ - [^\[]+\[[^\]]+\] "PROPFIND [^"]*" 40[0345]', @'^ - [^\[]+\[[^\]]+\] "PROPPATCH [^"]*" 40[0345]', @'^ - [^\[]+\[[^\]]+\] "PUT [^"]*" 40[0345]', ]