===== Protection anti-robots par reaction =====
Nous utilisons [[https://blog.ppom.me/fr-reaction/|reaction]], une alternative efficiente à fail2ban, pour bannir temporairement les adresses à l'origine d'un comportement abusif.
On considère comme abusif, notamment : les requêtes envoyées à nos systèmes à un rythme trop élevé, les activités de reconnaissance de nos systèmes, les tentatives d'exploitation de vulnérabilités réelles ou supposées de nos systèmes, les requêtes malformées....
==== Filtres pour nginx ====
filters: {
// nginx's default combined log format:
// $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
// Ban suspect HTTP requests
// Those are frequent malicious requests I got from bots
// Make sure you don't have honnest use cases for those requests, or your clients may be banned for 2 weeks!
suspectRequests: {
regex: import 'reaction/nginx_regex.jsonnet',
retry: 2,
retryperiod: '6h',
actions: banFor('48h'),
},
bruteForce: {
regex: [
// POST request leading to response "403 Forbidden",
// such as a failed login attempt.
@'^ - [^\[]+\[[^\]]+\] "POST [^"]*" 403',
// Response "429 Too Many Requests"
@'^ - [^\[]+\[[^\]]+\] "[^"]*" 429',
],
retry: 4,
retryperiod: '6h',
actions: banFor('6h'),
},
},
[
// Response "400 Bad request" if query type not GET nor POST
@'^ - [^\[]+\[[^\]]+\] "[^PG][^"]*" 400',
@'^ - [^\[]+\[[^\]]+\] "[^"][^OE][^"]*" 400',
@'^ - [^\[]+\[[^\]]+\] "[^"]{2}[^ST][^"]*" 400',
// (?:[^/" ]*/)* is a "non-capturing group" regex that allow for subpath(s)
// example: /code/.env should be matched as well as /.env
// ^^^^^
@'^.*"GET /(?:[^/" ]*/)*\.aws/',
@'^.*"GET /(?:[^/" ]*/)*\.env ',
@'^.*"GET /(?:[^/" ]*/)*\.git/config ',
@'^.*"GET /(?:[^/" ]*/)*auth.html ',
@'^.*"GET /(?:[^/" ]*/)*auth1.html ',
@'^.*"GET /(?:[^/" ]*/)*password.txt ',
@'^.*"GET /(?:[^/" ]*/)*passwords.txt ',
@'^.*"GET /(?:[^/" ]*/)*dns-query ',
@'^.*"GET /(?:[^/" ]*/)*info\.php[^"]*" 4[0-9][0-9]',
@'^.*"GET /(?:[^/" ]*/)*phpinfo\.php[^"]*" 4[0-9][0-9]',
@'^.*"GET /(?:[^/" ]*/)*wp-content/[^"]*\.php[^"]*" 4[0-9][0-9]',
@'^.*"GET /(?:[^/" ]*/)*wp-login\.php[^"]*" 4[0-9][0-9]',
@'^.*"GET /(?:[^/" ]*/)*wp-includes[^"]*" 4[0-9][0-9]',
@'^.*"GET /(?:[^/" ]*/)*xmlrpc\.php[^"]*" 4[0-9][0-9]',
@'^.*"GET /(?:[^/" ]*/)*config\.json [^"]*" 4[0-9][0-9]',
// Likely scanning or recon
@'^.*"GET /(?:[^/" ]*/)*\.DS_Store [^"]*" 4[0-9][0-9]', // macOS
@'^.*"GET /(?:[^/" ]*/)*api/v2/hoverfly/version [^"]*" 4[0-9][0-9]', // Hoverfly
@'^.*"GET /(?:[^/" ]*/)*ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application[^"]*" 4[0-9][0-9]', // Microsoft Exchange eDiscovery
@'^.*"GET /json/login_session [^"]*" 4[0-9][0-9]', // HP iLO remote console
@'^.*"GET /owa/auth/logon.aspx [^"]*" 4[0-9][0-9]', // Microsoft Exchange
@'^.*"GET /photo/webapi/query\.[^"]*" 4[0-9][0-9]', // Synology PhotoStation API
// Likely exploit attempts
@'^.*"GET /(?:[^/" ]*/)*phpunit/(?:[^/" ]*/)*Util/PHP/eval-stdin.php', // CVE-2017-9841
@'^.*"GET /(?:[^/" ]*/)*autodiscover\.json[^"]*@[^"]*[Pp]ower[Ss]hell', // CVE-2022-41082
@'^.*"GET /owa/auth/x.js [^"]*" 4[0-9][0-9]', // CVE-2021-26855
@'^.*"GET /(?:[^/" ]*/)*(\.|%2e){2}(/|%2f)[^"]*" 4[0-9][0-9]', // CWE-22, https://owasp.org/www-community/attacks/Path_Traversal
@'^.*"POST /(?:[^/" ]*/)*(\.|%2e){2}(/|%2f)[^"]*" 4[0-9][0-9]', // CWE-22, https://owasp.org/www-community/attacks/Path_Traversal
// Unusual QUERY type (WebDav, ...) with an error response
@'^ - [^\[]+\[[^\]]+\] "PROPFIND [^"]*" 40[0345]',
@'^ - [^\[]+\[[^\]]+\] "PROPPATCH [^"]*" 40[0345]',
@'^ - [^\[]+\[[^\]]+\] "PUT [^"]*" 40[0345]',
]