Ceci est une ancienne révision du document !
Protection anti-robots par reaction
Nous utilisons reaction, une alternative efficiente à fail2ban, pour bannir temporairement les robots dont le comportement est abusif, notamment le balayage agressif des serveurs, visant à énumérer et attaquer les applications potentiellement vulnérables.
Filtres pour nginx
filters: {
// nginx's default combined log format:
// $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
// Ban suspect HTTP requests
// Those are frequent malicious requests I got from bots
// Make sure you don't have honnest use cases for those requests, or your clients may be banned for 2 weeks!
suspectRequests: {
regex: [
// Response "400 Bad request" if query type not GET nor POST
@'^<ip> - [^\[]+\[[^\]]+\] "[^PG][^"]*" 400',
@'^<ip> - [^\[]+\[[^\]]+\] "[^"][^OE][^"]*" 400',
@'^<ip> - [^\[]+\[[^\]]+\] "[^"]{2}[^ST][^"]*" 400',
// (?:[^/" ]*/)* is a "non-capturing group" regex that allow for subpath(s)
// example: /code/.env should be matched as well as /.env
// ^^^^^
@'^<ip>.*"GET /(?:[^/" ]*/)*\.aws/',
@'^<ip>.*"GET /(?:[^/" ]*/)*\.env ',
@'^<ip>.*"GET /(?:[^/" ]*/)*\.git/config ',
@'^<ip>.*"GET /(?:[^/" ]*/)*auth.html ',
@'^<ip>.*"GET /(?:[^/" ]*/)*auth1.html ',
@'^<ip>.*"GET /(?:[^/" ]*/)*password.txt ',
@'^<ip>.*"GET /(?:[^/" ]*/)*passwords.txt ',
@'^<ip>.*"GET /(?:[^/" ]*/)*dns-query ',
@'^<ip>.*"GET /(?:[^/" ]*/)*info\.php[^"]*" 4[0-9][0-9]',
@'^<ip>.*"GET /(?:[^/" ]*/)*phpinfo\.php[^"]*" 4[0-9][0-9]',
@'^<ip>.*"GET /(?:[^/" ]*/)*wp-content/[^"]*\.php[^"]*" 4[0-9][0-9]',
@'^<ip>.*"GET /(?:[^/" ]*/)*wp-login\.php[^"]*" 4[0-9][0-9]',
@'^<ip>.*"GET /(?:[^/" ]*/)*wp-includes[^"]*" 4[0-9][0-9]',
@'^<ip>.*"GET /(?:[^/" ]*/)*xmlrpc\.php[^"]*" 4[0-9][0-9]',
@'^<ip>.*"GET /(?:[^/" ]*/)*config\.json [^"]*" 4[0-9][0-9]',
// Likely scanning or recon
@'^<ip>.*"GET /(?:[^/" ]*/)*\.DS_Store [^"]*" 4[0-9][0-9]', // macOS
@'^<ip>.*"GET /(?:[^/" ]*/)*api/v2/hoverfly/version [^"]*" 4[0-9][0-9]', // Hoverfly
@'^<ip>.*"GET /(?:[^/" ]*/)*ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application[^"]*" 4[0-9][0-9]', // Microsoft Exchange eDiscovery
@'^<ip>.*"GET /json/login_session [^"]*" 4[0-9][0-9]', // HP iLO remote console
@'^<ip>.*"GET /owa/auth/logon.aspx [^"]*" 4[0-9][0-9]', // Microsoft Exchange
@'^<ip>.*"GET /photo/webapi/query\.[^"]*" 4[0-9][0-9]', // Synology PhotoStation API
// Likely exploit attempts
@'^<ip>.*"GET /(?:[^/" ]*/)*phpunit/(?:[^/" ]*/)*Util/PHP/eval-stdin.php', // CVE-2017-9841
@'^<ip>.*"GET /(?:[^/" ]*/)*autodiscover\.json[^"]*@[^"]*[Pp]ower[Ss]hell', // CVE-2022-41082
@'^<ip>.*"GET /owa/auth/x.js [^"]*" 4[0-9][0-9]', // CVE-2021-26855
// Unusual QUERY type (WebDav, ...) with an error response
@'^<ip> - [^\[]+\[[^\]]+\] "PROPFIND [^"]*" 4[0-9][0-9]',
@'^<ip> - [^\[]+\[[^\]]+\] "PROPPATCH [^"]*" 4[0-9][0-9]',
@'^<ip> - [^\[]+\[[^\]]+\] "PUT [^"]*" 4[0-9][0-9]',
],
retry: 2,
retryperiod: '6h',
actions: banFor('48h'),
},
bruteForce: {
regex: [
// POST request leading to response "403 Forbidden",
// such as a failed login attempt.
@'^<ip> - [^\[]+\[[^\]]+\] "POST [^"]*" 403',
// Response "429 Too Many Requests"
@'^<ip> - [^\[]+\[[^\]]+\] "[^"]*" 429',
],
retry: 4,
retryperiod: '6h',
actions: banFor('6h'),
},
},