Ceci est une ancienne révision du document !
Protection anti-robots par reaction
Nous utilisons reaction, une alternative efficiente à fail2ban, pour bannir temporairement les robots dont le comportement est abusif, notamment le balayage agressif des serveurs, visant à énumérer et attaquer les applications potentiellement vulnérables.
Filtres pour nginx
- reaction.jsonnet
filters: { // nginx's default combined log format: // $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" // Ban suspect HTTP requests // Those are frequent malicious requests I got from bots // Make sure you don't have honnest use cases for those requests, or your clients may be banned for 2 weeks! suspectRequests: { regex: import 'reaction/nginx_regex.jsonnet', retry: 2, retryperiod: '6h', actions: banFor('48h'), }, bruteForce: { regex: [ // POST request leading to response "403 Forbidden", // such as a failed login attempt. @'^<ip> - [^\[]+\[[^\]]+\] "POST [^"]*" 403', // Response "429 Too Many Requests" @'^<ip> - [^\[]+\[[^\]]+\] "[^"]*" 429', ], retry: 4, retryperiod: '6h', actions: banFor('6h'), }, },
- reaction/nginx_regex.jsonnet
[ // Response "400 Bad request" if query type not GET nor POST @'^<ip> - [^\[]+\[[^\]]+\] "[^PG][^"]*" 400', @'^<ip> - [^\[]+\[[^\]]+\] "[^"][^OE][^"]*" 400', @'^<ip> - [^\[]+\[[^\]]+\] "[^"]{2}[^ST][^"]*" 400', // (?:[^/" ]*/)* is a "non-capturing group" regex that allow for subpath(s) // example: /code/.env should be matched as well as /.env // ^^^^^ @'^<ip>.*"GET /(?:[^/" ]*/)*\.aws/', @'^<ip>.*"GET /(?:[^/" ]*/)*\.env ', @'^<ip>.*"GET /(?:[^/" ]*/)*\.git/config ', @'^<ip>.*"GET /(?:[^/" ]*/)*auth.html ', @'^<ip>.*"GET /(?:[^/" ]*/)*auth1.html ', @'^<ip>.*"GET /(?:[^/" ]*/)*password.txt ', @'^<ip>.*"GET /(?:[^/" ]*/)*passwords.txt ', @'^<ip>.*"GET /(?:[^/" ]*/)*dns-query ', @'^<ip>.*"GET /(?:[^/" ]*/)*info\.php[^"]*" 4[0-9][0-9]', @'^<ip>.*"GET /(?:[^/" ]*/)*phpinfo\.php[^"]*" 4[0-9][0-9]', @'^<ip>.*"GET /(?:[^/" ]*/)*wp-content/[^"]*\.php[^"]*" 4[0-9][0-9]', @'^<ip>.*"GET /(?:[^/" ]*/)*wp-login\.php[^"]*" 4[0-9][0-9]', @'^<ip>.*"GET /(?:[^/" ]*/)*wp-includes[^"]*" 4[0-9][0-9]', @'^<ip>.*"GET /(?:[^/" ]*/)*xmlrpc\.php[^"]*" 4[0-9][0-9]', @'^<ip>.*"GET /(?:[^/" ]*/)*config\.json [^"]*" 4[0-9][0-9]', // Likely scanning or recon @'^<ip>.*"GET /(?:[^/" ]*/)*\.DS_Store [^"]*" 4[0-9][0-9]', // macOS @'^<ip>.*"GET /(?:[^/" ]*/)*api/v2/hoverfly/version [^"]*" 4[0-9][0-9]', // Hoverfly @'^<ip>.*"GET /(?:[^/" ]*/)*ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application[^"]*" 4[0-9][0-9]', // Microsoft Exchange eDiscovery @'^<ip>.*"GET /json/login_session [^"]*" 4[0-9][0-9]', // HP iLO remote console @'^<ip>.*"GET /owa/auth/logon.aspx [^"]*" 4[0-9][0-9]', // Microsoft Exchange @'^<ip>.*"GET /photo/webapi/query\.[^"]*" 4[0-9][0-9]', // Synology PhotoStation API // Likely exploit attempts @'^<ip>.*"GET /(?:[^/" ]*/)*phpunit/(?:[^/" ]*/)*Util/PHP/eval-stdin.php', // CVE-2017-9841 @'^<ip>.*"GET /(?:[^/" ]*/)*autodiscover\.json[^"]*@[^"]*[Pp]ower[Ss]hell', // CVE-2022-41082 @'^<ip>.*"GET /owa/auth/x.js [^"]*" 4[0-9][0-9]', // CVE-2021-26855 @'^<ip>.*"GET /(?:[^/" ]*/)*(\.|%2e){2}(/|%2f)[^"]*" 4[0-9][0-9]', // CWE-22, https://owasp.org/www-community/attacks/Path_Traversal @'^<ip>.*"POST /(?:[^/" ]*/)*(\.|%2e){2}(/|%2f)[^"]*" 4[0-9][0-9]', // CWE-22, https://owasp.org/www-community/attacks/Path_Traversal // Unusual QUERY type (WebDav, ...) with an error response @'^<ip> - [^\[]+\[[^\]]+\] "PROPFIND [^"]*" 40[0345]', @'^<ip> - [^\[]+\[[^\]]+\] "PROPPATCH [^"]*" 40[0345]', @'^<ip> - [^\[]+\[[^\]]+\] "PUT [^"]*" 40[0345]', ]