Ceci est une ancienne révision du document !


Nous utilisons reaction, une alternative efficiente à fail2ban, pour bannir temporairement les adresses à l'origine d'un comportement abusif.

On considère comme abusif, notamment : les requêtes envoyées à nos systèmes à un rythme trop élevé, les activités de reconnaissance de nos systèmes, les tentatives d'exploitation de vulnérabilités réelles ou supposées de nos systèmes, ….

reaction.jsonnet
      filters: {
        // nginx's default combined log format:
        // $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
 
        // Ban suspect HTTP requests
        // Those are frequent malicious requests I got from bots
        // Make sure you don't have honnest use cases for those requests, or your clients may be banned for 2 weeks!
        suspectRequests: {
          regex: import 'reaction/nginx_regex.jsonnet',
          retry: 2,
          retryperiod: '6h',
          actions: banFor('48h'),
        },
        bruteForce: {
          regex: [
            // POST request leading to response "403 Forbidden",
            // such as a failed login attempt.
            @'^<ip> - [^\[]+\[[^\]]+\] "POST [^"]*" 403',
            // Response "429 Too Many Requests"
            @'^<ip> - [^\[]+\[[^\]]+\] "[^"]*" 429',
          ],
          retry: 4,
          retryperiod: '6h',
          actions: banFor('6h'),
        },
      },
reaction/nginx_regex.jsonnet
[
  // Response "400 Bad request" if query type not GET nor POST
  @'^<ip> - [^\[]+\[[^\]]+\] "[^PG][^"]*" 400',
  @'^<ip> - [^\[]+\[[^\]]+\] "[^"][^OE][^"]*" 400',
  @'^<ip> - [^\[]+\[[^\]]+\] "[^"]{2}[^ST][^"]*" 400',
  // (?:[^/" ]*/)* is a "non-capturing group" regex that allow for subpath(s)
  // example: /code/.env should be matched as well as /.env
  //           ^^^^^
  @'^<ip>.*"GET /(?:[^/" ]*/)*\.aws/',
  @'^<ip>.*"GET /(?:[^/" ]*/)*\.env ',
  @'^<ip>.*"GET /(?:[^/" ]*/)*\.git/config ',
  @'^<ip>.*"GET /(?:[^/" ]*/)*auth.html ',
  @'^<ip>.*"GET /(?:[^/" ]*/)*auth1.html ',
  @'^<ip>.*"GET /(?:[^/" ]*/)*password.txt ',
  @'^<ip>.*"GET /(?:[^/" ]*/)*passwords.txt ',
  @'^<ip>.*"GET /(?:[^/" ]*/)*dns-query ',
  @'^<ip>.*"GET /(?:[^/" ]*/)*info\.php[^"]*" 4[0-9][0-9]',
  @'^<ip>.*"GET /(?:[^/" ]*/)*phpinfo\.php[^"]*" 4[0-9][0-9]',
  @'^<ip>.*"GET /(?:[^/" ]*/)*wp-content/[^"]*\.php[^"]*" 4[0-9][0-9]',
  @'^<ip>.*"GET /(?:[^/" ]*/)*wp-login\.php[^"]*" 4[0-9][0-9]',
  @'^<ip>.*"GET /(?:[^/" ]*/)*wp-includes[^"]*" 4[0-9][0-9]',
  @'^<ip>.*"GET /(?:[^/" ]*/)*xmlrpc\.php[^"]*" 4[0-9][0-9]',
  @'^<ip>.*"GET /(?:[^/" ]*/)*config\.json [^"]*" 4[0-9][0-9]',
  // Likely scanning or recon
  @'^<ip>.*"GET /(?:[^/" ]*/)*\.DS_Store [^"]*" 4[0-9][0-9]', // macOS
  @'^<ip>.*"GET /(?:[^/" ]*/)*api/v2/hoverfly/version [^"]*" 4[0-9][0-9]', // Hoverfly
  @'^<ip>.*"GET /(?:[^/" ]*/)*ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application[^"]*" 4[0-9][0-9]', // Microsoft Exchange eDiscovery
  @'^<ip>.*"GET /json/login_session [^"]*" 4[0-9][0-9]', // HP iLO remote console
  @'^<ip>.*"GET /owa/auth/logon.aspx [^"]*" 4[0-9][0-9]', // Microsoft Exchange
  @'^<ip>.*"GET /photo/webapi/query\.[^"]*" 4[0-9][0-9]', // Synology PhotoStation API
  // Likely exploit attempts
  @'^<ip>.*"GET /(?:[^/" ]*/)*phpunit/(?:[^/" ]*/)*Util/PHP/eval-stdin.php', // CVE-2017-9841
  @'^<ip>.*"GET /(?:[^/" ]*/)*autodiscover\.json[^"]*@[^"]*[Pp]ower[Ss]hell', // CVE-2022-41082
  @'^<ip>.*"GET /owa/auth/x.js [^"]*" 4[0-9][0-9]', // CVE-2021-26855
  @'^<ip>.*"GET /(?:[^/" ]*/)*(\.|%2e){2}(/|%2f)[^"]*" 4[0-9][0-9]', // CWE-22, https://owasp.org/www-community/attacks/Path_Traversal
  @'^<ip>.*"POST /(?:[^/" ]*/)*(\.|%2e){2}(/|%2f)[^"]*" 4[0-9][0-9]', // CWE-22, https://owasp.org/www-community/attacks/Path_Traversal
  // Unusual QUERY type (WebDav, ...) with an error response
  @'^<ip> - [^\[]+\[[^\]]+\] "PROPFIND [^"]*" 40[0345]',
  @'^<ip> - [^\[]+\[[^\]]+\] "PROPPATCH [^"]*" 40[0345]',
  @'^<ip> - [^\[]+\[[^\]]+\] "PUT [^"]*" 40[0345]',
]
  • resume-technique/reaction.1760188532.txt.gz
  • Dernière modification : il y a 9 mois
  • de Daneel Olivaw