
Bug#366112: marked as forwarded (fail2ban: apache attacks xmlrpc)

Subject: Bug#366112: marked as forwarded fail2ban: apache attacks xmlrpc
From: Debian Bug Tracking System
Date: Tue, 09 May 2006 09:19:44 -0700
Your message dated Tue, 9 May 2006 12:03:12 -0400
with message-id <[email protected]>
has caused the Debian Bug report #366112,
regarding fail2ban: apache attacks xmlrpc
to be marked as having been forwarded to the upstream software
author(s) tech <[email protected]>, [email protected]

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Subject: Re: Bug#366112: fail2ban: apache attacks xmlrpc
From: Yaroslav Halchenko
Date: Tue, 9 May 2006 12:03:12 -0400
Hi Cyril,

Following this bug report:
I've decided to add this feature request to your list ;-)

Now maxfailures doesn't distinguish between different attack attempts,
so there is no difference whether there are 5 unsuccessful attempts for the
same account (which can simply be due to bad gray brain cells of the users),
or a sweep of 5 different tested login names.

Even more relevant: if there is an attack on apache trying to
exploit a known vulnerability, they blindly go through various URLs which
could be present on the server. So it is pretty much as with different login
names during an SSH attack. A single url from within this set can be valid
on its own, thus we should not ban the IP if it has multiple accesses to
the same "valid" URL.

Do you think it would make sense to add "maxdifffailures" which would
spot the scanning attempts? It would be useful for ssh as well, so
we could raise maxfailures up to 10 to allow users with bad memory
to finally get to their password, but have maxdifffailures around 4, so if
there is a sweep of attempts (different login names, different known
"weak" urls, etc), then it gets banned sooner. It can be quite easily
implemented by adding a named group in the current regexps (named
"target"), and keeping a list of hit targets for every detected attacker
IP. As soon as the list gets longer than maxdifffailures - ban it.

Please let me know what you think!
I think I can implement it in the current version (as soon as I get to
fail2ban :-) -- I have a backlog of things to do on it already, I know

On Fri, 05 May 2006, Yaroslav Halchenko wrote:

> I doubt that this wishlist should be addressed, due to the following:

> 1. fail2ban works at the moment on each log line independently, thus it
> is impossible to discriminate between multiple occasions of a single
> line (which could be totally "legal") and different multiple matches.

> 2. the xmlrpc vulnerability was fixed and there are multiple programs
> using it, and we don't want to block hosts which would access xmlrpc.php
> for a good reason ;-)

> thus at the moment I don't see this rule implemented.

> but I would suggest rephrasing this wishlist, maybe as a new feature
> request to have multiple separate regexps, and ban
> if a given IP scans through the list, trying to sense present vulnerable
> software. If you agree that it might be useful -- I would forward this
> wishlist upstream. If you think that the issue is minor - I would like
> to close the bug with "wontfix"
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     ([email protected]|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
                   Linux User    ^^-^^    [175555]

--- End Message ---
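The "maxdifffailures" idea from the message above, as an added example that is not part of the bug report or of fail2ban's own code: a failregex with a named `host` group and a named `target` group is run over Apache access-log lines, every matching IP gets a failure counter plus a set of distinct targets, and the IP is banned either when plain `maxfailures` is reached or when the number of distinct targets reaches `maxdifffailures` (treated inclusively here, like maxfailures; the message says "longer than", which is the same threshold shifted by one). The regex, the class and function names, and the log lines are all constructed for this example; the regex counts only 404 responses as failures, and no time window is modelled.

```python
import re
from collections import defaultdict

# Constructed failregex (not a fail2ban filter): Apache combined-log lines that
# ended in a 404, capturing the client IP as <host> and the request path as
# <target>. The <target> group is what the proposed maxdifffailures keys on.
FAIL_RE = re.compile(
    r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] '
    r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+" 404 '
)


class ScanDetector:
    """Per-IP state: total failures, distinct targets hit, and bans issued."""

    def __init__(self, maxfailures=10, maxdifffailures=4):
        self.maxfailures = maxfailures
        self.maxdifffailures = maxdifffailures
        self.failures = defaultdict(int)     # host -> number of matched lines
        self.targets = defaultdict(set)      # host -> set of distinct targets
        self.banned = set()

    def feed(self, line):
        """Process one log line; return (host, reason) when a ban is issued."""
        m = FAIL_RE.match(line)
        if m is None:
            return None                      # not a failure line at all
        host, target = m.group('host'), m.group('target')
        if host in self.banned:
            return None                      # already handled
        self.failures[host] += 1
        self.targets[host].add(target)
        # Plain threshold: many failures, whatever the target (a forgetful
        # user hitting the same stale link stays well under this).
        if self.failures[host] >= self.maxfailures:
            self.banned.add(host)
            return host, 'maxfailures'
        # Sweep threshold: few failures but spread over many different
        # targets, i.e. the scanning pattern the message describes.
        if len(self.targets[host]) >= self.maxdifffailures:
            self.banned.add(host)
            return host, 'maxdifffailures'
        return None


def scan(lines, maxfailures=10, maxdifffailures=4):
    """Run the detector over a sequence of log lines; return {host: reason}."""
    det = ScanDetector(maxfailures, maxdifffailures)
    bans = {}
    for line in lines:
        hit = det.feed(line)
        if hit:
            bans[hit[0]] = hit[1]
    return bans


def _line(host, sec, path, status):
    # Helper to build constructed Apache log lines for the sample below.
    return '%s - - [09/May/2006:12:00:%02d -0400] "GET %s HTTP/1.1" %d 291' % (
        host, sec, path, status)


# Constructed sample log: one sweeping host, one host repeatedly following a
# single stale link, one host hammering a single URL, one successful request.
SAMPLE_LOG = (
    [_line('10.0.0.5', i, p, 404) for i, p in enumerate(
        ['/xmlrpc.php', '/blog/xmlrpc.php', '/wp/xmlrpc.php', '/cms/xmlrpc.php'])]
    + [_line('10.0.0.7', 10 + i, '/old/page.html', 404) for i in range(5)]
    + [_line('10.0.0.9', 20 + i, '/missing.html', 404) for i in range(10)]
    + [_line('10.0.0.11', 40, '/index.html', 200)]
)

if __name__ == '__main__':
    for host, reason in scan(SAMPLE_LOG).items():
        print('ban %s (%s)' % (host, reason))
```

With the thresholds from the message (maxfailures=10, maxdifffailures=4) the sweeping host is banned after its fourth distinct URL, the host re-requesting one stale link five times is left alone, and the host hammering a single URL is caught by the ordinary maxfailures rule; raising maxdifffailures to 5 lets the four-URL sweep through, which is the tuning trade-off the message is asking about.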