How do I block MySQL EXTRACTVALUE requests with fail2ban?


How can I use fail2ban to block requests like these?

45.154.255.147 - - [25/May/2021:08:32:40 -0700] "GET /search.php?q=xgp%2F%2A%2A%2Fbangla%2F%2A%2A%2Fcom%27%20PROCEDURE%20ANALYSE%28EXTRACTVALUE%281915%2CCONCAT%280x5c%2C0x71707a6271%2C%28SELECT%20%28CASE%20WHEN%20%281915%3D1915%29%20THEN%201%20ELSE%200%20END%29%29%2C0x7176767071%29%29%2C1%29%20AND%20%27uOyt%27%3D%27uOyt HTTP/1.1" 200 11884 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b11pre) Gecko/20110129 Firefox/4.0b11pre"
46.232.249.138 - - [25/May/2021:08:36:28 -0700] "GET /search.php?q=xgp%2F%2A%2A%2Fbangla%2F%2A%2A%2Fcom%27%29%20PROCEDURE%20ANALYSE%28EXTRACTVALUE%281915%2CCONCAT%280x5c%2C0x71707a6271%2C%28SELECT%20%28CASE%20WHEN%20%281915%3D1915%29%20THEN%201%20ELSE%200%20END%29%29%2C0x7176767071%29%29%2C1%29%20AND%20%28%27BInS%27%20LIKE%20%27BInS HTTP/1.1" 200 10092 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b11pre) Gecko/20110129 Firefox/4.0b11pre"
45.129.56.200 - - [25/May/2021:08:36:37 -0700] "GET /search.php?q=xgp%2F%2A%2A%2Fbangla%2F%2A%2A%2Fcom%27%20PROCEDURE%20ANALYSE%28EXTRACTVALUE%281915%2CCONCAT%280x5c%2C0x71707a6271%2C%28SELECT%20%28CASE%20WHEN%20%281915%3D1915%29%20THEN%201%20ELSE%200%20END%29%29%2C0x7176767071%29%29%2C1%29%20AND%20%27htVh%27%20LIKE%20%27htVh HTTP/1.1" 200 11910 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b11pre) Gecko/20110129 Firefox/4.0b11pre"
23.129.64.232 - - [25/May/2021:08:36:39 -0700] "GET /search.php?q=xgp%2F%2A%2A%2Fbangla%2F%2A%2A%2Fcom%22%29%20PROCEDURE%20ANALYSE%28EXTRACTVALUE%281915%2CCONCAT%280x5c%2C0x71707a6271%2C%28SELECT%20%28CASE%20WHEN%20%281915%3D1915%29%20THEN%201%20ELSE%200%20END%29%29%2C0x7176767071%29%29%2C1%29%20AND%20%28%22CSNy%22%3D%22CSNy HTTP/1.1" 200 10054 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b11pre) Gecko/20110129 Firefox/4.0b11pre"
23.129.64.232 - - [25/May/2021:08:36:45 -0700] "GET /search.php?q=xgp%2F%2A%2A%2Fbangla%2F%2A%2A%2Fcom%22%20PROCEDURE%20ANALYSE%28EXTRACTVALUE%281915%2CCONCAT%280x5c%2C0x71707a6271%2C%28SELECT%20%28CASE%20WHEN%20%281915%3D1915%29%20THEN%201%20ELSE%200%20END%29%29%2C0x7176767071%29%29%2C1%29%20AND%20%22NYRo%22%3D%22NYRo HTTP/1.1" 200 10043 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b11pre) Gecko/20110129 Firefox/4.0b11pre"

Found with:

sudo grep "EXTRACTVALUE"  /var/log/httpd/access.log

Answer 1

Well, the regex could look like this:

^<ADDR> \S+ \S+ \[\] "GET /search\.php\?[^"]*EXTRACTVALUE[^"]*"

But I would not recommend doing that:

  • the service currently seems to answer 200, so the request looks like a valid one (no parameter validation?);
  • it could hit legitimate users (who accidentally send some "evil" word in their query);
  • an intruder can easily evade the ban by changing the SQL statement (switching to another function, splitting EXTRACTVALUE into two words, switching to an HTTP POST where the q parameter is not logged, etc.);
  • proper SQL injection prevention makes this kind of "attack" pointless and useless.

If it is really needed, it is better to prevent such "attacks" on the server side (for example in search.php or the API it uses), validating such URL parameters and responding with a 50x code. Then a fail2ban filter that checks for 50x codes can ban them as well.
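To see what the filter above would and would not catch, here is an added example (not part of the answer, and not fail2ban's own code) that emulates what fail2ban does with a failregex: it replaces `<ADDR>` with an IP-matching group, strips the timestamp so the `\[\]` in the pattern matches the empty brackets left behind, and then counts hits per IP inside a findtime window. It is run over three lines abridged from the question's access.log plus two constructed lines: a benign search that happens to contain the word, and the same payload with one letter URL-encoded. The IP addresses 192.0.2.10 and 198.51.100.7, the query strings of the constructed lines and the maxretry/findtime values are assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The failregex from the answer. fail2ban substitutes <ADDR> with an
# address-matching group and removes the part of the line matched by its
# datepattern before applying failregex; both steps are emulated below
# (assumption: a plain IPv4 group and the default Apache date layout).
FAILREGEX = r'^<ADDR> \S+ \S+ \[\] "GET /search\.php\?[^"]*EXTRACTVALUE[^"]*"'
ADDR_GROUP = r'(?P<addr>\d{1,3}(?:\.\d{1,3}){3})'
DATE_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]')
DATE_FMT = '%d/%b/%Y:%H:%M:%S %z'

# Sample input: three lines abridged from the question's log, followed by
# two constructed lines that are not from the original page.
SAMPLE_LOG = [
    '45.154.255.147 - - [25/May/2021:08:32:40 -0700] "GET /search.php?q=xgp%2F%2A%2A%2Fbangla%27%20PROCEDURE%20ANALYSE%28EXTRACTVALUE%281915%2C1%29 HTTP/1.1" 200 11884 "-" "Mozilla/5.0"',
    '23.129.64.232 - - [25/May/2021:08:36:39 -0700] "GET /search.php?q=xgp%22%29%20PROCEDURE%20ANALYSE%28EXTRACTVALUE%281915%2C1%29 HTTP/1.1" 200 10054 "-" "Mozilla/5.0"',
    '23.129.64.232 - - [25/May/2021:08:36:45 -0700] "GET /search.php?q=xgp%22%20PROCEDURE%20ANALYSE%28EXTRACTVALUE%281915%2C1%29 HTTP/1.1" 200 10043 "-" "Mozilla/5.0"',
    # constructed: a legitimate user searching for MySQL documentation
    '192.0.2.10 - - [25/May/2021:08:40:00 -0700] "GET /search.php?q=mysql+EXTRACTVALUE+tutorial HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    # constructed: same payload with the "V" URL-encoded as %56; PHP decodes
    # it before the query runs, but the access log keeps the raw request line
    '198.51.100.7 - - [25/May/2021:08:41:00 -0700] "GET /search.php?q=x%27%20AND%20EXTRACT%56ALUE%281%2C1%29 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]


def compile_failregex(failregex):
    """Expand the <ADDR> placeholder the way fail2ban does and compile."""
    return re.compile(failregex.replace('<ADDR>', ADDR_GROUP))


_FILTER = compile_failregex(FAILREGEX)


def match_line(line, regex=_FILTER):
    """Return (ip, timestamp) if the line matches the failregex, else None."""
    m = DATE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), DATE_FMT)
    # fail2ban strips the matched date, leaving the surrounding "[]"
    stripped = line[:m.start()] + '[]' + line[m.end():]
    fm = regex.match(stripped)
    if not fm:
        return None
    return fm.group('addr'), ts


def ips_to_ban(lines, maxretry=2, findtime=timedelta(minutes=10)):
    """Sliding-window hit count per IP, like fail2ban's maxretry/findtime."""
    hits = defaultdict(list)
    banned = set()
    for line in lines:
        r = match_line(line)
        if r is None:
            continue
        ip, ts = r
        window = [t for t in hits[ip] if ts - t <= findtime]
        window.append(ts)
        hits[ip] = window
        if len(window) >= maxretry:
            banned.add(ip)
    return banned


if __name__ == '__main__':
    for line in SAMPLE_LOG:
        print('MATCH ' if match_line(line) else 'no    ', line[:60])
    print('banned with maxretry=2:', sorted(ips_to_ban(SAMPLE_LOG)))
```

With maxretry=2 only 23.129.64.232 is banned, because it is the only address with two matching requests inside the window; with maxretry=1 the benign 192.0.2.10 search is banned too, while the %56-encoded request from 198.51.100.7 is never matched at all. That is the false-positive and evasion problem from the bullet list above in concrete form, and why the answer points at validation in search.php rather than at the log.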
