# Fail2Ban filter to block web requests on a long or suspicious nature # [INCLUDES] # overwrite with apache-common.local if _apache_error_client is incorrect. before = apache-common.conf [Definition] failregex = ^%(_apache_error_client)s (?:(?:AH0013[456]: )?Invalid (method|URI) in request\b|(?:AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string:|(?:AH00566: )?request failed: invalid characters in URI\b) ignoreregex = # DEV Notes: # # [sebres] Because this apache-log could contain very long URLs (and/or referrer), # the parsing of it anchored way may be very vulnerable (at least as regards # the system resources, see gh-1790). Thus rewritten without end-anchor ($). # # fgrep -r 'URI too long' httpd-2.* # httpd-2.2.25/server/protocol.c: "request failed: URI too long (longer than %d)", r->server->limit_req_line); # httpd-2.4.4/server/protocol.c: "request failed: URI too long (longer than %d)", # # fgrep -r 'in request' ../httpd-2.* | fgrep Invalid # httpd-2.2.25/server/core.c: "Invalid URI in request %s", r->the_request); # httpd-2.2.25/server/core.c: "Invalid method in request %s", r->the_request); # httpd-2.2.25/docs/manual/rewrite/flags.html.fr:avertissements 'Invalid URI in request'. # httpd-2.4.4/server/core.c: "Invalid URI in request %s", r->the_request); # httpd-2.4.4/server/core.c: "Invalid method in request %s - possible attempt to establish SSL connection on non-SSL port", r->the_request); # httpd-2.4.4/server/core.c: "Invalid method in request %s", r->the_request); # # fgrep -r 'invalid characters in URI' httpd-2.* # httpd-2.4.4/server/protocol.c: "request failed: invalid characters in URI"); # # http://svn.apache.org/viewvc/httpd/httpd/trunk/server/core.c?r1=739382&r2=739620&pathrev=739620 # ...possible attempt to establish SSL connection on non-SSL port # # https://wiki.apache.org/httpd/ListOfErrors # Author: Tim Connors