Hello,
One of my websites is flooded with this command:
GET /level/15/exec/-/sh/run/CR
When I google it, it seems someone is trying to use a Cisco router exploit.
Anyone who already made a fail2ban filter for this and wants to share?
Think this is a good base, but need the above command in it:
https://forum.codeigniter.com/post-374241.html
Adjust fail2ban to block GET /level/15/exec/-/sh/run/CR
This seems to work:
[Definition]
failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+wp-login.php.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+emaildirect.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+phpstorm.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+level/15.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+wp-admin.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+shell.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+XDEBUG.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+HelloThink.+$
ignoreregex =
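An offline check of the filter above against constructed access-log lines, as an added example that is not part of the original post. It assumes a simplified IPv4-only stand-in for `<HOST>` and emulates fail2ban removing the timestamp before matching; the names `banned_host`, `SAMPLE` and the log lines are made up for illustration. The last two lines show that the unanchored `.+keyword.+` patterns also hit ordinary requests.

```python
import re

# Keywords from the filter above; each becomes one failregex line.
KEYWORDS = ["wp-login.php", "emaildirect", "phpstorm", "level/15",
            "wp-admin", "shell", "XDEBUG", "HelloThink"]
FAILREGEX = [r'^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+%s.+$' % k for k in KEYWORDS]

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
COMPILED = [re.compile(rx.replace("<HOST>", HOST)) for rx in FAILREGEX]

# Assumption: emulate fail2ban cutting the matched timestamp out of the line,
# which leaves the empty brackets that the filter's \[\] expects.
TIMESTAMP = re.compile(r'\[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\]')


def banned_host(line):
    """Return the client IP if any failregex matches the line, else None."""
    stripped = TIMESTAMP.sub("[]", line, count=1)
    for rx in COMPILED:
        m = rx.search(stripped)
        if m:
            return m.group("host")
    return None


# Constructed access-log lines (documentation IP ranges), not real traffic.
TS = "[12/Mar/2020:10:15:32 +0100]"
SAMPLE = [
    # The probe from the question.
    '203.0.113.7 - - %s "GET /level/15/exec/-/sh/run/CR HTTP/1.1" 404 512 "-" "-"' % TS,
    # A WordPress login probe.
    '198.51.100.23 - - %s "POST /wp-login.php HTTP/1.1" 404 512 "-" "-"' % TS,
    # A normal request: no match.
    '192.0.2.10 - - %s "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"' % TS,
    # False positive: "shell" inside a harmless file name.
    '192.0.2.44 - - %s "GET /shop/seashells.jpg HTTP/1.1" 200 9000 "-" "Mozilla/5.0"' % TS,
    # False positive: keyword only in the Referer field, not in the request.
    '192.0.2.45 - - %s "GET /about HTTP/1.1" 200 1024 "https://example.com/wp-admin/" "Mozilla/5.0"' % TS,
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(banned_host(line) or "no match", "<-", line.split('"')[1])
```

On the server itself, `fail2ban-regex` run with the real access log and the filter file gives the authoritative result.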