
Adjust fail2ban to block GET /level/15/exec/-/sh/run/CR

Posted: Sat Aug 05, 2023 12:34 pm
by sennevb
Hello,

One of my websites is flooded with this command:
GET /level/15/exec/-/sh/run/CR

When I google it, it seems someone is trying to use a Cisco router exploit.

Anyone who already made a fail2ban filter for this and wants to share?

Think this is a good base, but need the above command in it:
https://forum.codeigniter.com/post-374241.html

Re: Adjust fail2ban to block GET /level/15/exec/-/sh/run/CR

Posted: Sat Aug 05, 2023 5:37 pm
by sennevb
Having a hard time getting the regex right, fail2ban-regex always says missed :twisted:

Re: Adjust fail2ban to block GET /level/15/exec/-/sh/run/CR

Posted: Sat Aug 05, 2023 8:55 pm
by sennevb
this seems to work:
[Definition]

failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+wp-login.php.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+emaildirect.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+phpstorm.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+level/15.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+wp-admin.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+shell.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+XDEBUG.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+HelloThink.+$
ignoreregex =
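
Added example, not part of the original posts and not fail2ban's own code: a small Python harness that runs the patterns from the filter above over constructed access-log lines, to show what they catch and what they catch by accident. It assumes a common/combined log format and that fail2ban cuts the matched timestamp out of the line before applying failregex (which is what the empty `\[\]` in the patterns relies on); the `<HOST>` expansion is simplified.

```python
import re

# Keywords from the filter posted above, in the same order.
KEYWORDS = ["wp-login.php", "emaildirect", "phpstorm", "level/15",
            "wp-admin", "shell", "XDEBUG", "HelloThink"]
# Same pattern shape as the posted failregex lines, one per keyword.
TEMPLATE = r'^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+%s.+$'
# Simplification: fail2ban expands <HOST> to a stricter address/hostname group.
HOST_GROUP = r'(?P<host>\S+)'
COMPILED = [re.compile((TEMPLATE % kw).replace("<HOST>", HOST_GROUP))
            for kw in KEYWORDS]
# Assumed access-log timestamp, e.g. 05/Aug/2023:12:34:56 +0200 (no brackets).
TIMESTAMP = re.compile(r'\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}')

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLES = [
    '203.0.113.7 - - [05/Aug/2023:12:34:56 +0200] '
    '"GET /level/15/exec/-/sh/run/CR HTTP/1.1" 404 196',
    '198.51.100.4 - - [05/Aug/2023:12:35:10 +0200] '
    '"GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.9 - - [05/Aug/2023:12:36:02 +0200] '
    '"GET /shop/seashells.html HTTP/1.1" 200 812',
]


def check(line, strip_timestamp=True):
    """Return (host, keyword) for the first matching pattern, else None."""
    if strip_timestamp:
        # Assumption: the timestamp is removed before matching, leaving "[]".
        line = TIMESTAMP.sub("", line, count=1)
    for kw, rx in zip(KEYWORDS, COMPILED):
        m = rx.search(line)
        if m:
            return m.group("host"), kw
    return None


if __name__ == "__main__":
    for sample in SAMPLES:
        print(check(sample), "<-", sample)
```

The third sample is an ordinary page request that the broad `shell` pattern would still ban, so keywords that can occur in legitimate URLs are worth narrowing. For a live setup the real check remains fail2ban-regex against the actual log file.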