prestashop-hack.conf
#81
by
doekia
# Fail2Ban configuration file
# Author: (d)oekia
#
# Ban Prestashop hack attempt
#
# This is /etc/fail2ban/filter.d/prestashop-hack.conf
#
# To deploy, add the following to your /etc/fail2ban/jail.local
# -----8<---------8<---------8<-----
# [prestashop-hack]
# maxretry = 0
# enabled = true
# logpath = /var/log/apache*/*access.log
#           /var/log/ispconfig/httpd/*/*-access.log
# filter = prestashop-hack
# action = iptables-allports[name=prestashop]
# findtime = 86400
# bantime = 604800
# -----8<---------8<---------8<-----
#
#
# knowndoor is the list of URL patterns that indicate a hack attempt
# knockdoor triggers when someone probes a known security hole (one that you should already have fixed)
#
# Don't be shy: protect yourself, distribute it, share your list of knowndoor & knockdoor, and buy me a coffee
#
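[Definition]
# knowndoor: alternation of URL fragments that count as a hack attempt on
# sight (uploaded shells, renamed module copies, SSH key names, "..", .aspx).
# It is matched anywhere after the request method, whatever the response
# status.
# NOTE(review): several fragments are short and unanchored ("\.\.", "\.aspx",
# "id_rsa", "\.ssh"). With the one-strike jail shown in the header of this
# file a single matching request bans the client, so check the list against
# your own legitimate URLs and put trusted proxies and monitoring hosts in
# the jail's ignoreip.
knowndoor = \/hous\.php|=hous\.php|up=shell|\/1attributewizardpro\/|\/attributewizardpro\.OLD\/|\/attributewizardpro_x\/|\/cartabandonmentproOld\/|\/up\.php|id_rsa|id_dsa|\.ssh|\/root\/|\.aspx|\/lindex\.php|\/bindex\.php|\.\.|eval-stdin
# knockdoor: module directories tied to known security holes. Used only by
# the second failregex line, which also requires an upload/ajax/add PHP
# endpoint and a 404 status.
knockdoor = /advancedslider/|/columnadverts/|/soopabanners/|/soopamobile/|/vtermslideshow/|/simpleslideshow/|/productpageadverts/|/homepageadvertise/|/jro_homepageadvertise/|/attributewizardpro/|/cartabandonmentpro/|/videostab/|/wg24themeadministration/|/wdoptionpanel/|/fieldvmegamenu/|/pk_flexmenu/|/pk_vertflexmenu/|/nvn_export_orders/|/idx_config/
# Option: failregex
# Notes.: Line 1 bans any GET/POST whose request matches knowndoor.
#         Line 2 bans GET/POST probes of a knockdoor module endpoint that
#         answered 404 (typically because the module is not installed). A
#         probe that gets any other status is not matched, so this rule is no
#         substitute for patching or removing a module that is installed.
#         <HOST> is read from the first field of the log line; behind a
#         reverse proxy or CDN make sure that field holds the client address,
#         otherwise the ban lands on the proxy.
#         The second pattern is a continuation line and must stay indented,
#         otherwise the parser does not read it as part of failregex.
#         Check changes with fail2ban-regex against a real access log.
# Values: TEXT
#
failregex = ^<HOST> -.*"(GET|POST).*(?:%(knowndoor)s).* HTTP.*".*$
            ^<HOST> -.*"(GET|POST).*(?:%(knockdoor)s).*(upload.*\.php|ajax.*\.php|add\.php) HTTP.*" 404.*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =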