Forum

examples please for deniedbody

hanscees
21 February 2016, 22:42
Hi,
I am looking for examples of correct regexps for
DenyBody = <regular expression>
If the request body matches the case insensitive regular expression, return a 403 Forbidden.
Example: DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$

The example above is from the manpage, but I suspect it is garbled?

I would like to block requests like these:

40.115.22.29|Sat 20 Feb 2016 22:39:10 +0000|404|1025||GET /phpMyAdmin/scripts/setup.php HTTP/1.1|Accept: */*|Accept-Language: en-us|Accept-Encoding: gzip, deflate|User-Agent: ZmEu|Host: 213.127.123.127|Connection: close


Is this ok:
DenyBody = ^.*phpMyAdmin.scripts.*$
or for instance:
DenyBody = ^.*phpMyAdmin\/scripts.*$

What is seen as the body exactly? Is that everything between GET and HTTP in the logging above?
hanscees
21 February 2016, 23:20
I seem to be doing something wrong.

my config is:
BanOnDeniedBody = 120
KickOnBan = yes # close all connections when banned

VirtualHost {
Hostname = www.hanscees.net, *.hanscees.net
ReverseProxy !^/.well-known/ http://172.19.3.101:80/
RequireTLS = yes
TLScertFile = /etc/letsencrypt/live/www.hanscees.net/hiawatha-hc.pem
WebsiteRoot /var/www/hcs
RandomHeader = 250 # anti decryption on https listening
DenyBody = ^.*phpMyAdmin.scripts.*$
DenyBody = ^.*phpMyAdmin\/scripts.*$
DenyBody = phpMyAdmin
}

I try this url:
https://www.hanscees.com/phpMyAdmin/scripts

and no ban?

192.168.0.2|Sun 21 Feb 2016 22:15:05 +0000|404|910||GET /phpMyAdmin/scripts/setup.php HTTP/1.1|Host: www.hanscees.net|User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0|Accept: ...


What am I missing?
Hugo Leisink
22 February 2016, 08:43
The DenyBody only works on request bodies (for example the content of a POST request). What you are looking for is a way to block URL's. You should use the UrlToolkit instead.
VirtualHost {
Hostname = www.hanscees.net, *.hanscees.net
WebsiteRoot /var/www/hcs
ReverseProxy !^/.well-known/ http://172.19.3.101:80/
RequireTLS = yes
TLScertFile = /etc/letsencrypt/live/www.hanscees.net/hiawatha-hc.pem
RandomHeader = 250 # anti decryption on https listening
UseToolkit = block_pma
}

UrlToolkit {
ToolkitID = block_pma
Match ^/phpMyAdmin/.* DenyAccess
# or
Match ^/phpMyAdmin/.* Ban 3600
}
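The distinction Hugo draws above (DenyBody inspects only the request body, the UrlToolkit inspects the URL) is easy to see by running both checks over raw requests. The following is an added Python model, not Hiawatha's own code: it splits an HTTP/1.x request into request line, headers and body, applies DenyBody-style patterns to the body only, and applies Match/MatchCI rules to the path only (a simplification of the real UrlToolkit, which has more keywords and also sees the query string). The GET request is constructed to mirror the ZmEu scanner hit quoted in the thread; the POST is entirely made up to show a body that does match. Note that the manpage example `^.*%3Cscript.*%3C%2Fscript%3E.*$` is not garbled: it is the URL-encoded form of `<script>...</script>` as it appears in a form-encoded body.

```python
import re

# Constructed sample requests (not from the original post). The GET mirrors the
# scanner hit quoted in the thread; the POST is invented to carry a body.
SCANNER_GET = (
    "GET /phpMyAdmin/scripts/setup.php HTTP/1.1\r\n"
    "Host: www.hanscees.net\r\n"
    "User-Agent: ZmEu\r\n"
    "\r\n"
)
FORM_POST = (
    "POST /guestbook.php HTTP/1.1\r\n"
    "Host: www.hanscees.net\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "name=bob&msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
)


def split_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body).

    The body is everything after the first blank line; for a plain GET it is
    empty, which is exactly why DenyBody never fires on a scanner GET.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def deny_body(patterns, raw):
    """DenyBody model: case-insensitive regex match against the body only.

    Returns True when any pattern matches (Hiawatha would answer 403 and,
    with BanOnDeniedBody set, ban the client).
    """
    _, _, _, body = split_request(raw)
    return any(re.search(p, body, re.IGNORECASE) for p in patterns)


def url_toolkit(rules, raw):
    """UrlToolkit model: rules are (keyword, regex, action) tuples, evaluated
    in order against the request path; the first matching rule's action is
    returned, or None if nothing matched. Only Match and MatchCI are modelled
    (assumption: real Hiawatha has more keywords and matches the full URL).
    """
    _, path, _, _ = split_request(raw)
    for keyword, regex, action in rules:
        flags = re.IGNORECASE if keyword == "MatchCI" else 0
        if re.search(regex, path, flags):
            return action
    return None


if __name__ == "__main__":
    body_rules = [r"^.*phpMyAdmin.scripts.*$", r"^.*%3Cscript.*%3C%2Fscript%3E.*$"]
    url_rules = [("MatchCI", r"phpmyadmin/.*", "Ban 3600")]
    for name, req in (("scanner GET", SCANNER_GET), ("form POST", FORM_POST)):
        print(name, "DenyBody:", deny_body(body_rules, req),
              "UrlToolkit:", url_toolkit(url_rules, req))
```

Running it shows the scanner GET is untouched by DenyBody (empty body) but banned by the UrlToolkit rule, while the POST with an encoded `<script>` tag in its body is the case DenyBody exists for.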
hanscees
23 February 2016, 21:00
Thanx, that works flawlessly:
192.168.0.2|Tue 23 Feb 2016 19:58:05 +0000|Client banned because of URL match in UrlToolkit rule

config is:
UrlToolkit {
ToolkitID = block_pma
# Match ^/phpMyAdmin/.* DenyAccess
MatchCI phpMyAdmin/.* Ban 3600
MatchCI /Admin Ban 3600
}