
add support for 418 for dubious queries #1875

Merged: 4 commits, Jun 21, 2023

Conversation

@ildyria ildyria (Member) commented Jun 12, 2023

The goal of this is to flag queries which are just bots trying to scan for vulnerabilities.

Combined with Fail2Ban, we can now ban IP then to avoid being hit uselessly by such visitors.

read more here:
https://aureola.codes/en/blog/2021/how-stop-vulnaribility-scanners-laravel-fail2ban

/etc/fail2ban/filter.d/nginx-honeypot.conf

[Definition]
# match any GET/POST request line in the access log that was answered with 418
failregex = ^<HOST>.*"(GET|POST).*" (418) .*$
ignoreregex =

/etc/fail2ban/jail.d/honeypot.conf

[nginx-honeypot]
enabled = true
filter = nginx-honeypot
port = http,https
logpath = /var/log/nginx/access.log
# a single honeypot hit is enough to ban the client
maxretry = 1

Of course, in the case of Apache we need to check the respective log.

As said in the article:

What you can achieve is that you get less unwanted traffic. No more and no less. Also, you may be able to prevent vulnerabilities from being found that would otherwise have been discovered.
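As an added illustration (not code from the PR or from Lychee), the Python below simulates how the failregex quoted above selects lines from an nginx combined-format access log and which addresses a jail with maxretry = 1 would ban. The log lines are constructed for the demo, the <HOST> token is replaced by a simplified address pattern, and the second, tighter pattern is a suggestion of mine, not part of the PR: it keeps the match inside the quoted request line so that 418 has to be the status field, and it also covers HEAD/OPTIONS probes, assuming the honeypot route answers those with 418 as well.

```python
import re
from collections import defaultdict

# Constructed nginx "combined" access-log lines for this demo (not real traffic).
# 203.0.113.7 probes /.env and /.git/config, 192.0.2.44 probes security.txt and
# 198.51.100.200 only sends HEAD probes; all of those are answered with 418.
# 198.51.100.23 is an ordinary visitor whose last response happens to be 418 bytes.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2023:19:25:01 +0000] "GET /.env HTTP/1.1" 418 0 "-" "python-requests/2.28"
198.51.100.23 - - [12/Jun/2023:19:25:02 +0000] "GET /gallery HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2023:19:25:03 +0000] "GET /.git/config HTTP/1.1" 418 0 "-" "python-requests/2.28"
192.0.2.44 - - [12/Jun/2023:19:25:04 +0000] "POST /api/Albums::get HTTP/1.1" 201 87 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Jun/2023:19:25:05 +0000] "GET /.well-known/security.txt HTTP/1.1" 418 0 "-" "curl/8.1"
198.51.100.23 - - [12/Jun/2023:19:25:06 +0000] "GET /418-things HTTP/1.1" 200 418 "-" "Mozilla/5.0"
198.51.100.200 - - [12/Jun/2023:19:25:07 +0000] "HEAD /.env HTTP/1.1" 418 0 "-" "curl/8.1"
"""

# Stand-in for fail2ban's <HOST> token (simplified: the real one also accepts
# IPv6-mapped IPv4 addresses and host names).
HOST = r"(?P<host>[0-9a-fA-F.:]+)"

# The failregex from the PR comment with <HOST> expanded. fail2ban strips the
# timestamp it recognised before matching; with the leading .* that makes no
# difference to this pattern, so the simulation matches the raw line.
PR_FAILREGEX = re.compile(r"^" + HOST + r'.*"(GET|POST).*" (418) .*$')

# Tighter variant (my suggestion, not from the PR): [^"]* keeps the match inside
# the quoted request line, so the 418 must be the $status field that directly
# follows it, and HEAD/OPTIONS probes are covered if the honeypot answers them
# with 418 too. nginx writes a literal '"' inside $request and header values as
# \x22, so a quote cannot occur inside the field.
STRICT_FAILREGEX = re.compile(
    r"^" + HOST + r'.*?"(?:GET|POST|HEAD|OPTIONS) [^"]*" 418 \d+ "'
)


def matching_hosts(log_text: str, failregex: re.Pattern) -> dict[str, int]:
    """Count, per client address, the log lines the failregex matches."""
    hits: dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        m = failregex.search(line)
        if m:
            hits[m.group("host")] += 1
    return dict(hits)


def banned_hosts(log_text: str, failregex: re.Pattern, maxretry: int = 1) -> list[str]:
    """Addresses a jail with this filter would ban. findtime is ignored because
    every sample line falls inside one window; maxretry=1 mirrors the jail
    above, where a single honeypot hit is enough."""
    return sorted(h for h, n in matching_hosts(log_text, failregex).items()
                  if n >= maxretry)


if __name__ == "__main__":
    for name, rx in (("PR failregex", PR_FAILREGEX),
                     ("strict failregex", STRICT_FAILREGEX)):
        print(f"{name}: bans {banned_hosts(SAMPLE_LOG, rx)}")
```

Both patterns leave the ordinary visitor alone even though "418" appears in its byte count; the PR pattern misses the HEAD-only scanner because it only lists GET and POST. Against a real deployment, check the filter file against the real log with `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-honeypot.conf` before enabling the jail.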

@ildyria ildyria requested a review from a team June 12, 2023 19:25
@ildyria ildyria self-assigned this Jun 12, 2023
@ildyria ildyria added enhancement New feature or request Review: easy Easy review expected: probably just need a quick to go through. labels Jun 12, 2023
@ildyria ildyria force-pushed the ban-dubious-behaviour branch from 44c3e2f to ebd6fef June 12, 2023 19:41
@ildyria ildyria added this to the 4.9.3 milestone Jun 12, 2023
codecov bot commented Jun 12, 2023

Codecov Report

Merging #1875 (abf5c42) into master (607c763) will decrease coverage by 0.24%.
The diff coverage is 100.00%.


@qwerty287 qwerty287 (Contributor) left a comment

I don't really like the matching system, but I don't have any other idea

app/Http/Controllers/HoneyPotController.php (outdated)
'.env',
'.git/config',
'.git/HEAD',
'.well-known/security.txt',
Contributor commented:

Not really related: We could actually add a security.txt to Lychee to easily allow researchers to report vulns to us.

@ildyria ildyria merged commit eaf7dca into master Jun 21, 2023
@ildyria ildyria deleted the ban-dubious-behaviour branch June 21, 2023 07:31
ildyria added a commit that referenced this pull request Jun 24, 2023
* add support for 418 for dubious queries
* skip if honeypot is not enabled