detect, log and block vulnerability scans

[mehov]

1. use patterns to log vulnerability scans
2. block them with fail2ban

[mehov]

mod_security: https://www.youtube.com/watch?v=nVrwJEWjtSY&t=6m18s

poor man's waf:

• https://gist.github.com/VirtuBox/5fedc39c30813f5373aa8ae9328a0ec3
• https://kb.virtubox.net/knowledgebase/block-exploits-sql-injections-attacks-nginx/
• http://www.nginxer.com/records/the-configuration-of-preventing-sql-injection-attacks-in-nginx/
• https://topic.alibabacloud.com/a/nginx-to-prevent-sql-injection-attack-configuration-method_8_8_20046467.html

most of the above advice analyzes the query string, but the payload may be in the headers (e.g. referer)

read also:

• https://opendatasecurity.io/cloudflare-vulnerability-allows-waf-be-disabled/
• https://www.owasp.org/index.php/SQL_Injection_Bypassing_WAF
• https://www.netsparker.com/blog/web-security/crlf-http-header/ -https://www.netsparker.com/blog/web-security/sql-injection-vulnerability/

scanning:

• https://geekflare.com/find-sql-injection/

[mehov]

poor man's waf

map "$request_uri $http_referer $http_cookie" $suspicious {
    default 0;
    "~127\.0\.0\.1" 1;
    "~*%27" 1;
    "~*(un)?hex\(" 1;
    "~*base64_(en|de)code\(" 1;
    "~*char\(" 1;
    "~*(union(.*))?select(.*)from" 1;
    "~*union(.*)select((.*)from)?" 1;
    "~*\\\(x(5c|22))+" 1;
}