Category: Security

Fail2Ban Custom Filters and Testing Regexes against Existing Logs

Fail2ban is a tool that automatically bans hosts (typically malicious bots) that repeatedly try to get into your server. Provided you set up a filter and the client's IP address (or FQDN) appears in the log, you can use fail2ban with any application.

Create a filter using a regular expression (fail2ban is written in Python, so the expression uses Python regex syntax and the <HOST> placeholder marks where the client address appears):

In /etc/fail2ban/filter.d/my-custom-filter.conf:


[Definition]

failregex = ^www.example.com <HOST> -.* "POST \/user\/register HTTP\/1.0" 200

ignoreregex =

Now test the filter for matches against a log file. Make sure the log file already contains entries that should match, otherwise a zero-hit result tells you nothing.

Make use of the command line tool fail2ban-regex:

fail2ban-regex /var/log/apache2/example-access.log /etc/fail2ban/filter.d/my-custom-filter.conf

You will get summary data like this:


Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/my-custom-filter.conf
Use         log file : /var/log/apache2/example-access.log


Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^www.example.com <HOST> -.* "POST \/user\/register HTTP\/1.0" 200
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [23636] Day/MONTH/Year:Hour:Minute:Second
`-

Lines: 23636 lines, 0 ignored, 1 matched, 23635 missed
Missed line(s): too many to print.  Use --print-all-missed to print all 23635 lines

This lets you debug your failregex and confirm that it matches the malicious log entries (and, just as importantly, that it does not match legitimate ones, which would get real users banned).

Finally, add the new filter to your jail.local by appending the following:


[my-custom-filter]
enabled  = true
filter   = my-custom-filter
action   = iptables-multiport[name=NoAuthFailures, port="http,https"]
logpath  = /var/log/apache2/example-access.log
bantime  = 864000
findtime = 1800
maxretry = 3

You can read more about the configuration of jails in the fail2ban manual.
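To make the two halves of this post concrete, here is an added Python example (not part of the original post, and not fail2ban's own code) that applies the failregex above to a few constructed Apache log lines, extracts the client address the way fail2ban's <HOST> placeholder does, and then applies the jail's maxretry/findtime rule to decide which hosts would be banned. It assumes an Apache log format with the virtual host first (%v %h %l %u %t "%r" %>s %b) and uses an IPv4-only stand-in for <HOST>.

```python
import re
from datetime import datetime, timedelta

# fail2ban replaces <HOST> with a named group; this IPv4-only pattern is a
# simplified stand-in (fail2ban's real pattern also covers IPv6 and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = r'^www.example.com <HOST> -.* "POST \/user\/register HTTP\/1.0" 200'
# Apache timestamp inside the brackets, e.g. [10/Oct/2016:13:55:36 +0000]
DATE_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})")

def compile_failregex(failregex):
    return re.compile(failregex.replace("<HOST>", HOST))

def find_failures(lines, failregex=FAILREGEX):
    """Return (host, timestamp) for every line the failregex matches."""
    rx = compile_failregex(failregex)
    hits = []
    for line in lines:
        m = rx.search(line)
        if not m:
            continue
        ts = datetime.strptime(DATE_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S")
        hits.append((m.group("host"), ts))
    return hits

def hosts_to_ban(hits, maxretry=3, findtime=1800):
    """Hosts with >= maxretry failures inside any findtime-second window (the jail rule)."""
    per_host = {}
    for host, ts in hits:
        per_host.setdefault(host, []).append(ts)
    banned = set()
    for host, times in per_host.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= timedelta(seconds=findtime):
                banned.add(host)
                break
    return banned

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
www.example.com 203.0.113.7 - - [10/Oct/2016:13:55:36 +0000] "POST /user/register HTTP/1.0" 200 512
www.example.com 203.0.113.7 - - [10/Oct/2016:13:56:01 +0000] "POST /user/register HTTP/1.0" 200 512
www.example.com 198.51.100.4 - - [10/Oct/2016:13:57:10 +0000] "GET /index.php HTTP/1.1" 200 2048
www.example.com 203.0.113.7 - - [10/Oct/2016:13:58:20 +0000] "POST /user/register HTTP/1.0" 200 512
www.example.com 198.51.100.4 - - [10/Oct/2016:14:01:00 +0000] "POST /user/register HTTP/1.0" 200 512
""".splitlines()
```

Running find_failures(SAMPLE_LOG) through hosts_to_ban() with the jail's defaults bans only 203.0.113.7, which has three matching POSTs within a few minutes; a single registration from another host is left alone.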

How to Crack or Hack (Investigate the Vulnerabilities of) a Magento Website

It is actually rather simple to find vulnerabilities in, and extract information from, a Magento site. The developers are usually caught up in feature development instead of maintaining and securing the server. Often the developers also take on the role of system administrators, and problems are only picked up after it is too late.

Finding a Target

There are a few ways to do this, but the main thing is that the store needs to be running Magento. So I advise installing Wappalyzer, which will tell you whether the site you are currently on is Magento.

Another way is browsing forums and Q&A sites for people encountering problems with Magento who simply give the URL of their production site.

Sometimes just visiting popular ecommerce stores and watching the Wappalyzer plugin can help isolate targets.

Sometimes people even post public gists of vulnerable sites, like this list of vulnerable Magento sites or the 5900 sites found to be skimming payment info.

Scan the Site

There is a nice tool available which will give you information about the site, the possibly vulnerable extensions it has installed, and a list of locations that are not hidden from the public. This is the tool you would least expect to work, but it is in fact the best one to use. You will be surprised how many installations allow public users to view things they shouldn't.

The tool is called Magescan.

Run it with:

php magescan.phar scan:all http://example.com

This will give you results like:


Magento Information

+-----------+------------------+
| Parameter | Value            |
+-----------+------------------+
| Edition   | Community        |
| Version   | 1.9.2.1, 1.9.2.2 |
+-----------+------------------+

Installed Modules

No detectable modules were found

Catalog Information

+------------+-------+
| Type       | Count |
+------------+-------+
| Categories | 14    |
| Products   | 1146  |
+------------+-------+

Patches

+------------+---------+
| Name       | Status  |
+------------+---------+
| SUPEE-5344 | Unknown |
| SUPEE-5994 | Unknown |
| SUPEE-6285 | Unknown |
| SUPEE-6482 | Unknown |
| SUPEE-6788 | Unknown |
| SUPEE-7405 | Unknown |
| SUPEE-8788 | Unknown |
+------------+---------+

Sitemap

Sitemap is not declared in robots.txt
Sitemap is accessible: http://www.example.com/sitemap.xml

Server Technology

+--------------+-------------------------+
| Key          | Value                   |
+--------------+-------------------------+
| Server       | Apache                  |
| X-Powered-By | PHP/5.6.29-1~dotdeb+7.1 |
+--------------+-------------------------+

Unreachable Path Check

+----------------------------------------------+---------------+--------+
| Path                                         | Response Code | Status |
+----------------------------------------------+---------------+--------+
| .bzr/                                        | 404           | Pass   |
| .cvs/                                        | 404           | Pass   |
| .git/                                        | 404           | Pass   |
| .git/config                                  | 404           | Pass   |
| .git/refs/                                   | 404           | Pass   |
| .gitignore                                   | 404           | Pass   |
| .hg/                                         | 404           | Pass   |
| .idea                                        | 404           | Pass   |
| .svn/                                        | 404           | Pass   |
| .svn/entries                                 | 404           | Pass   |
| admin/                                       | 200           | Fail   |
| admin123/                                    | 404           | Pass   |
| adminer.php                                  | 404           | Pass   |
| administrator/                               | 404           | Pass   |
| adminpanel/                                  | 404           | Pass   |
| aittmp/index.php                             | 404           | Pass   |
| app/etc/enterprise.xml                       | 403           | Pass   |
| app/etc/local.xml                            | 403           | Pass   |
| backend/                                     | 404           | Pass   |
| backoffice/                                  | 404           | Pass   |
| beheer/                                      | 404           | Pass   |
| capistrano/config/deploy.rb                  | 404           | Pass   |
| chive                                        | 404           | Pass   |
| composer.json                                | 200           | Fail   |
| composer.lock                                | 404           | Pass   |
| config/deploy.rb                             | 404           | Pass   |
| control/                                     | 404           | Pass   |
| dev/tests/functional/etc/config.xml          | 200           | Fail   |
| downloader/index.php                         | 200           | Fail   |
| index.php/rss/order/NEW/new                  | 401           | Pass   |
| info.php                                     | 200           | Fail   |
| mageaudit.php                                | 404           | Pass   |
| magmi/                                       | 404           | Pass   |
| magmi/conf/magmi.ini                         | 404           | Pass   |
| magmi/web/magmi.php                          | 404           | Pass   |
| manage/                                      | 404           | Pass   |
| management/                                  | 404           | Pass   |
| manager/                                     | 404           | Pass   |
| modman                                       | 200           | Fail   |
| p.php                                        | 404           | Pass   |
| panel/                                       | 404           | Pass   |
| phpinfo.php                                  | 200           | Fail   |
| phpmyadmin                                   | 404           | Pass   |
| README.md                                    | 200           | Fail   |
| README.txt                                   | 404           | Pass   |
| shell/                                       | 403           | Pass   |
| shopadmin/                                   | 404           | Pass   |
| site_admin/                                  | 404           | Pass   |
| var/export/                                  | 403           | Pass   |
| var/export/export_all_products.csv           | 403           | Pass   |
| var/export/export_customers.csv              | 403           | Pass   |
| var/export/export_product_stocks.csv         | 403           | Pass   |
| var/log/                                     | 403           | Pass   |
| var/log/exception.log                        | 403           | Pass   |
| var/log/payment_authnetcim.log               | 403           | Pass   |
| var/log/payment_authorizenet.log             | 403           | Pass   |
| var/log/payment_authorizenet_directpost.log  | 403           | Pass   |
| var/log/payment_cybersource_soap.log         | 403           | Pass   |
| var/log/payment_ogone.log                    | 403           | Pass   |
| var/log/payment_payflow_advanced.log         | 403           | Pass   |
| var/log/payment_payflow_link.log             | 403           | Pass   |
| var/log/payment_paypal_billing_agreement.log | 403           | Pass   |
| var/log/payment_paypal_direct.log            | 403           | Pass   |
| var/log/payment_paypal_express.log           | 403           | Pass   |
| var/log/payment_paypal_standard.log          | 403           | Pass   |
| var/log/payment_paypaluk_express.log         | 403           | Pass   |
| var/log/payment_pbridge.log                  | 403           | Pass   |
| var/log/payment_verisign.log                 | 403           | Pass   |
| var/log/system.log                           | 403           | Pass   |
| var/report/                                  | 403           | Pass   |
+----------------------------------------------+---------------+--------+

So we get some pretty juicy information here. Often the failures in the Unreachable Path Check give the best results.

Just go to those locations and check them out; you might find a nice README.md or some database credentials.

There are also some other files to look out for, like the simple PHP file manager called file_manager.php. Some developers just don't care and commit this file into the root of a Magento site, so anyone who can access it can delete every file on the production server.

Next Steps

The information has now been gathered; the next step is up to you…