
Backslash in logs are interpreted #1165

Closed
szepeviktor opened this issue Aug 21, 2015 · 12 comments

Comments

@szepeviktor
Member

I think it is a security matter.

Log:

[Fri Aug 21 22:32:44.936923 2015] [proxy_fcgi:error] [pid 3955] [client 37.6.216.36:24341] AH01071: Got error 'PHP message: Break-in attempt detected: bad_request_banned_username </home/qwv/website/html/wp-login.php\nPHP message: HTTP REQUEST:  (a:6:{s:3:"log";s:5:"admin";s:3:"pwd";s:3:"111";s:10:"rememberme";s:7:"forever";s:9:"wp-submit";s:6:"Log In";s:11:"redirect_to";s:43:"http://www.quantumworldvision.com/wp-admin/";s:10:"testcookie";s:1:"1";}) </home/qwv/website/html/wp-login.php\n', referer: http://www.quantumworldvision.com/wp-login.php

Email:

/var/log/apache2/qwv-error.log:[Fri Aug 21 22:32:44.936923 2015] [proxy_fcgi:error] [pid 3955] [client 37.6.216.36:24341] AH01071: Got error 'PHP message: Break-in attempt detected: bad_request_banned_username </home/qwv/website/html/wp-login.php
PHP message: HTTP REQUEST:  (a:6:{s:3:"log";s:5:"admin";s:3:"pwd";s:3:"111";s:10:"rememberme";s:7:"forever";s:9:"wp-submit";s:6:"Log In";s:11:"redirect_to";s:43:"http://www.quantumworldvision.com/wp-admin/";s:10:"testcookie";s:1:"1";}) </home/qwv/website/html/wp-login.php
', referer: http://www.quantumworldvision.com/wp-login.php

Backslashes should be escaped in log lines.

@sebres
Contributor

sebres commented Aug 24, 2015

Agree.
Because of subprocess.Popen(..., shell=True), combined with untrusted "input", it can be a security hazard.
But I believe it's not the backslash in action, because normally, replacing tags will escape all of these characters \\#&;``|*?~<>^()[]{}$\'" within replaceTag before the action is executed. But possibly it's an unescaped dual execution (execute inside another execute) or a "feature" of the mail program you have used.

Which mail action have you used here? Can you provide a config excerpt, or better the output of fail2ban-client -d | grep <jailname> for this jail? Which OS?

@sebres sebres added the grave label Aug 24, 2015
@szepeviktor
Member Author

['add', 'apache-instant', 'pyinotify']
['set', 'apache-instant', 'bantime', 86400]
['set', 'apache-instant', 'logencoding', 'utf-8']
['set', 'apache-instant', 'addignoreip', '127.0.0.1/8']
['set', 'apache-instant', 'addignoreip', '66.249.64.0/19']
['set', 'apache-instant', 'addignoreip', '54.72.0.0/13']
['set', 'apache-instant', 'addignoreip', '54.80.0.0/12']
['set', 'apache-instant', 'addignoreip', '81.2.237.54']
['set', 'apache-instant', 'addlogpath', '/var/log/apache2/qwv-error.log', 'head']
['set', 'apache-instant', 'addlogpath', '/var/log/apache2/tqa-error.log', 'head']
['set', 'apache-instant', 'addlogpath', '/var/log/apache2/error.log', 'head']
['set', 'apache-instant', 'addlogpath', '/var/log/apache2/torok-error.log', 'head']
['set', 'apache-instant', 'addlogpath', '/var/log/apache2/horde-error.log', 'head']
['set', 'apache-instant', 'addlogpath', '/var/log/apache2/owncloud-ssl-error.log', 'head']
['set', 'apache-instant', 'addlogpath', '/var/log/apache2/horde-ssl-error.log', 'head']
['set', 'apache-instant', 'addlogpath', '/var/log/apache2/vkhu-error.log', 'head']
['set', 'apache-instant', 'addlogpath', '/var/log/apache2/prg-error.log', 'head']
['set', 'apache-instant', 'findtime', 600]
['set', 'apache-instant', 'usedns', 'no']
['set', 'apache-instant', 'ignorecommand', '']
['set', 'apache-instant', 'maxretry', 1]
['set', 'apache-instant', 'addfailregex', '^\\[\\] \\[(:?error|\\S+:\\S+)\\]( \\[pid \\d+(:\\S+ \\d+)?\\])? \\[client <HOST>(:\\d{1,5})?\\] ((AH0013[456]: )?Invalid (method|URI) in request .*( - possible attempt to establish SSL connection on non-SSL port)?|(AH00565: )?request failed: URI too long \\(longer than \\d+\\)|request failed: erroneous characters after protocol string: .*|AH00566: request failed: invalid characters in URI)(, referer: \\S+)?$']
['set', 'apache-instant', 'addfailregex', '^\\[\\] \\[(:?error|\\S+:\\S+)\\]( \\[pid \\d+(:\\S+ \\d+)?\\])? \\[client <HOST>(:\\d{1,5})?\\] (AH01215: )?/bin/(ba)?sh: warning: HTTP_.*?: ignoring function definition attempt(, referer: \\S+)?\\s*$']
['set', 'apache-instant', 'addfailregex', "^\\[\\] \\[(:?error|\\S+:\\S+)\\]( \\[pid \\d+(:\\S+ \\d+)?\\])? \\[client <HOST>(:\\d{1,5})?\\] (AH01215: )?/bin/(ba)?sh: error importing function definition for `HTTP_.*?'(, referer: \\S+)?\\s*$"]
['set', 'apache-instant', 'addfailregex', '^\\[\\] \\[(:?error|\\S+:\\S+)\\]( \\[pid \\d+(:\\S+ \\d+)?\\])? \\[client <HOST>(:\\d{1,5})?\\] (FastCGI: server "/\\S*" stderr: |AH01071: Got error \')(PHP message: )?Break-in attempt detected: .*(, referer: \\S+)?\\s*$']
['set', 'apache-instant', 'addaction', 'iptables-multiport']
['set', 'apache-instant', 'action', 'iptables-multiport', 'actionstop', 'iptables -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\niptables -F f2b-<name>\niptables -X f2b-<name>']
['set', 'apache-instant', 'action', 'iptables-multiport', 'actionunban', 'iptables -D f2b-<name> -s <ip> -j <blocktype>']
['set', 'apache-instant', 'action', 'iptables-multiport', 'actionstart', 'iptables -N f2b-<name>\niptables -A f2b-<name> -j RETURN\niptables -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>']
['set', 'apache-instant', 'action', 'iptables-multiport', 'actioncheck', "iptables -n -L <chain> | grep -q 'f2b-<name>[ \\t]'"]
['set', 'apache-instant', 'action', 'iptables-multiport', 'actionban', 'iptables -I f2b-<name> 1 -s <ip> -j <blocktype>']
['set', 'apache-instant', 'action', 'iptables-multiport', 'known/port', 'ssh']
['set', 'apache-instant', 'action', 'iptables-multiport', 'bantime', '86400']
['set', 'apache-instant', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'apache-instant', 'action', 'iptables-multiport', 'known/chain', 'INPUT']
['set', 'apache-instant', 'action', 'iptables-multiport', 'known/name', 'default']
['set', 'apache-instant', 'action', 'iptables-multiport', 'chain', 'INPUT']
['set', 'apache-instant', 'action', 'iptables-multiport', 'port', 'http,https']
['set', 'apache-instant', 'action', 'iptables-multiport', 'protocol', 'tcp']
['set', 'apache-instant', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'apache-instant', 'action', 'iptables-multiport', 'name', 'apache-instant']
['set', 'apache-instant', 'action', 'iptables-multiport', 'known/protocol', 'tcp']
['set', 'apache-instant', 'addaction', 'sendmail-geoip-lines']
['set', 'apache-instant', 'action', 'sendmail-geoip-lines', 'actionstop', 'printf %b "Subject: [Fail2Ban] <name>: stopped on `uname -n`\nDate: `LC_TIME=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'apache-instant', 'action', 'sendmail-geoip-lines', 'actionunban', '']
['set', 'apache-instant', 'action', 'sendmail-geoip-lines', 'actionstart', 'printf %b "Subject: [Fail2Ban] <name>: started on `uname -n`\nDate: `LC_TIME=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'apache-instant', 'action', 'sendmail-geoip-lines', 'actioncheck', '']
['set', 'apache-instant', 'action', 'sendmail-geoip-lines', 'actionban', 'printf %b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`\nDate: `LC_TIME=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against <name>.\\n\\n\nHere is more information about <ip>:\\n\nhttp://bgp.he.net/ip/<ip>\nhttp://www.projecthoneypot.org/ip_<ip>\nhttp://whois.domaintools.com/<ip>\\n\\n\nCountry:`geoiplookup -f /usr/share/GeoIP/GeoIP.dat "<ip>" | cut -d\':\' -f2-`\nAS:`geoiplookup -f /usr/share/GeoIP/GeoIPASNum.dat "<ip>" | cut -d\':\' -f2-`\nhostname: `host -t A <ip> 2>&1`\\n\\n\nLines containing IP:<ip> in <logpath>\\n\n`grep -E \'(^|[^0-9])<ip>([^0-9]|$)\' <logpath>`\\n\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'apache-instant', 'action', 'sendmail-geoip-lines', 'chain', 'INPUT']
['set', 'apache-instant', 'action', 'sendmail-geoip-lines', 'logpath', '/var/log/apache2/*error.log']
['set', 'apache-instant', 'action', 'sendmail-geoip-lines', 'name', 'apache-instant']
['set', 'apache-instant', 'action', 'sendmail-geoip-lines', 'sendername', 'Fail2Ban']
['set', 'apache-instant', 'action', 'sendmail-geoip-lines', 'dest', 'viktor@szepe.net']
['set', 'apache-instant', 'action', 'sendmail-geoip-lines', 'known/sendername', 'Fail2Ban']
['set', 'apache-instant', 'action', 'sendmail-geoip-lines', 'known/dest', 'root']
['set', 'apache-instant', 'action', 'sendmail-geoip-lines', 'sender', 'fail2ban']
['set', 'apache-instant', 'action', 'sendmail-geoip-lines', 'known/sender', 'fail2ban']
['start', 'apache-instant']

@sebres
Contributor

sebres commented Aug 24, 2015

Yes, it's an execution inside an execution.
And the output of grep -E \'(^|[^0-9])<ip>([^0-9]|$)\' <logpath> should definitely be escaped before it is processed further.
But it's not a security hazard as earlier assumed, unless sendmail has any execution of stdin inside itself.

@szepeviktor
Member Author

I'd prefer to view the same lines in the email as in the log.

@sebres sebres removed the grave label Aug 24, 2015
@szepeviktor
Member Author

Could a simple sed -e 's|\\|\\\\|g' help?
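To make the nested substitution and the proposed filter concrete, here is an added example (not fail2ban's code and not from either commenter) that reproduces the printf %b path of the sendmail-geoip-lines actionban on a constructed log line and shows what the sed filter above changes. It uses $(...) instead of backticks, a placeholder path for the log, and an IP taken from the log line quoted in the issue.

```shell
#!/bin/sh
# Added example, not fail2ban's own code. The grep output is command-substituted
# into the argument of printf %b, which then interprets any backslash sequence
# the log line itself contains ("execution inside execution").

# Write one constructed Apache error-log line (not a real capture) into $1.
# The body carries a literal two-character "\n" like the PHP message in the
# issue; printf '%s' does not interpret it, so the file keeps it verbatim.
make_sample_log() {
  printf '%s\n' '[Fri Aug 21 22:32:44 2015] [proxy_fcgi:error] [client 37.6.216.36:24341] AH01071: Got error PHP message: Break-in attempt detected </home/site/wp-login.php\nPHP message: HTTP REQUEST' > "$1"
}

# Same grep as the action: lines mentioning the IP, guarded by non-digits.
grep_ip_lines() {
  pat="(^|[^0-9])$1([^0-9]|\$)"
  grep -E "$pat" "$2"
}

# Original behaviour: the substituted log text reaches printf %b unescaped,
# so the log's own "\n" turns into a real line break in the mail body.
render_unescaped() {
  printf %b "Lines containing IP:$1 in $2\\n$(grep_ip_lines "$1" "$2")\\n"
}

# Proposed fix: double every backslash in the substituted text first, so
# printf %b collapses "\\n" back to the literal "\n" that the log contains.
render_escaped() {
  printf %b "Lines containing IP:$1 in $2\\n$(grep_ip_lines "$1" "$2" | sed -e 's|\\|\\\\|g')\\n"
}

# Number of output lines a rendering function produces for the sample file.
count_lines() {
  "$1" 37.6.216.36 "$2" | wc -l | tr -d ' '
}

main() {
  f=$(mktemp)
  make_sample_log "$f"
  echo "unescaped: $(count_lines render_unescaped "$f") lines"  # 3
  echo "escaped:   $(count_lines render_escaped "$f") lines"    # 2
  rm -f "$f"
}

main
```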

@sebres
Contributor

sebres commented Mar 24, 2017

I believe this and other similar issues are already fixed (I cannot reproduce it anymore).
Let me know if I should reopen this.

@sebres sebres closed this as completed Mar 24, 2017
@szepeviktor
Member Author

@sebres So for example wp-login.php\nPHP message: in your log doesn't appear as

wp-login.php
PHP message:

in the email?

@sebres
Contributor

sebres commented Mar 24, 2017

0.10? (or 0.9)

@szepeviktor
Member Author

szepeviktor commented Mar 24, 2017

I am not able to run 0.10 because it is not packaged for Debian
https://packages.debian.org/sid/fail2ban

@sebres
Contributor

sebres commented Mar 24, 2017

Wiki - How to test newer fail2ban version resp. use fail2ban standalone instance

It is meant to run in parallel to your stock fail2ban, without installation. Just copy your customization there as described and disable the banning action (or replace it with "dummy"; we have such an action) to prevent dual bans (from the test instance as well)...

@szepeviktor
Member Author

Thank you.
