An example log line:
192.241.212.111 - - [29/Jul/2021:00:55:15 +0200] "GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1" 302 4949 "-" "Mozilla/5.0 zgrab/0.x"
List of the IPs:
# zgrep "/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application" /var/log/apache2/access.humhub.log.*gz | sed 's/:/ /g' | awk '{print $2}' | sort -n | uniq | awk '{print "/usr/sbin/iptables -A INPUT -s " $1 " -j DROP "}'
/usr/sbin/iptables -A INPUT -s 192.241.197.168 -j DROP
/usr/sbin/iptables -A INPUT -s 192.241.208.45 -j DROP
/usr/sbin/iptables -A INPUT -s 192.241.209.206 -j DROP
/usr/sbin/iptables -A INPUT -s 192.241.210.112 -j DROP
/usr/sbin/iptables -A INPUT -s 192.241.210.26 -j DROP
/usr/sbin/iptables -A INPUT -s 192.241.211.59 -j DROP
/usr/sbin/iptables -A INPUT -s 192.241.211.81 -j DROP
/usr/sbin/iptables -A INPUT -s 192.241.211.83 -j DROP
/usr/sbin/iptables -A INPUT -s 192.241.212.191 -j DROP
/usr/sbin/iptables -A INPUT -s 192.241.219.62 -j DROP
/usr/sbin/iptables -A INPUT -s 192.241.221.181 -j DROP
/usr/sbin/iptables -A INPUT -s 192.241.223.182 -j DROP
/usr/sbin/iptables -A INPUT -s 192.241.223.191 -j DROP
The number of IPs I have blacklisted:
# cat /etc/iptables/rules.v4 | grep "DROP" | wc -l
228
Update on this flaw:
# grep "microsoft.exchange.ediscovery.exporttool.application" /var/log/apache2/access.* | sed "s/:/ /g" | awk '{print $2}' | sort | uniq
192.241.198.125
192.241.205.65
192.241.208.235
192.241.209.26
# iptables -A INPUT -s 192.241.198.125 -j DROP
# iptables -A INPUT -s 192.241.205.65 -j DROP
# iptables -A INPUT -s 192.241.208.235 -j DROP
# iptables -A INPUT -s 192.241.209.26 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4
# grep "microsoft.exchange.ediscovery.exporttool.application" /var/log/apache2/access.*.log
192.241.207.72 - - [13/Dec/2021:00:04:37 +0100] "GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1" 302 4946 "-" "Mozilla/5.0 zgrab/0.x"
192.241.214.159 - - [13/Dec/2021:03:53:19 +0100] "GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1" 302 4946 "-" "Mozilla/5.0 zgrab/0.x"
# iptables -A INPUT -s 192.241.207.72 -j DROP
# iptables -A INPUT -s 192.241.214.159 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4
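The two passes above (the first zgrep/awk pipeline and the December update) both do the same thing: pull the client IP out of every Apache access-log line that requested the Exchange exporttool path, dedupe, and turn each IP into an iptables DROP rule. The script below is an added example written for this page, not the author's own commands. It wraps that pipeline in two small POSIX sh functions that read log lines on stdin, so it can be pointed at one file, a glob, or zgrep output. The log lines in SAMPLE_LOG are constructed (RFC 5737 documentation addresses), and the rules are printed for review rather than executed.

```shell
#!/bin/sh
# Added example (not from the original post): extract the unique client IPs
# that requested the Exchange exporttool path and emit iptables DROP rules.

# Request path the scanners probe for (from the article's log lines).
PATTERN='/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application'

# Constructed sample input: one scanner seen twice, one unrelated request,
# and a second scanner. Addresses are documentation ranges, not real hits.
SAMPLE_LOG='192.0.2.10 - - [29/Jul/2021:00:55:15 +0200] "GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1" 302 4949 "-" "Mozilla/5.0 zgrab/0.x"
192.0.2.10 - - [29/Jul/2021:00:55:16 +0200] "GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1" 302 4949 "-" "Mozilla/5.0 zgrab/0.x"
198.51.100.7 - - [29/Jul/2021:01:02:03 +0200] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Jul/2021:01:10:11 +0200] "GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1" 302 4949 "-" "Mozilla/5.0 zgrab/0.x"'

# scanner_ips: read access-log lines on stdin, print each offending IPv4 once.
# grep -F matches the path as a fixed string, so the dots are not wildcards.
# When grep runs over several files it prefixes "filename:" to each line; the
# awk sub() strips everything up to the last ':' in the first field, which is
# the same trick as the article's sed 's/:/ /g' but leaves the rest of the
# line untouched. (IPv4 only: an IPv6 source address would be mangled.)
scanner_ips() {
    grep -F -- "$PATTERN" \
        | awk '{ ip = $1; sub(/^.*:/, "", ip); print ip }' \
        | sort -u
}

# drop_rules: turn the deduplicated IP list into one iptables rule per line.
# Output is text to review and apply by hand, mirroring the article; it is
# deliberately not piped into sh here.
drop_rules() {
    scanner_ips | awk '{ print "/usr/sbin/iptables -A INPUT -s " $1 " -j DROP" }'
}

# Demo on the constructed sample. For real logs, replace the printf with e.g.
#   zgrep -h "$PATTERN" /var/log/apache2/access.*.gz | drop_rules
printf '%s\n' "$SAMPLE_LOG" | drop_rules
```

Run on the sample this prints two rules (for 192.0.2.10 and 203.0.113.5); the repeated hit collapses under sort -u and the /index.php request is ignored. After applying the rules, persisting them with /usr/sbin/iptables-save > /etc/iptables/rules.v4 as the post does keeps them across a reboot.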