Return to Wiki Index

! Should be customized to your needs !

[Definition]
# Dolibarr specific attack patterns

failregex = ^<HOST>.*(
    # Login-related attacks (Brute-forcing, password guessing)
    /index.php.*action=login.*|              # Login page (login attempt)
    /index.php.*login.*|                     # Generic login attempt
    /index.php.*password.*|                  # Password reset or login with parameter
    /index.php.*user.*|                      # User login attempt
    /core/ajax/authenticate.php.*|           # AJAX authentication (common for brute-force)
    
    # File upload exploits or suspicious file access
    /documents/.*/.*\.php.*|                  # Upload of PHP backdoor files in documents
    /htdocs/.*/.*\.php.*|                    # PHP file uploads in other directories
    /includes/.*/.*\.php.*|                  # Exploiting includes for arbitrary file inclusion
    /admin/.*/.*\.php.*|                     # Admin-related paths exploited for file upload
    
    # SQL Injection or malformed URL access
    /index.php.*id=.*|                       # SQL Injection attempt (id parameter abuse)
    /index.php.*action=.*|                   # Malformed action parameter (common in SQL injection attempts)
    /index.php.*page=.*|                     # page parameter exploitation (potential SQLi)
    /index.php.*lang=.*|                     # Language-based attacks via GET parameters
    /index.php.*module=.*|                   # Module-based attacks (can be exploited for SQLi)
    
    # Known RCE (Remote Code Execution) and PHP Injection
    /index.php.*exec.*|                      # Remote code execution (exec-based attack)
    /index.php.*eval.*|                      # Eval-based code injection (RCE)
    /index.php.*base64.*|                    # Base64 code injection for RCE
    /core/ajax/files.php.*|                  # File manipulation endpoint (often exploited for file upload or RCE)
    /core/ajax/action_update.php.*|          # Update script exploit (used for RCE or privilege escalation)
    /core/ajax/login_check.php.*|            # AJAX login check (exploited for brute-forcing)
    
    # Admin panel and configuration abuse
    /admin/.*/.*config.*|                    # Configuration abuse in admin path
    /admin/.*/.*settings.*|                  # Settings manipulation in admin area
    /admin/.*/.*backup.*|                    # Backup page exploited for unauthorized access
    /admin/.*/.*dump.*|                      # Data dump exploit attempts in admin area
    
    # Known vulnerable modules in Dolibarr
    /module/hook/.*/.*|                      # Hook-based exploits (common in Dolibarr modules)
    /module/.*\.php.*|                       # Generic module exploitation (can lead to RCE)
    /core/modules/.*/.*|                     # Exploiting core modules for RCE or privilege escalation
    
    # Attempt to access sensitive files or directories
    /admin/.*/.*\.sql.*|                     # SQL dump files accessed (attempting data extraction)
    /admin/.*/.*\.tar.*|                     # Archive file manipulation for unauthorized uploads
    /admin/.*/.*\.gz.*|                      # Compressed archive abuse (common for backdoor uploads)
    
    # Uncommon backdoor file names (PHP shells and eval-based scripts)
    /index.php.*backdoor.php.*|              # Backdoor file upload attempt
    /index.php.*eval.php.*|                  # Eval-based backdoor exploit
    /index.php.*base64.php.*|                # Base64 encoded PHP shell exploit
    
    # Generic attack patterns
    /core/ajax/.*\.php.*|                    # AJAX PHP exploit attempts (e.g., file upload)
    /core/modules/.*\.php.*|                 # Module PHP file access attempts
    /admin/.*/.*\.php.*|                     # PHP file execution within admin path
)

ignoreregex =

[http-dolibarr]
enabled  = true
banaction = %(banaction_allports)s
logpath  = /var/log/nginx/*.access.log
maxretry = 10
bantime  = 10m
findtime = 3d
backend = polling