daily autocommit

.etckeeper

@@ -420,6 +420,7 @@ maybe chmod 0644 'crowdsec/hub/scenarios/crowdsecurity/http-sqli-probing.yaml'
 maybe chmod 0644 'crowdsec/hub/scenarios/crowdsecurity/http-xss-probing.yaml'
 maybe chmod 0644 'crowdsec/hub/scenarios/crowdsecurity/jira_cve-2021-26086.yaml'
 maybe chmod 0644 'crowdsec/hub/scenarios/crowdsecurity/mysql-bf.yaml'
+maybe chmod 0644 'crowdsec/hub/scenarios/crowdsecurity/netgear_rce.yaml'
 maybe chmod 0644 'crowdsec/hub/scenarios/crowdsecurity/nginx-req-limit-exceeded.yaml'
 maybe chmod 0644 'crowdsec/hub/scenarios/crowdsecurity/pulse-secure-sslvpn-cve-2019-11510.yaml'
 maybe chmod 0644 'crowdsec/hub/scenarios/crowdsecurity/spring4shell_cve-2022-22965.yaml'

crowdsec/hub/collections/crowdsecurity/http-cve.yaml

@@ -21,6 +21,7 @@ scenarios:
   - crowdsecurity/CVE-2022-46169
   - crowdsecurity/CVE-2022-44877
   - crowdsecurity/CVE-2019-18935
+  - crowdsecurity/netgear_rce
 author: crowdsecurity
 tags:
   - web

crowdsec/hub/parsers/s01-parse/crowdsecurity/sshd-logs.yaml

@@ -15,6 +15,7 @@ pattern_syntax:
   SSHD_PREAUTH_AUTHENTICATING_USER: 'Connection closed by (authenticating|invalid) user %{USERNAME:sshd_invalid_user} %{IP_WORKAROUND:sshd_client_ip} port \d+ \[preauth\]'
   #following: https://github.com/crowdsecurity/crowdsec/issues/1201 - some scanners behave differently and trigger this one
   SSHD_PREAUTH_AUTHENTICATING_USER_ALT: 'Disconnected from (authenticating|invalid) user %{USERNAME:sshd_invalid_user} %{IP_WORKAROUND:sshd_client_ip} port \d+ \[preauth\]'
+  SSHD_BAD_KEY_NEGOTIATION: 'Unable to negotiate with %{IP_WORKAROUND:sshd_client_ip} port \d+: no matching (host key type|key exchange method) found.'
 nodes:
   - grok:
       name: "SSHD_FAIL"
@@ -86,6 +87,12 @@ nodes:
           value: ssh_failed-auth
         - meta: target_user
           expression: "evt.Parsed.sshd_invalid_user"
+  - grok:
+      name: "SSHD_BAD_KEY_NEGOTIATION"
+      apply_on: message
+      statics:
+        - meta: log_type
+          value: ssh_bad_keyexchange
 statics:
     - meta: service
       value: ssh

crowdsec/hub/scenarios/crowdsecurity/netgear_rce.yaml

@@ -0,0 +1,13 @@
+type: trigger
+format: 2.0
+name: crowdsecurity/netgear_rce
+description: "Detect Netgear RCE DGN1000/DGN220 exploitation attempts"
+filter: |
+  evt.Meta.log_type in ['http_access-log', 'http_error-log'] && Lower(QueryUnescape(evt.Meta.http_path)) startsWith Upper('/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=')
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+references: 
+  - "https://www.exploit-db.com/exploits/25978"
+labels:
+  type: exploit
+  remediation: true

crowdsec/scenarios/netgear_rce.yaml

@@ -0,0 +1 @@
+/etc/crowdsec/hub/scenarios/crowdsecurity/netgear_rce.yaml

csf/csf.deny

@@ -15,38 +15,6 @@
 # tcp/udp|in/out|s/d=port,port,...|s/d=ip
 #
 # See readme.txt for more information regarding advanced port filtering
-185.240.96.123 # lfd: (PERMBLOCK) 185.240.96.123 (PL/Poland/Warmia-Masuria/Mragowo/185-240-96-123.matcom.com.pl) has had more than 2 temp blocks in the last 86400 secs - Sat Apr  1 11:16:59 2023
-89.44.137.55 # lfd: (PERMBLOCK) 89.44.137.55 (RO/Romania/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr  1 11:17:04 2023
-37.53.72.211 # lfd: (PERMBLOCK) 37.53.72.211 (UA/Ukraine/Kyiv City/Kyiv/mail.tatneft-crimea.com.ua) has had more than 2 temp blocks in the last 86400 secs - Sat Apr  1 12:14:59 2023
-152.89.47.9 # lfd: (PERMBLOCK) 152.89.47.9 (IR/Iran/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr  1 12:20:10 2023
-159.65.171.230 # lfd: (PERMBLOCK) 159.65.171.230 (US/United States/New Jersey/Clifton/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr  1 12:20:10 2023
-8.209.248.154 # lfd: (PERMBLOCK) 8.209.248.154 (JP/Japan/Tokyo/Tokyo/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr  1 16:13:00 2023
-51.15.140.163 # lfd: (PERMBLOCK) 51.15.140.163 (FR/France/-/-/163-140-15-51.instances.scw.cloud) has had more than 2 temp blocks in the last 86400 secs - Sat Apr  1 16:31:12 2023
-122.254.94.129 # lfd: (PERMBLOCK) 122.254.94.129 (MN/Mongolia/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr  1 18:59:55 2023
-178.128.95.119 # lfd: (PERMBLOCK) 178.128.95.119 (SG/Singapore/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sat Apr  1 19:12:26 2023
-178.128.172.9 # lfd: (PERMBLOCK) 178.128.172.9 (GB/United Kingdom/England/London/lon0.hartserver.net) has had more than 2 temp blocks in the last 86400 secs - Sat Apr  1 19:30:13 2023
-80.87.33.100 # lfd: (PERMBLOCK) 80.87.33.100 (PL/Poland/Greater Poland/Poznan/netlink.net.pl) has had more than 2 temp blocks in the last 86400 secs - Sat Apr  1 23:57:37 2023
-160.251.12.200 # lfd: (PERMBLOCK) 160.251.12.200 (JP/Japan/-/-/v160-251-12-200.s5lx.static.cnode.io) has had more than 2 temp blocks in the last 86400 secs - Sat Apr  1 23:57:37 2023
-89.205.4.67 # lfd: (PERMBLOCK) 89.205.4.67 (MK/North Macedonia/-/Naselba Caska/89.205.4.67.robi.com.mk) has had more than 2 temp blocks in the last 86400 secs - Sat Apr  1 23:58:32 2023
-47.250.45.104 # lfd: (PERMBLOCK) 47.250.45.104 (MY/Malaysia/Kuala Lumpur/Kuala Lumpur/-) has had more than 2 temp blocks in the last 86400 secs - Sun Apr  2 02:08:44 2023
-202.53.175.36 # lfd: (PERMBLOCK) 202.53.175.36 (BD/Bangladesh/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sun Apr  2 04:17:22 2023
-185.18.213.199 # lfd: (PERMBLOCK) 185.18.213.199 (IR/Iran/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sun Apr  2 04:44:29 2023
-84.38.182.237 # lfd: (PERMBLOCK) 84.38.182.237 (RU/Russia/St.-Petersburg/St Petersburg/1984890564opaafl.sutici.email) has had more than 2 temp blocks in the last 86400 secs - Sun Apr  2 09:24:19 2023
-188.166.231.245 # lfd: (PERMBLOCK) 188.166.231.245 (SG/Singapore/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sun Apr  2 13:24:40 2023
-92.255.165.123 # lfd: (PERMBLOCK) 92.255.165.123 (RU/Russia/Tyumen Oblast/Tyumen/92x255x165x123.static-customer.tmn.ertelecom.ru) has had more than 2 temp blocks in the last 86400 secs - Sun Apr  2 13:37:41 2023
-195.58.6.45 # lfd: (PERMBLOCK) 195.58.6.45 (RU/Russia/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sun Apr  2 14:26:51 2023
-41.59.100.34 # lfd: (PERMBLOCK) 41.59.100.34 (TZ/Tanzania/-/-/34.100.59-41.data-dsm.ttcldata.net) has had more than 2 temp blocks in the last 86400 secs - Sun Apr  2 21:21:12 2023
-77.94.113.222 # lfd: (PERMBLOCK) 77.94.113.222 (RU/Russia/Bashkortostan Republic/Ufa/h77-94-113-222.static.bashtel.ru) has had more than 2 temp blocks in the last 86400 secs - Sun Apr  2 23:31:29 2023
-194.31.55.229 # lfd: (PERMBLOCK) 194.31.55.229 (LT/Lithuania/Vilnius City Municipality/Vilnius/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr  3 02:45:26 2023
-176.108.177.42 # lfd: (PERMBLOCK) 176.108.177.42 (RU/Russia/Oryol oblast/-/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr  3 02:58:47 2023
-188.166.240.30 # lfd: (PERMBLOCK) 188.166.240.30 (SG/Singapore/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr  3 03:15:29 2023
-185.216.116.113 # lfd: (PERMBLOCK) 185.216.116.113 (HK/Hong Kong/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr  3 03:21:10 2023
-41.78.75.44 # lfd: (PERMBLOCK) 41.78.75.44 (SO/Somalia/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr  3 05:34:57 2023
-81.0.57.187 # lfd: (PERMBLOCK) 81.0.57.187 (ES/Spain/Madrid/Madrid/static.187.57.0.81.ibercom.com) has had more than 2 temp blocks in the last 86400 secs - Mon Apr  3 12:43:54 2023
-185.116.160.1 # lfd: (PERMBLOCK) 185.116.160.1 (IR/Iran/Tehran/Tehran/static.1.160.116.185.clients.irandns.com) has had more than 2 temp blocks in the last 86400 secs - Mon Apr  3 14:27:08 2023
-95.106.174.126 # lfd: (PERMBLOCK) 95.106.174.126 (RU/Russia/Yaroslavl Oblast/Yaroslavl/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr  3 16:23:38 2023
-213.27.189.252 # lfd: (PERMBLOCK) 213.27.189.252 (ES/Spain/Catalonia/Barcelona/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr  3 17:12:27 2023
-206.189.140.37 # lfd: (PERMBLOCK) 206.189.140.37 (IN/India/Karnataka/Bengaluru/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr  3 18:49:36 2023
 157.230.254.228 # lfd: (PERMBLOCK) 157.230.254.228 (SG/Singapore/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr  3 18:53:06 2023
 187.200.204.33 # lfd: (PERMBLOCK) 187.200.204.33 (MX/Mexico/México/Toluca/dsl-187-200-204-33-dyn.prod-infinitum.com.mx) has had more than 2 temp blocks in the last 86400 secs - Mon Apr  3 18:57:41 2023
 125.143.128.117 # lfd: (PERMBLOCK) 125.143.128.117 (KR/South Korea/Seoul/Seoul/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr  3 19:17:38 2023
@@ -1014,3 +982,35 @@
 107.172.63.36 # lfd: (PERMBLOCK) 107.172.63.36 (US/United States/-/-/reference-all.ecomweight.com) has had more than 2 temp blocks in the last 86400 secs - Tue Jun 13 02:20:16 2023
 143.198.147.146 # lfd: (PERMBLOCK) 143.198.147.146 (US/United States/California/Santa Clara/-) has had more than 2 temp blocks in the last 86400 secs - Tue Jun 13 02:21:51 2023
 105.246.136.46 # lfd: (PERMBLOCK) 105.246.136.46 (ZA/South Africa/Gauteng/Johannesburg/-) has had more than 2 temp blocks in the last 86400 secs - Tue Jun 13 07:06:03 2023
+94.105.126.6 # lfd: (PERMBLOCK) 94.105.126.6 (BE/Belgium/Antwerp Province/Antwerp/94.105.126.6.dyn.edpnet.net) has had more than 2 temp blocks in the last 86400 secs - Tue Jun 13 10:36:08 2023
+154.74.133.74 # lfd: (PERMBLOCK) 154.74.133.74 (TZ/Tanzania/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Tue Jun 13 10:44:34 2023
+147.139.33.144 # lfd: (PERMBLOCK) 147.139.33.144 (IN/India/Maharashtra/Mumbai/-) has had more than 2 temp blocks in the last 86400 secs - Tue Jun 13 10:54:10 2023
+211.75.215.176 # lfd: (PERMBLOCK) 211.75.215.176 (TW/Taiwan/Taichung City/Taichung/211-75-215-176.hinet-ip.hinet.net) has had more than 2 temp blocks in the last 86400 secs - Tue Jun 13 10:56:50 2023
+186.210.213.40 # lfd: (PERMBLOCK) 186.210.213.40 (BR/Brazil/Minas Gerais/Uberaba/186-210-213-40.xd-dynamic.algarnetsuper.com.br) has had more than 2 temp blocks in the last 86400 secs - Tue Jun 13 12:20:23 2023
+194.163.152.42 # lfd: (PERMBLOCK) 194.163.152.42 (DE/Germany/North Rhine-Westphalia/Düsseldorf/-) has had more than 2 temp blocks in the last 86400 secs - Tue Jun 13 12:51:56 2023
+189.112.0.11 # lfd: (PERMBLOCK) 189.112.0.11 (BR/Brazil/-/-/189-112-000-011.static.ctbctelecom.com.br) has had more than 2 temp blocks in the last 86400 secs - Tue Jun 13 13:46:41 2023
+103.181.142.68 # lfd: (PERMBLOCK) 103.181.142.68 (ID/Indonesia/-/-/ip68.142.181.103.in-addr.arpa.unknwn.cloudhost.asia) has had more than 2 temp blocks in the last 86400 secs - Tue Jun 13 20:19:54 2023
+95.165.89.212 # lfd: (PERMBLOCK) 95.165.89.212 (RU/Russia/Moscow/Moscow/95-165-89-212.dynamic.spd-mgts.ru) has had more than 2 temp blocks in the last 86400 secs - Tue Jun 13 20:24:39 2023
+46.114.170.141 # lfd: (PERMBLOCK) 46.114.170.141 (DE/Germany/Free and Hanseatic City of Hamburg/Hamburg/-) has had more than 2 temp blocks in the last 86400 secs - Tue Jun 13 20:27:19 2023
+95.24.7.250 # lfd: (PERMBLOCK) 95.24.7.250 (RU/Russia/Rostov Oblast/Rostov-on-Don/95-24-7-250.broadband.corbina.ru) has had more than 2 temp blocks in the last 86400 secs - Tue Jun 13 20:31:30 2023
+49.212.132.147 # lfd: (PERMBLOCK) 49.212.132.147 (JP/Japan/Kanagawa/Hiyoshi/os3-320-49643.vs.sakura.ne.jp) has had more than 2 temp blocks in the last 86400 secs - Tue Jun 13 21:09:08 2023
+43.153.213.168 # lfd: (PERMBLOCK) 43.153.213.168 (SG/Singapore/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Tue Jun 13 22:18:28 2023
+178.128.21.211 # lfd: (PERMBLOCK) 178.128.21.211 (SG/Singapore/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Tue Jun 13 22:27:14 2023
+47.250.38.240 # lfd: (PERMBLOCK) 47.250.38.240 (MY/Malaysia/Kuala Lumpur/Kuala Lumpur/-) has had more than 2 temp blocks in the last 86400 secs - Tue Jun 13 23:25:34 2023
+193.105.6.24 # lfd: (PERMBLOCK) 193.105.6.24 (IR/Iran/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Tue Jun 13 23:30:54 2023
+47.108.78.29 # lfd: (PERMBLOCK) 47.108.78.29 (CN/China/Sichuan/Chengdu/-) has had more than 2 temp blocks in the last 86400 secs - Tue Jun 13 23:30:55 2023
+46.101.123.135 # lfd: (PERMBLOCK) 46.101.123.135 (DE/Germany/Hesse/Frankfurt am Main/-) has had more than 2 temp blocks in the last 86400 secs - Wed Jun 14 02:08:14 2023
+37.152.180.60 # lfd: (PERMBLOCK) 37.152.180.60 (IR/Iran/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Wed Jun 14 02:30:51 2023
+8.222.220.160 # lfd: (PERMBLOCK) 8.222.220.160 (SG/Singapore/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Wed Jun 14 02:30:52 2023
+185.242.235.76 # lfd: (PERMBLOCK) 185.242.235.76 (HK/Hong Kong/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Wed Jun 14 05:34:36 2023
+177.23.151.50 # lfd: (PERMBLOCK) 177.23.151.50 (BR/Brazil/Rio de Janeiro/Rio de Janeiro/corporativo.gigabit-ipv4-as262896-50-151-23-177.speedwebtelecom.com) has had more than 2 temp blocks in the last 86400 secs - Wed Jun 14 05:34:37 2023
+188.166.211.7 # lfd: (PERMBLOCK) 188.166.211.7 (SG/Singapore/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Wed Jun 14 05:37:32 2023
+213.108.200.11 # lfd: (PERMBLOCK) 213.108.200.11 (RU/Russia/-/-/213-108-200-11.ms56.su) has had more than 2 temp blocks in the last 86400 secs - Wed Jun 14 07:12:24 2023
+203.109.79.98 # lfd: (PERMBLOCK) 203.109.79.98 (IN/India/Gujarat/Surat/98-79-109-203.static.youbroadband.in) has had more than 2 temp blocks in the last 86400 secs - Wed Jun 14 11:24:57 2023
+81.16.126.110 # lfd: (PERMBLOCK) 81.16.126.110 (IR/Iran/Tehran/Tehran/-) has had more than 2 temp blocks in the last 86400 secs - Wed Jun 14 17:55:58 2023
+46.101.168.243 # lfd: (PERMBLOCK) 46.101.168.243 (DE/Germany/Hesse/Frankfurt am Main/-) has had more than 2 temp blocks in the last 86400 secs - Thu Jun 15 00:11:34 2023
+47.243.143.78 # lfd: (PERMBLOCK) 47.243.143.78 (HK/Hong Kong/Central and Western District/Central/-) has had more than 2 temp blocks in the last 86400 secs - Thu Jun 15 00:11:35 2023
+79.106.12.211 # lfd: (PERMBLOCK) 79.106.12.211 (AL/Albania/Tirana/Tirana/-) has had more than 2 temp blocks in the last 86400 secs - Thu Jun 15 03:01:18 2023
+93.219.101.120 # lfd: (PERMBLOCK) 93.219.101.120 (DE/Germany/Baden-Wurttemberg/Geislingen an der Steige/-) has had more than 2 temp blocks in the last 86400 secs - Thu Jun 15 03:10:34 2023
+fe80::18b5:110b:55f:2940 # lfd: (PERMBLOCK) fe80::18b5:110b:55f:2940 (Unknown) has had more than 2 temp blocks in the last 86400 secs - Fri Jun 16 00:40:54 2023
+fe80::45e:3b4d:3a8f:184a # lfd: (PERMBLOCK) fe80::45e:3b4d:3a8f:184a (Unknown) has had more than 2 temp blocks in the last 86400 secs - Fri Jun 16 04:44:10 2023

csf/csf.ignore

@@ -45,3 +45,4 @@
 94.68.45.238
 
 188.25.145.26
+5.12.16.177