My Fail2Ban filter doesn't appear to be working
I'm trying to use the fail2ban-regex command to test my filter and regex, but it doesn't seem to be having any luck. I used a tutorial to demonstrate how to use the Devise gem with Rails to log failed logins.
Here's my /etc/fail2ban/filter.d/core.conf file:
[INCLUDES]
before = common.conf
[Definition]
failregex = ^\s*(\[.+?\] )*Failed login for '.*' from <HOST> at $
and then here's what I have in my /etc/fail2ban/jail.conf file.
[core]
enabled = true
filter = core
port = http,https
logpath = /home/rails/Documents/rails_app/devise.log
bantime = 3600
findtime = 600
maxretry = 2
And here's an example output from the devise.log file that Rails created:
# Logfile created on 2018-09-26 16:19:41 -0500 by logger.rb/61378
E, [2018-09-26T16:19:41.353620 #12157] ERROR -- : Failed login for 'ekjtherkjh@gmail.com' from 172.16.38.1 at 2018-09-26T21:19:41Z
E, [2018-09-26T16:27:17.469743 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:17Z
E, [2018-09-26T16:27:19.706783 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:19Z
E, [2018-09-26T16:27:21.504956 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:21Z
E, [2018-09-26T16:27:23.193147 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:23Z
It's exactly what was used in the tutorial. However, when I submitted invalid login attempts, nothing happened.
Here's the result of my fail2ban-regex command:
[myuser:ubuntu:/etc/fail2ban/filter.d]$ fail2ban-regex /home/rails/Documents/rails_app/devise.log "^\s*(\[.+?\] )*Failed login for '.*' from <HOST> at $"
Running tests
=============
Use failregex line : ^\s*(\[.+?\] )*Failed login for '.*' from <HOST> at $
Use log file : /home/rails/Documents/rails_app/devise.log
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [13] ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-
Lines: 13 lines, 0 ignored, 0 matched, 13 missed
[processed in 0.02 sec]
|- Missed line(s):
| E, [2018-09-26T16:19:41.353620 #12157] ERROR -- : Failed login for 'ekjtherkjh@gmail.com' from 172.16.38.1 at 2018-09-26T21:19:41Z
| E, [2018-09-26T16:27:17.469743 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:17Z
| E, [2018-09-26T16:27:19.706783 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:19Z
| E, [2018-09-26T16:27:21.504956 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:21Z
| E, [2018-09-26T16:27:23.193147 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:23Z
| E, [2018-09-26T16:27:24.959032 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:24Z
| E, [2018-09-26T16:27:26.661292 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:26Z
| E, [2018-09-26T16:27:28.297408 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:28Z
| E, [2018-09-26T16:27:30.179503 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:30Z
| E, [2018-09-26T16:27:31.940616 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:31Z
| E, [2018-09-26T16:32:42.579173 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:32:42Z
| E, [2018-09-26T16:32:44.817088 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:32:44Z
| E, [2018-09-26T16:32:46.660918 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:32:46Z
Not sure why this isn't working. Any suggestions by chance? I've tried to manipulate my regex, but still no luck.
EDIT
It literally seems like Fail2Ban is broken or I'm just completely screwing up the Regex. I've reduced my devise.log file to just a single line containing an IP address, and reduced my filter down to just this:
[INCLUDES]
before = common.conf
[Definition]
failregex = <HOST>
and it STILL doesn't even find the IP address:
[myuser:ubuntu:/etc/fail2ban/filter.d]$ fail2ban-regex /home/rails/Documents/rails_app/devise.log core.conf
Running tests
=============
Use failregex filter file : core, basedir: /etc/fail2ban
Use datepattern : Default Detectors
Use log file : /home/rails/Documents/rails_app/devise.log
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.01 sec]
|- Missed line(s):
| 172.16.38.1
`-
In your log you have lines that look like this:
E, [2018-09-26T16:27:17.469743 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:17Z
And your regex is missing the ending of the lines, i.e. this part: 2018-09-26T21:27:17Z. So you need to modify your regex as follows:
failregex = ^.* (\[.*\])* ERROR -- \: Failed login for '.*' from <HOST> at .*$
Here you can test your regexes. Just remember to replace <HOST> with \d+\.\d+\.\d+\.\d+ on the regex site and then change it back to <HOST> in your conf files.
Let me know if it helped.