fail2ban 和特定的 RegEx
[英]fail2ban and specific RegEx
问题描述
I'd need help for a fail2ban filter that should match on failed login attempts within openHAB.
我需要一个 fail2ban 过滤器的帮助,它应该与 openHAB 中的失败登录尝试匹配。
06-Apr.-2021 18:49:52.726 [WARN ] [core.io.http.auth.internal.AbstractAuthPageServlet] - Authentication failed: Wrong password for user UserThatFailedLogin
06-Apr.-2021 19:41:11.456 [WARN ] [core.io.http.auth.internal.AbstractAuthPageServlet] - Authentication failed: User not found: UserThatFailedLogin
These are both examples for log entries for A) wrong password and B) not-existing users.这些都是 A) 错误密码和 B) 不存在用户的日志条目示例。
I've played around https://regex101.com and came up with the following RegEx (first touchpoint for me);我玩过https://regex101.com并想出了以下 RegEx(我的第一个接触点);
(\bAuthentication failed: Wrong password\b|\bAuthentication failed: User not found\b)
While it matches in the regex101-tool for above mentioned example log-entries, unfortunately I don't see any matches in fail2ban.虽然它在 regex101-tool 中匹配上述示例日志条目,但不幸的是,我在 fail2ban 中没有看到任何匹配项。
If you could help me out here, it would be highly appreciated, many thanks in advance!如果您能在这里帮助我,将不胜感激,在此先感谢您!
1 个解决方案
解决方案1
0 2021-04-09 16:43:53
What exactly do you want ban?你到底想禁止什么?
Firstly, both messages from your example do not contain any identifier to be banned - neither IP, not something else excepting the username.首先,您的示例中的两条消息均不包含任何要被禁止的标识符 - IP 和除用户名之外的其他内容。 It is possible to ban everything, but you surely won't ban username.可以禁止所有内容,但您肯定不会禁止用户名。
Then you'd need to provide a custom datepattern , it will be something like below (just I'm not sure the month token would always match (because it has here . after it).然后你需要提供一个自定义的datepattern ,它将如下所示(只是我不确定月份标记是否总是匹配(因为它在这里有. )。
So assuming we had an IP address after failed , like this:所以假设我们在failed之后有一个 IP 地址,如下所示:
06-Apr.-2021 18:49:52.726 [WARN ] [core.io.http.auth.internal.AbstractAuthPageServlet] - Authentication failed from 192.0.2.1: Wrong password for user UserThatFailedLogin
06-Apr.-2021 19:41:11.456 [WARN ] [core.io.http.auth.internal.AbstractAuthPageServlet] - Authentication failed from 192.0.2.1: User not found: UserThatFailedLogin
your filter could look like here:您的过滤器可能如下所示:
[Definition]
datepattern = %%d-%%b\.-%%Y %%H:%%M:%%S\.%%f
failregex = ^\s*\[WARN\s*\] \[core.io.http.auth.internal.AbstractAuthPageServlet\] - Authentication failed from <ADDR>: (?:Wrong password for user|User not found:) <F-USER>\S+</F-USER>
But without any identifier to ban, hmmm...但是没有任何标识符可以禁止,嗯...
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.