
fail2ban regex pattern for apache logs

Can't get a regex pattern to work with fail2ban. Our server is being hit by sqlmap penetration tests, and I'd like to be able to ban those IPs when they get logged. From the other examples I've seen, it seems I don't have to try to match every part of the log entry, but can just search for a word or string. Can't seem to get the pattern right. Any help is appreciated. Thanks

Current filter:

# Fail2Ban configuration file
#
# Bans any scanning with the tool sqlmap.
#

[Definition]
# Option:  failregex
# Notes.:  Regexp to match the use of sqlmap.
# Values:  TEXT
#
failregex = <HOST> [[] client []] (sqlmap)

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Sample log entries:

[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:08:51 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:08:53 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:08:55 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:08:58 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:08:59 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:01 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:03 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:05 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:06 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:08 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:10 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:11 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:13 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:15 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:16 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:18 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:19 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:21 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:23 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:25 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:27 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:29 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:31 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:33 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:35 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:37 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:39 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:41 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:43 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:45 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:46 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"

You need to think about what behaviour you want to classify as an attack. Relying on the sqlmap User-Agent is a bad idea, because it can easily be changed with a command-line argument. It might protect you from pen-testing services, but not from real attackers. That's exactly the situation you want to avoid!

Ideally, the PHP script should be modified to log a special message whenever it can't parse its parameters or suspects an injection attack. You can then write a regex to match that log entry and ban the attacker with a low retry count. Otherwise, you can only match on HTTP status 403 (Forbidden). It may also be worth looking into other HTTP error codes.

Sample log line:

[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:46 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"

Sample filter:

failregex = []] <HOST> .*HTTP/[0-9.]+" 403

This will match all HTTP 403 errors on your site. []] matches the literal ] at the end of [www.domain.com], so in your example HOST will be 192.168.2.12

You can use fail2ban-regex on the command line to develop the regex further to fit your needs:

fail2ban-regex '[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:35 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"' '[]] <HOST> .*HTTP/[0-9.]+" 403'
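As an added illustration (not part of the original answer), the following Python script emulates how fail2ban expands <HOST> and applies a failregex, so the question's filter and the answer's filter can be compared offline on a few constructed access-log lines. The HOST_RE pattern (IPv4 only) and the per-host counting against maxretry are simplified assumptions, not fail2ban's own code.

```python
import re
from collections import Counter

# fail2ban replaces <HOST> with its own host pattern before compiling. This
# stand-in is an assumption: it accepts IPv4 addresses only, which is all the
# sample access log contains (fail2ban's real pattern also covers IPv6/hostnames).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

def compile_failregex(failregex):
    """Expand <HOST> and compile, mirroring what fail2ban does with a failregex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def matching_hosts(failregex, lines):
    """Return the host captured from every line the failregex matches.
    fail2ban searches each line rather than anchoring it, hence re.search."""
    pat = compile_failregex(failregex)
    return [m.group("host") for m in map(pat.search, lines) if m]

def hosts_to_ban(failregex, lines, maxretry):
    """Hosts whose match count reaches maxretry (findtime windows ignored)."""
    counts = Counter(matching_hosts(failregex, lines))
    return sorted(h for h, n in counts.items() if n >= maxretry)

# Constructed sample lines in the same vhost-prefixed access-log format as the question.
SAMPLE_LOG = [
    '[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:08:51 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:08:53 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '[www.domain.com] 10.0.0.7 - - [19/Mar/2014:05:09:00 -0600] - "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '[www.domain.com] 10.0.0.9 - - [19/Mar/2014:05:09:02 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "Mozilla/5.0"',
]

# The question's filter expects the error-log "[client x.x.x.x]" layout,
# so it matches nothing in an access log.
ORIGINAL_FAILREGEX = r"<HOST> [[] client []] (sqlmap)"
# The answer's filter: a literal "]" then the client IP, then any 403 response,
# regardless of User-Agent.
ANSWER_FAILREGEX = r'[]] <HOST> .*HTTP/[0-9.]+" 403'

if __name__ == "__main__":
    print("original filter matches:", matching_hosts(ORIGINAL_FAILREGEX, SAMPLE_LOG))
    print("answer filter matches:  ", matching_hosts(ANSWER_FAILREGEX, SAMPLE_LOG))
    print("banned at maxretry=2:   ", hosts_to_ban(ANSWER_FAILREGEX, SAMPLE_LOG, 2))
```

Note that the 403 from 10.0.0.9 with a browser User-Agent is matched too, which is the point of the answer: the rule keys on the server's decision, not on a self-reported User-Agent string.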
