[英]My Fail2Ban filter doesn't appear to be working
我正在嘗試使用fail2ban-regex
命令測試我的過濾器和正則表達式,但似乎沒有任何運氣。 我使用了一個教程來演示如何將Devise gem與Rails一起使用來記錄失敗的登錄。
這是我的/etc/fail2ban/filter.d/core.conf
文件:
[INCLUDES]
before = common.conf
[Definition]
failregex = ^\s*(\[.+?\] )*Failed login for '.*' from <HOST> at $
然后是我的/etc/fail2ban/jail.conf
文件中的內容。
[core]
enabled = true
filter = core
port = http,https
logpath = /home/rails/Documents/rails_app/devise.log
bantime = 3600
findtime = 600
maxretry = 2
這是Rails創建的devise.log
文件的示例輸出:
# Logfile created on 2018-09-26 16:19:41 -0500 by logger.rb/61378
E, [2018-09-26T16:19:41.353620 #12157] ERROR -- : Failed login for 'ekjtherkjh@gmail.com' from 172.16.38.1 at 2018-09-26T21:19:41Z
E, [2018-09-26T16:27:17.469743 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:17Z
E, [2018-09-26T16:27:19.706783 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:19Z
E, [2018-09-26T16:27:21.504956 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:21Z
E, [2018-09-26T16:27:23.193147 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:23Z
這正是本教程中使用的內容。 但是,當我提交無效的登錄嘗試時,沒有任何反應。
這是我的fail2ban-regex
命令的結果:
[myuser:ubuntu:/etc/fail2ban/filter.d]$ fail2ban-regex /home/rails/Documents/rails_app/devise.log "^\s*(\[.+?\] )*Failed login for '.*' from <HOST> at $"
Running tests
=============
Use failregex line : ^\s*(\[.+?\] )*Failed login for '.*' from <HOST> at $
Use log file : /home/rails/Documents/rails_app/devise.log
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [13] ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-
Lines: 13 lines, 0 ignored, 0 matched, 13 missed
[processed in 0.02 sec]
|- Missed line(s):
| E, [2018-09-26T16:19:41.353620 #12157] ERROR -- : Failed login for 'ekjtherkjh@gmail.com' from 172.16.38.1 at 2018-09-26T21:19:41Z
| E, [2018-09-26T16:27:17.469743 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:17Z
| E, [2018-09-26T16:27:19.706783 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:19Z
| E, [2018-09-26T16:27:21.504956 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:21Z
| E, [2018-09-26T16:27:23.193147 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:23Z
| E, [2018-09-26T16:27:24.959032 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:24Z
| E, [2018-09-26T16:27:26.661292 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:26Z
| E, [2018-09-26T16:27:28.297408 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:28Z
| E, [2018-09-26T16:27:30.179503 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:30Z
| E, [2018-09-26T16:27:31.940616 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:31Z
| E, [2018-09-26T16:32:42.579173 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:32:42Z
| E, [2018-09-26T16:32:44.817088 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:32:44Z
| E, [2018-09-26T16:32:46.660918 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:32:46Z
不知道為什么這不起作用。 有任何偶然的建議嗎? 我試圖操縱我的正則表達式,但還是沒有運氣。
編輯
從字面上看,似乎Fail2Ban已損壞,或者我只是完全搞砸了正則表達式。 我將devise.log
文件縮小為包含IP地址的一行,並將過濾器縮小為:
[INCLUDES]
before = common.conf
[Definition]
failregex = <HOST>
而且它仍然找不到IP地址:
[myuser:ubuntu:/etc/fail2ban/filter.d]$ fail2ban-regex /home/rails/Documents/rails_app/devise.log core.conf
Running tests
=============
Use failregex filter file : core, basedir: /etc/fail2ban
Use datepattern : Default Detectors
Use log file : /home/rails/Documents/rails_app/devise.log
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.01 sec]
|- Missed line(s):
| 172.16.38.1
`-
在您的日志中,您的行看起來像這樣:
E, [2018-09-26T16:27:17.469743 #12157] ERROR -- : Failed login for 'kjelkjer@gmail.com' from 172.16.38.1 at 2018-09-26T21:27:17Z
而您的正則表達式缺少這部分的結尾:行尾的2018-09-26T21:27:17Z 因此,您需要按以下方式修改正則表達式:
failregex = ^.* (\[.*\])* ERROR -- \: Failed login for '.*' from <HOST> at .*$
在這里您可以測試您的正則表達式。 只記得在正則表達式站點上用\\d+\\.\\d+\\.\\d+\\.\\d+
替換<HOST>
,然后在conf文件中返回<HOST>
。
讓我知道是否有幫助。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.