[英]fail2ban datepattern regex
我正在嘗試在 fail2ban 中匹配此日期模式:
test.example.org 12.100.3.45 - - [14/Jun/2019:13:54:50 +0000] "GET
可以使用正則表達式測試器:
fail2ban-regex -d ^%%d/%%M/%%Y:%%H:%%M:%%S "test.example.org [14/Jun/2019:13:22:57 +0000] 1.2.3.4" "<HOST>"
我希望找到 ip 地址,但找不到日期模式。
Running tests
=============
Use datepattern : {^%d/%M/%Y:%H:%M:%S}
Use failregex line : <HOST>
Use single line : test.example.org [14/Jun/2019:13:22:57 +0000] 1.2.3.4
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.00 sec]
|- Missed line(s):
| test.example.org [14/Jun/2019:13:22:57 +0000] 1.2.3.4
更新:
我使用 my.conf 文件:
# fail2ban filter configuration for nginx proxy
# hk
[Definition]
failregex = ^<HOST> - [^-[ ]+.+HTTP/1.[0-9]" 401
ignoreregex =
datepattern = ^%%d/%%M/%%Y:%%H:%%M:%%S
當使用這樣的日期模式時,我在正則表達式解析器中遇到錯誤。
我理解fail2ban的工作方式是采用日期模式並將其轉換為查找日期的正則表達式。 所以日期模式無效? 我相信正則表達式(正如肖恩在評論中指出的那樣)。
Running tests
=============
Use failregex filter file : nginx-proxy-auth, basedir: /etc/fail2ban
Use datepattern : ^Day/Minute/Year:24hour:Minute:Second
Use log file : /data/docker/nginx-proxy/logs/access.log
Use encoding : UTF-8
Traceback (most recent call last):
File "/usr/bin/fail2ban-regex", line 34, in <module>
exec_command_line()
File "/usr/lib/python3/dist-packages/fail2ban/client/fail2banregex.py", line 685, in exec_command_line
if not fail2banRegex.start(args):
File "/usr/lib/python3/dist-packages/fail2ban/client/fail2banregex.py", line 635, in start
self.process(test_lines)
File "/usr/lib/python3/dist-packages/fail2ban/client/fail2banregex.py", line 458, in process
line_datetimestripped, ret = self.testRegex(line)
File "/usr/lib/python3/dist-packages/fail2ban/client/fail2banregex.py", line 409, in testRegex
ret = self._filter.processLine(line, date)
File "/usr/lib/python3/dist-packages/fail2ban/server/filter.py", line 526, in processLine
(timeMatch, template) = self.dateDetector.matchTime(l)
File "/usr/lib/python3/dist-packages/fail2ban/server/datedetector.py", line 373, in matchTime
match = template.matchDate(line)
File "/usr/lib/python3/dist-packages/fail2ban/server/datetemplate.py", line 153, in matchDate
self._compileRegex()
File "/usr/lib/python3/dist-packages/fail2ban/server/datetemplate.py", line 147, in _compileRegex
raise e
File "/usr/lib/python3/dist-packages/fail2ban/server/datetemplate.py", line 144, in _compileRegex
self._cRegex = re.compile(self.regex)
File "/usr/lib/python3.6/re.py", line 233, in compile
return _compile(pattern, flags)
File "/usr/lib/python3.6/re.py", line 301, in _compile
p = sre_compile.compile(pattern, flags)
File "/usr/lib/python3.6/sre_compile.py", line 562, in compile
p = sre_parse.parse(p, flags)
File "/usr/lib/python3.6/sre_parse.py", line 855, in parse
p = _parse_sub(source, pattern, flags & SRE_FLAG_VERBOSE, 0)
File "/usr/lib/python3.6/sre_parse.py", line 416, in _parse_sub
not nested and not items))
File "/usr/lib/python3.6/sre_parse.py", line 765, in _parse
p = _parse_sub(source, state, sub_verbose, nested + 1)
File "/usr/lib/python3.6/sre_parse.py", line 416, in _parse_sub
not nested and not items))
File "/usr/lib/python3.6/sre_parse.py", line 759, in _parse
raise source.error(err.msg, len(name) + 1) from None
sre_constants.error: redefinition of group name 'M' as group 6; was group 3 at position 107
所以這個模式試圖找到minutes
而不是Months
在fail2ban 日期模式中, M
匹配分鍾,如所示。 如果要匹配數字月份,請使用m
; 如果要匹配三個字母的縮寫,請使用b
。
您也可以將 nanos 與%f
匹配,但+
需要轉義。
所以日期模式無效? 正則表達式
日期模式是一個有效的正則表達式,它只是匹配了錯誤的東西。 但是我認為你的 failregex 也太模糊了( "<HOST>"
只會匹配文字"1.2.3.4"
)。 它需要類似於".*<HOST>"
或"<HOST>$"
以了解在何處查找 IP。
因此,將所有這些放在一起以匹配您想要的模式,您可以使用:
fail2ban-regex -d "%d/%b/%Y:%H:%M:%S \+%f" "test.example.org [14/Jun/2019:13:22:57 +0000] 1.2.3.4" "^.*<HOST>"
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.