
fail2ban datepattern regex

I am trying to match this date pattern in fail2ban:

test.example.org 12.100.3.45 - - [14/Jun/2019:13:54:50 +0000] "GET

Using the regex tester:

fail2ban-regex -d ^%%d/%%M/%%Y:%%H:%%M:%%S "test.example.org [14/Jun/2019:13:22:57 +0000] 1.2.3.4" "<HOST>"

I expect it to find the IP address, but it does not find the date pattern.

Running tests
=============

Use      datepattern : {^%d/%M/%Y:%H:%M:%S}
Use   failregex line : <HOST>
Use      single line : test.example.org [14/Jun/2019:13:22:57 +0000] 1.2.3.4


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:

Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.00 sec]

|- Missed line(s):
|  test.example.org [14/Jun/2019:13:22:57 +0000] 1.2.3.4

Update:

I am using this my.conf file:

# fail2ban filter configuration for nginx proxy
# hk

[Definition]


failregex = ^<HOST> - [^-[ ]+.+HTTP/1.[0-9]" 401

ignoreregex =

datepattern = ^%%d/%%M/%%Y:%%H:%%M:%%S

With a datepattern like this I get an error in the regex parser.

My understanding is that fail2ban works by taking the datepattern and converting it into a regex that finds the date. So is the datepattern invalid? I believe it is a regex (as Sean pointed out in the comments).

Running tests
=============

Use   failregex filter file : nginx-proxy-auth, basedir: /etc/fail2ban
Use      datepattern : ^Day/Minute/Year:24hour:Minute:Second
Use         log file : /data/docker/nginx-proxy/logs/access.log
Use         encoding : UTF-8

Traceback (most recent call last):
  File "/usr/bin/fail2ban-regex", line 34, in <module>
    exec_command_line()
  File "/usr/lib/python3/dist-packages/fail2ban/client/fail2banregex.py", line 685, in exec_command_line
    if not fail2banRegex.start(args):
  File "/usr/lib/python3/dist-packages/fail2ban/client/fail2banregex.py", line 635, in start
    self.process(test_lines)
  File "/usr/lib/python3/dist-packages/fail2ban/client/fail2banregex.py", line 458, in process
    line_datetimestripped, ret = self.testRegex(line)
  File "/usr/lib/python3/dist-packages/fail2ban/client/fail2banregex.py", line 409, in testRegex
    ret = self._filter.processLine(line, date)
  File "/usr/lib/python3/dist-packages/fail2ban/server/filter.py", line 526, in processLine
    (timeMatch, template) = self.dateDetector.matchTime(l)
  File "/usr/lib/python3/dist-packages/fail2ban/server/datedetector.py", line 373, in matchTime
    match = template.matchDate(line)
  File "/usr/lib/python3/dist-packages/fail2ban/server/datetemplate.py", line 153, in matchDate
    self._compileRegex()
  File "/usr/lib/python3/dist-packages/fail2ban/server/datetemplate.py", line 147, in _compileRegex
    raise e
  File "/usr/lib/python3/dist-packages/fail2ban/server/datetemplate.py", line 144, in _compileRegex
    self._cRegex = re.compile(self.regex)
  File "/usr/lib/python3.6/re.py", line 233, in compile
    return _compile(pattern, flags)
  File "/usr/lib/python3.6/re.py", line 301, in _compile
    p = sre_compile.compile(pattern, flags)
  File "/usr/lib/python3.6/sre_compile.py", line 562, in compile
    p = sre_parse.parse(p, flags)
  File "/usr/lib/python3.6/sre_parse.py", line 855, in parse
    p = _parse_sub(source, pattern, flags & SRE_FLAG_VERBOSE, 0)
  File "/usr/lib/python3.6/sre_parse.py", line 416, in _parse_sub
    not nested and not items))
  File "/usr/lib/python3.6/sre_parse.py", line 765, in _parse
    p = _parse_sub(source, state, sub_verbose, nested + 1)
  File "/usr/lib/python3.6/sre_parse.py", line 416, in _parse_sub
    not nested and not items))
  File "/usr/lib/python3.6/sre_parse.py", line 759, in _parse
    raise source.error(err.msg, len(name) + 1) from None
sre_constants.error: redefinition of group name 'M' as group 6; was group 3 at position 107

So this pattern is trying to find minutes rather than Months.

In fail2ban datepatterns, M matches minutes, as shown. Use m if you want to match a numeric month, and b if you want to match a three-letter abbreviation.

You can also match the nanos with %f, but the + needs to be escaped.

"So is the datepattern invalid? Regex"

The datepattern is a valid regex, it just matches the wrong thing. But I think your failregex is also too vague ("<HOST>" will only match the literal "1.2.3.4"). It needs something like ".*<HOST>" or "<HOST>$" so it knows where to look for the IP.

So, putting all of this together to match the pattern you want, you can use:

fail2ban-regex -d "%d/%b/%Y:%H:%M:%S \+%f" "test.example.org [14/Jun/2019:13:22:57 +0000] 1.2.3.4" "^.*<HOST>"
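A small illustration of the point made in this answer, added here and not part of the answer or of fail2ban's own code: a simplified datepattern-to-regex translator (TOKEN_REGEX, datepattern_to_regex, compile_datepattern and find_date are assumed names with an assumed, cut-down token table) that shows why `^%%d/%%M/%%Y:%%H:%%M:%%S` hits the duplicate-group error from the question's traceback, and why `%b` rather than `%m` is what matches `Jun` in the sample line.

```python
import re

# Assumed, simplified token table (not fail2ban's own code): each strptime-style token
# becomes a named group called after its letter, so a repeated token redefines a group.
TOKEN_REGEX = {
    "%d": r"(?P<d>3[01]|[12]\d|0?[1-9])",   # day of month
    "%m": r"(?P<m>1[0-2]|0?[1-9])",         # numeric month
    "%b": r"(?P<b>Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)",  # abbreviated month
    "%Y": r"(?P<Y>\d{4})",                  # four-digit year
    "%H": r"(?P<H>2[0-3]|[01]?\d)",         # hour (24h)
    "%M": r"(?P<M>[0-5]\d)",                # minute
    "%S": r"(?P<S>[0-5]\d|6[01])",          # second
    "%z": r"(?P<z>[+-]\d{4})",              # UTC offset such as +0000
}

def datepattern_to_regex(pattern: str) -> str:
    """Expand %-tokens into named groups; every other character passes through verbatim."""
    pattern = pattern.replace("%%", "%")  # '%%' reduces to '%', as the question's output shows
    out, i = [], 0
    while i < len(pattern):
        tok = pattern[i:i + 2]
        if tok in TOKEN_REGEX:
            out.append(TOKEN_REGEX[tok])
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out)

def compile_datepattern(pattern: str):
    """Return (regex, None), or (None, error_text) when the expansion is not a valid regex."""
    try:
        return re.compile(datepattern_to_regex(pattern)), None
    except re.error as e:
        return None, str(e)

def find_date(pattern: str, line: str):
    """Search one log line; return the named date fields, or None when nothing matches."""
    regex, err = compile_datepattern(pattern)
    if err:
        raise ValueError(f"invalid datepattern {pattern!r}: {err}")
    m = regex.search(line)
    return m.groupdict() if m else None

LOG_LINE = "test.example.org [14/Jun/2019:13:22:57 +0000] 1.2.3.4"  # constructed, from the question's test

if __name__ == "__main__":
    print(compile_datepattern("^%%d/%%M/%%Y:%%H:%%M:%%S")[1])  # redefinition of group name 'M'
    print(find_date("%d/%m/%Y:%H:%M:%S", LOG_LINE))      # None: 'Jun' is not a numeric month
    print(find_date("%d/%b/%Y:%H:%M:%S %z", LOG_LINE))   # all fields, including z='+0000'
```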
