Adjusting Mysql-auth.conf filter for fail2ban gives me Python Exceptions
The TO JAIL log line in /etc/mysql/error.log:
2022-06-23T16:19:10.452205Z 233 [Note] [MY-010926] [Server] Access denied for user 'webadmin'@'93.223.131.127' (using password: YES)
Regex:
(?:(?:\d{6}|\d{4}-\d{2}-\d{2})[ T]\s?\d{1,2}:\d{2}:\d{2}).?(?:\d+[A-Z]) ?(?:\d+ ) ?\[\w+\] (?:\[[^\]]+\] )*Access denied for user '[^']+'@'0.0.0.0' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
Adjusted and confirmed working on www.regex101.com.
Match output:
0-132 2022-06-23T16:19:10.452205Z 233 [Note] [MY-010926] [Server] Access denied for user 'webadmin'@'93.22...
111-132 (using password: YES)
128-131 YES
Tried in filter.d/mysqld-auth.conf:
#before = common.conf
failregex = ^%(?:(?:\d{6}|\d{4}-\d{2}-\d{2})[ T]\s?\d{1,2}:\d{2}:\d{2}).?(?:\d+[A-Z]) ?(?:\d+ ) ?\[\w+\] (?:\[[^\]]+\] )*Access denied for user '[^'...etc...
Testing with fail2ban-regex gives me:
Running tests
=============
Use failregex filter file : mysqld-auth, basedir: /etc/fail2ban
Traceback (most recent call last):
File "/usr/local/bin/fail2ban-regex", line 4, in <module>
__import__('pkg_resources').run_script('fail2ban==0.9.4', 'fail2ban-regex')
File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 667, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1463, in run_script
exec(code, namespace, namespace)
File "/usr/local/lib/python3.8/dist-packages/fail2ban-0.9.4-py3.8.egg/EGG-INFO/scripts/fail2ban-regex", line 34, in <module>
exec_command_line()
File "/usr/local/lib/python3.8/dist-packages/fail2ban-0.9.4-py3.8.egg/fail2ban/client/fail2banregex.py", line 596, in exec_command_line
if not fail2banRegex.start(opts, args):
File "/usr/local/lib/python3.8/dist-packages/fail2ban-0.9.4-py3.8.egg/fail2ban/client/fail2banregex.py", line 496, in start
if not self.readRegex(cmd_regex, 'fail'):
File "/usr/local/lib/python3.8/dist-packages/fail2ban-0.9.4-py3.8.egg/fail2ban/client/fail2banregex.py", line 288, in readRegex
reader.getOptions(None)
File "/usr/local/lib/python3.8/dist-packages/fail2ban-0.9.4-py3.8.egg/fail2ban/client/configreader.py", line 283, in getOptions
self._opts = ConfigReader.getOptions(
File "/usr/local/lib/python3.8/dist-packages/fail2ban-0.9.4-py3.8.egg/fail2ban/client/configreader.py", line 137, in getOptions
return self._cfg.getOptions(*args, **kwargs)
File "/usr/local/lib/python3.8/dist-packages/fail2ban-0.9.4-py3.8.egg/fail2ban/client/configreader.py", line 220, in getOptions
v = self.get(sec, option[1])
File "/usr/lib/python3.8/configparser.py", line 799, in get
return self._interpolation.before_get(self, section, option, value,
File "/usr/lib/python3.8/configparser.py", line 395, in before_get
self._interpolate_some(parser, option, L, value, section, defaults, 1)
File "/usr/local/lib/python3.8/dist-packages/fail2ban-0.9.4-py3.8.egg/fail2ban/client/configparserinc.py", line 58, in _interpolate_some
return super(BasicInterpolationWithName, self)._interpolate_some(
File "/usr/lib/python3.8/configparser.py", line 427, in _interpolate_some
raise InterpolationSyntaxError(option, section,
configparser.InterpolationSyntaxError: bad interpolation variable reference "%(?:(?:\\d{6}|\\d{4}-\\d{2}-\\d{2})[ T]\\s?\\d{1,2}:\\d{2}:\\d{2}).?(?:\\d+[A-Z]) ?(?:\\d+ ) ?\\[\\w+\\] (?:\\[[^\\]]+\\] )*Access denied for user '[^']+'@'<HOST>' (to database '[^']*'|\\(using password: (YES|NO)\\))*\\s*$"
Also tried in /filter/mysqld-auth.conf:
before = common.conf
failregex = ^%(__prefix_line)s(?:etc...
which results in:
Running tests
=============
Use failregex filter file : mysqld-auth, basedir: /etc/fail2ban
Use log file : /var/log/mysql/sample.log
Use encoding : UTF-8
Results
=======
Failregex: 0 total
|- #) [# of hits] regular expression
| 1) [0] ^<lt_<logtype>/__prefix_line>(?:(?:\d{6}|\d{4}-\d{2}-\d{2})[ T]\s?\d{1,2}:\d{2}:\d{2}).?(?:\d+[A-Z]) ?(?:\d+ ) ?\[\w+\] (?:\[[^\]]+\] )*Access denied for user '[^']+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [1] Year-Month-Day[T ]24hour:Minute:Second(?:\.Microseconds)?(?:Zone offset)?
| [0] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
| [0] (?:DAY )?MON Day Year 24hour:Minute:Second(?:\.Microseconds)?
| [0] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
| [0] Day(?P<_sep>[-/])Month(?P=_sep)(?:Year|Year2) 24hour:Minute:Second
| [0] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
| [0] Month/Day/Year:24hour:Minute:Second
| [0] Month-Day-Year 24hour:Minute:Second\.Microseconds
| [0] TAI64N
| [0] Epoch
| [0] ^24hour:Minute:Second
| [0] ^<Month/Day/Year2@24hour:Minute:Second>
| [0] ^Year2MonthDay ?24hour:Minute:Second
| [0] MON Day, Year 12hour:Minute:Second AMPM
| [0] ^MON-Day-Year2 24hour:Minute:Second
`-
Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.00 sec]
What is the correct way to write this filter for fail2ban? Does #before matter? What effect does ^%(__prefix_line)s have? Is my attempt a mess that causes the Python exceptions, or is my Python installation wrong?
Using Ubuntu 20.04. Thanks!!!
There are several problems with your attempt:
Your first regex starts with the %( string-interpolation notation, but it does not use any variable and does not end the way it should, so you get the Python error bad interpolation variable reference. The correct Python string-interpolation operator is %(...)s.
You need to replace the 0.0.0.0 part with the <ADDR> or <HOST> tag (the first matches IP addresses, the latter IP + hostname). As it stands it can only match 0.0.0.0 (and it would not even work with fail2ban, which would throw ERROR: No failure-id group).
Remove the part of the failregex that tries to match the date pattern. Fail2ban first strips the date pattern from every input log line and only then applies the failregex.
So this will satisfy your requirements:
^\s*(?:\d+ ) ?\[\w+\] (?:\[[^\]]+\] )*Access denied for user '[^']+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
%(__prefix_line)s is used to match common line prefixes; you can see its regex in /etc/fail2ban/filter.d/common.conf. It is optional, and in your specific use case you can omit it. Otherwise you can use:
^%(__prefix_line)s(?:\d+ ) ?\[\w+\] (?:\[[^\]]+\] )*Access denied for user '[^']+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
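The three points in this answer (the stray %( interpolation reference, the missing <HOST> group, and the date being stripped before the failregex runs) can be reproduced outside fail2ban. The following is an added example, not fail2ban's own code or anything from the original posts: it reads the filter file with Python's configparser the way fail2ban's reader does, substitutes a simplified stand-in for fail2ban's <HOST> group, strips the date with a hand-written approximation of the "Year-Month-Day[T ]24hour:Minute:Second" template, and runs the answer's failregex over constructed log lines. The inline __prefix_line value is an assumption (plain ConfigParser does not process fail2ban's [INCLUDES] before = common.conf), as are the sample addresses.

```python
"""Simulation of how fail2ban reads a filter and applies its failregex.

Added illustration of the answer above; this is not fail2ban's code.  Assumptions:
DATE_RE approximates the date template fail2ban reported as matching, the <HOST>
substitution and the inline __prefix_line are simplified stand-ins for what
fail2ban and common.conf really define, and SAMPLE_LINES are constructed.
"""
import configparser
import re

# Constructed log lines in the format shown in the question (documentation IPs).
SAMPLE_LINES = [
    "2022-06-23T16:19:10.452205Z 233 [Note] [MY-010926] [Server] "
    "Access denied for user 'webadmin'@'198.51.100.7' (using password: YES)",
    "2022-06-23T16:19:11.000000Z 234 [Note] [MY-010926] [Server] "
    "Access denied for user 'root'@'203.0.113.9' to database 'prod'",
    "2022-06-23T16:19:12.000000Z 235 [Note] [MY-010926] [Server] "
    "Access denied for user 'root'@'192.0.2.5' (using password: NO)",
    "2022-06-23T16:20:00.000000Z 236 [System] [MY-010931] [Server] "
    "/usr/sbin/mysqld: ready for connections.",
]

# The question's first attempt: the leading '%(' is read as an interpolation reference.
BROKEN_CONF = r"""
[Definition]
failregex = ^%(?:(?:\d{6}|\d{4}-\d{2}-\d{2})[ T]\s?\d{1,2}:\d{2}:\d{2}).?(?:\d+[A-Z]) ?(?:\d+ ) ?\[\w+\] (?:\[[^\]]+\] )*Access denied for user '[^']+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
"""

# A literal address instead of the <HOST> tag: nothing identifies the offender.
NO_HOST_CONF = r"""
[Definition]
failregex = ^\s*(?:\d+ ) ?\[\w+\] (?:\[[^\]]+\] )*Access denied for user '[^']+'@'0.0.0.0' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
"""

# The answer's final form.  __prefix_line normally comes from common.conf through
# [INCLUDES] before = common.conf; plain ConfigParser has no include mechanism, so a
# stand-in is defined inline (assumption: '\s*' instead of the real prefix regex).
FIXED_CONF = r"""
[Definition]
__prefix_line = \s*
failregex = ^%(__prefix_line)s(?:\d+ ) ?\[\w+\] (?:\[[^\]]+\] )*Access denied for user '[^']+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
"""

# Hand-written approximation of the date template that matched in the question's
# fail2ban-regex output (assumption, not fail2ban's own date detector).
DATE_RE = re.compile(
    r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:?\d{2})?"
)


def strip_date(line):
    """Remove the matched date, keeping the text around it (the leading space
    survives, which is why the answer's regex starts with '^\\s*')."""
    m = DATE_RE.search(line)
    if not m:
        return None
    return line[:m.start()] + line[m.end():]


def load_failregex(conf_text):
    """Read the filter with %(name)s interpolation, as fail2ban's reader does.
    An unterminated '%(' raises InterpolationSyntaxError, the traceback's error."""
    parser = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    parser.read_string(conf_text)
    return parser.get("Definition", "failregex")


def compile_failregex(failregex):
    """Turn <HOST> into a named 'host' group (simplified stand-in for fail2ban's
    substitution) and, like fail2ban, refuse a regex that has no such group."""
    compiled = re.compile(failregex.replace("<HOST>", r"(?P<host>[\w\-.^_]*\w)"))
    if "host" not in compiled.groupindex:
        raise ValueError("No failure-id group in %r" % failregex)
    return compiled


def filter_error(conf_text):
    """Name of the exception a filter file would raise, or None if it is usable."""
    try:
        compile_failregex(load_failregex(conf_text))
    except (configparser.Error, ValueError) as exc:
        return type(exc).__name__
    return None


def find_failures(conf_text, lines):
    """Hosts extracted from the lines whose date-stripped remainder matches."""
    regex = compile_failregex(load_failregex(conf_text))
    hosts = []
    for line in lines:
        rest = strip_date(line)
        if rest is None:
            continue
        m = regex.search(rest)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    for name, conf in (("first attempt", BROKEN_CONF),
                       ("literal 0.0.0.0", NO_HOST_CONF),
                       ("answer's filter", FIXED_CONF)):
        print(name, "->", filter_error(conf) or "ok")
    print(find_failures(FIXED_CONF, SAMPLE_LINES))
```

Running it shows the first attempt failing in the same place as the question's traceback (configparser, not the regex engine), the 0.0.0.0 variant being rejected for lacking a host group, and the answer's filter extracting the three denied addresses while ignoring the unrelated "ready for connections" line.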