
Adjusting Mysql-auth.conf filter for fail2ban gives me Python Exceptions

Log line to jail, from /etc/mysql/error.log

2022-06-23T16:19:10.452205Z 233 [Note] [MY-010926] [Server] Access denied for user 'webadmin'@'93.223.131.127' (using password: YES)

Regex

(?:(?:\d{6}|\d{4}-\d{2}-\d{2})[ T]\s?\d{1,2}:\d{2}:\d{2}).?(?:\d+[A-Z]) ?(?:\d+ ) ?\[\w+\] (?:\[[^\]]+\] )*Access denied for user '[^']+'@'0.0.0.0' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$

Adjusted on www.regex101.com and confirmed working there.

Match output

0-132   2022-06-23T16:19:10.452205Z 233 [Note] [MY-010926] [Server] Access denied for user 'webadmin'@'93.22...
111-132 (using password: YES)
128-131 YES

Tried in filter.d/mysqld-auth.conf

#before = common.conf
failregex = ^%(?:(?:\d{6}|\d{4}-\d{2}-\d{2})[ T]\s?\d{1,2}:\d{2}:\d{2}).?(?:\d+[A-Z]) ?(?:\d+ ) ?\[\w+\] (?:\[[^\]]+\] )*Access denied for user '[^'...etc...

Testing with fail2ban-regex gives me

Running tests
=============

Use   failregex filter file : mysqld-auth, basedir: /etc/fail2ban
Traceback (most recent call last):
  File "/usr/local/bin/fail2ban-regex", line 4, in <module>
    __import__('pkg_resources').run_script('fail2ban==0.9.4', 'fail2ban-regex')
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 667, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1463, in run_script
    exec(code, namespace, namespace)
  File "/usr/local/lib/python3.8/dist-packages/fail2ban-0.9.4-py3.8.egg/EGG-INFO/scripts/fail2ban-regex", line 34, in <module>
    exec_command_line()
  File "/usr/local/lib/python3.8/dist-packages/fail2ban-0.9.4-py3.8.egg/fail2ban/client/fail2banregex.py", line 596, in exec_command_line
    if not fail2banRegex.start(opts, args):
  File "/usr/local/lib/python3.8/dist-packages/fail2ban-0.9.4-py3.8.egg/fail2ban/client/fail2banregex.py", line 496, in start
    if not self.readRegex(cmd_regex, 'fail'):
  File "/usr/local/lib/python3.8/dist-packages/fail2ban-0.9.4-py3.8.egg/fail2ban/client/fail2banregex.py", line 288, in readRegex
    reader.getOptions(None)
  File "/usr/local/lib/python3.8/dist-packages/fail2ban-0.9.4-py3.8.egg/fail2ban/client/configreader.py", line 283, in getOptions
    self._opts = ConfigReader.getOptions(
  File "/usr/local/lib/python3.8/dist-packages/fail2ban-0.9.4-py3.8.egg/fail2ban/client/configreader.py", line 137, in getOptions
    return self._cfg.getOptions(*args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/fail2ban-0.9.4-py3.8.egg/fail2ban/client/configreader.py", line 220, in getOptions
    v = self.get(sec, option[1])
  File "/usr/lib/python3.8/configparser.py", line 799, in get
    return self._interpolation.before_get(self, section, option, value,
  File "/usr/lib/python3.8/configparser.py", line 395, in before_get
    self._interpolate_some(parser, option, L, value, section, defaults, 1)
  File "/usr/local/lib/python3.8/dist-packages/fail2ban-0.9.4-py3.8.egg/fail2ban/client/configparserinc.py", line 58, in _interpolate_some
    return super(BasicInterpolationWithName, self)._interpolate_some(
  File "/usr/lib/python3.8/configparser.py", line 427, in _interpolate_some
    raise InterpolationSyntaxError(option, section,
configparser.InterpolationSyntaxError: bad interpolation variable reference "%(?:(?:\\d{6}|\\d{4}-\\d{2}-\\d{2})[ T]\\s?\\d{1,2}:\\d{2}:\\d{2}).?(?:\\d+[A-Z]) ?(?:\\d+ ) ?\\[\\w+\\] (?:\\[[^\\]]+\\] )*Access denied for user '[^']+'@'<HOST>' (to database '[^']*'|\\(using password: (YES|NO)\\))*\\s*$"

Also tried in /filter/mysqld-auth.conf

before = common.conf
failregex = ^%(__prefix_line)s(?:etc...

Resulted in

Running tests
=============

Use   failregex filter file : mysqld-auth, basedir: /etc/fail2ban
Use         log file : /var/log/mysql/sample.log
Use         encoding : UTF-8


Results
=======

Failregex: 0 total
|-  #) [# of hits] regular expression
|   1) [0] ^<lt_<logtype>/__prefix_line>(?:(?:\d{6}|\d{4}-\d{2}-\d{2})[ T]\s?\d{1,2}:\d{2}:\d{2}).?(?:\d+[A-Z]) ?(?:\d+ ) ?\[\w+\] (?:\[[^\]]+\] )*Access denied for user '[^']+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] Year-Month-Day[T ]24hour:Minute:Second(?:\.Microseconds)?(?:Zone offset)?
|  [0] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
|  [0] (?:DAY )?MON Day Year 24hour:Minute:Second(?:\.Microseconds)?
|  [0] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
|  [0] Day(?P<_sep>[-/])Month(?P=_sep)(?:Year|Year2) 24hour:Minute:Second
|  [0] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
|  [0] Month/Day/Year:24hour:Minute:Second
|  [0] Month-Day-Year 24hour:Minute:Second\.Microseconds
|  [0] TAI64N
|  [0] Epoch
|  [0] ^24hour:Minute:Second
|  [0] ^<Month/Day/Year2@24hour:Minute:Second>
|  [0] ^Year2MonthDay  ?24hour:Minute:Second
|  [0] MON Day, Year 12hour:Minute:Second AMPM
|  [0] ^MON-Day-Year2 24hour:Minute:Second
`-

Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.00 sec]

What is the correct way to write this filter for fail2ban? Does #before matter? What is the effect of ^%(__prefix_line)s? Is my attempt wrong and causing the Python exception, or is my Python installation incorrect?

Using Ubuntu 20.04. Thanks!!!

There are a number of problems with your attempt:

  1. Your first regex starts with %(, the string interpolation notation, but it neither uses a variable nor ends the way it should, which is why you get the Python error bad interpolation variable reference. The correct Python string interpolation operator is %(...)s.

  2. You need to replace the 0.0.0.0 part with the <ADDR> or <HOST> tag (the first matches an IP address, the latter matches an IP or a hostname). As it stands, it can only match 0.0.0.0 (and it would not even work with fail2ban, which would throw ERROR: No failure-id group).

  3. Remove the part of the failregex that tries to match the date pattern. Fail2ban first removes the date pattern from each input log line and then applies the failure regex.

So this would match your requirements:

^\s*(?:\d+ ) ?\[\w+\] (?:\[[^\]]+\] )*Access denied for user '[^']+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$

%(__prefix_line)s is used to match common line prefixes; you can see its regex in /etc/fail2ban/filter.d/common.conf. It is optional, and in your particular use case you can omit it. Otherwise you could use:

^%(__prefix_line)s(?:\d+ ) ?\[\w+\] (?:\[[^\]]+\] )*Access denied for user '[^']+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
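As an added example (not code from the question, the answer, or the fail2ban project), the following Python script reproduces the three points made in the answer above: it reads a failregex through configparser the way fail2ban's filter reader does, so the stray %( from the question raises the same InterpolationSyntaxError while %(__prefix_line)s interpolates cleanly; it strips the timestamp before matching, as fail2ban does; and it substitutes a named group for the <HOST> tag so the offending address can be captured. The __prefix_line value, the <HOST> substitution pattern, the single ISO-8601 date template and the two extra log lines are simplified stand-ins constructed for this example, not fail2ban's real definitions.

```python
import configparser
import re

# Constructed sample log lines in the shape of the question's mysqld error.log entry.
SAMPLE_LINE = ("2022-06-23T16:19:10.452205Z 233 [Note] [MY-010926] [Server] "
               "Access denied for user 'webadmin'@'93.223.131.127' (using password: YES)")
DB_LINE = ("2022-06-23T16:20:01.000000Z 234 [Note] [MY-010926] [Server] "
           "Access denied for user 'report'@'10.0.0.5' to database 'sales'")
OK_LINE = "2022-06-23T16:21:00.000000Z 235 [Note] [Server] mysqld: ready for connections."

# The question's filter line as shown in the traceback: a stray "%(" that is not a %(name)s reference.
QUESTION_FAILREGEX = (r"^%(?:(?:\d{6}|\d{4}-\d{2}-\d{2})[ T]\s?\d{1,2}:\d{2}:\d{2}).?(?:\d+[A-Z]) ?"
                      r"(?:\d+ ) ?\[\w+\] (?:\[[^\]]+\] )*Access denied for user '[^']+'@'<HOST>' "
                      r"(to database '[^']*'|\(using password: (YES|NO)\))*\s*$")

# The question's regex101 version: date part included and a literal 0.0.0.0 instead of <HOST>.
LITERAL_HOST_FAILREGEX = (r"(?:(?:\d{6}|\d{4}-\d{2}-\d{2})[ T]\s?\d{1,2}:\d{2}:\d{2}).?(?:\d+[A-Z]) ?"
                          r"(?:\d+ ) ?\[\w+\] (?:\[[^\]]+\] )*Access denied for user '[^']+'@'0.0.0.0' "
                          r"(to database '[^']*'|\(using password: (YES|NO)\))*\s*$")

# The answer's corrected failregex (no date part, <HOST> tag) and its %(__prefix_line)s variant.
FAILREGEX = (r"^\s*(?:\d+ ) ?\[\w+\] (?:\[[^\]]+\] )*Access denied for user '[^']+'@'<HOST>' "
             r"(to database '[^']*'|\(using password: (YES|NO)\))*\s*$")
PREFIXED_FAILREGEX = "^%(__prefix_line)s" + FAILREGEX[len(r"^\s*"):]

# Simplified stand-ins (assumptions for this example, not fail2ban's real definitions):
# common.conf's __prefix_line, the pattern fail2ban substitutes for <HOST>, and one date template.
PREFIX_LINE = r"\s*"
HOST_PATTERN = r"(?P<host>[\w\-.]+)"
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?Z?")


def interpolate_failregex(failregex, prefix_line=PREFIX_LINE):
    """Read a failregex through configparser as fail2ban's filter reader does.

    Returns the interpolated regex, or "ERROR: ..." carrying configparser's message when
    the value contains a '%' that is not a valid %(name)s reference.
    """
    cp = configparser.ConfigParser()  # default BasicInterpolation, i.e. %(name)s expansion
    cp.read_string("[DEFAULT]\n__prefix_line = " + prefix_line + "\n"
                   "[Definition]\nfailregex = " + failregex + "\n")
    try:
        return cp.get("Definition", "failregex")
    except configparser.InterpolationError as exc:
        return "ERROR: " + str(exc)


def strip_date(line):
    """Remove the timestamp from a log line, as fail2ban does before applying failregex."""
    return DATE_RE.sub("", line, count=1)


def match_failure(line, failregex=FAILREGEX):
    """Apply a failregex to one log line; return the captured host, or None on no match."""
    compiled = re.compile(failregex.replace("<HOST>", HOST_PATTERN))
    m = compiled.search(strip_date(line))
    if m is None:
        return None
    # fail2ban rejects a regex that matches but has no host group ("No failure-id group").
    return m.groupdict().get("host", "<no failure-id group>")


if __name__ == "__main__":
    print(interpolate_failregex(QUESTION_FAILREGEX))            # ERROR: bad interpolation ...
    print(interpolate_failregex(PREFIXED_FAILREGEX) == FAILREGEX)  # True: prefix expands to \s*
    for line in (SAMPLE_LINE, DB_LINE, OK_LINE):
        print(match_failure(line))                              # host, host, None
    print(match_failure(SAMPLE_LINE, LITERAL_HOST_FAILREGEX))   # None: literal 0.0.0.0 never fits
```

Running the script shows the interpolation failure on the question's line and a successful match of the sample line once the date part is dropped and <HOST> is used, which is the whole of the answer in executable form.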
