Fail2Ban custom filter not applied

I tried to create a custom jail rule in fail2ban, but it never gets applied.

I could not find any official documentation for this, so I may be missing something.

/etc/fail2ban/filter.d/expressjs.conf

[Definition]
failregex = .* from ip <HOST>

/etc/fail2ban/jail.conf

[express-js]
enabled  = true
filter   = expressjs
logpath  = /var/log/expressjs/slowin-killer.log
maxretry = 5
bantime  = 3600
findtime = 600

/var/log/expressjs/slowin-killer.log

[20-5-2017 20:49:57] Failed to authentificate user "[email protected]" from ip 127.0.0.1
[20-5-2017 20:57:19] Failed to authentificate user "[email protected]" from ip 127.0.0.1
[20-5-2017 20:59:20] Failed to authentificate user "[email protected]" from ip 127.0.0.1
[20-5-2017 21:12:47] Failed to authentificate user "[email protected]" from ip 127.0.0.1
[20-5-2017 21:16:9] Failed to authentificate user "[email protected]" from ip 127.0.0.1

There are no error messages, and the jail appears to be active...

$ fail2ban-client status expressjs
Status for the jail: expressjs
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list:    /var/log/expressjs/slowin-killer.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:   

Oddly, the regex is fine...

fail2ban-regex /var/log/expressjs/slowin-killer.log /etc/fail2ban/filter.d/expressjs.conf

Running tests
=============

Use   failregex filter file : expressjs, basedir: /etc/fail2ban
Use         log file : /var/log/expressjs/slowin-killer.log
Use         encoding : UTF-8


Results
=======

Failregex: 27 total
|-  #) [# of hits] regular expression
|   1) [27] .* from ip <HOST>
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [34] Day(?P<_sep>[-/])Month(?P=_sep)(?:Year|Year2) 24hour:Minute:Second
|  [1] (?:DAY )?MON Day Year 24hour:Minute:Second(?:\.Microseconds)?
`-

Lines: 162 lines, 0 ignored, 27 matched, 135 missed
[processed in 0.01 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 135 lines

Answer 1

To make the filter work, you are missing a few things that need to be fixed:

  1. Inside your expressjs.conf you have set findtime = 600 and maxretry = 5, which means that within a 10 minute (600 second) period you need 5 failed attempts (regex matches) to generate the automatic block/reject iptables rule. From the jail.conf man page:
   findtime
          time interval (in seconds) before the current time where failures will count towards a ban.

   maxretry
          number of failures that have to occur in the last findtime seconds to ban then IP.

Looking at your log, there is more than 10 minutes between the first and the last log entry (5 attempts) you pasted here. First: 20:49, last: 21:16.

  2. All your log entries come from 127.0.0.1. If you look inside the [DEFAULT] block of jail.conf, you will find ignoreip = 127.0.0.1/8 in the default configuration. Unless you changed this, blocking the localhost address is very dangerous, as it will break other software that uses that address for internal communication.

  3. expressjs.conf has no datepattern = setting configured, so fail2ban cannot guess which part of the log line is the date. Take some examples from the files in /etc/fail2ban/filter.d and you will find date regexes such as datepattern = ^L %%d/%%m/%%Y - %%H:%%M:%%S or datepattern = ^%%Y:%%m:%%d-%%H:%%M:%%S. The other problem here is that the "seconds" part of your log dates has no leading zero when sec < 10 (e.g. 21:16:9 in your last log line), which needs to be fixed.

Take a look at the official Fail2ban wiki for examples and improve your filter. You have a lot of things to fix.
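To make the three points above concrete, here is an added example (not part of the answer and not fail2ban's own code) that replays log lines through a simplified model of fail2ban's ban decision: a date pattern written for this log format (tolerating the unpadded seconds field), a sliding findtime window with a maxretry threshold, and an ignoreip check. The sample lines are constructed to mirror the question's log and the e-mail address is a placeholder; the parsing regexes and the `evaluate` helper are assumptions for illustration, not fail2ban APIs.

```python
import re
import ipaddress
from datetime import datetime

# Constructed sample lines modelled on the log in the question (the e-mail address
# is a placeholder, not a real account). Note the unpadded "21:16:9" on the last line.
SAMPLE_LOG = """\
[20-5-2017 20:49:57] Failed to authentificate user "user@example.com" from ip 127.0.0.1
[20-5-2017 20:57:19] Failed to authentificate user "user@example.com" from ip 127.0.0.1
[20-5-2017 20:59:20] Failed to authentificate user "user@example.com" from ip 127.0.0.1
[20-5-2017 21:12:47] Failed to authentificate user "user@example.com" from ip 127.0.0.1
[20-5-2017 21:16:9] Failed to authentificate user "user@example.com" from ip 127.0.0.1
"""

# Explicit date pattern for this log format: D-M-YYYY H:M:S inside square brackets.
# Using \d{1,2} for every field is an assumption that tolerates the unpadded seconds.
DATE_RE = re.compile(r'^\[(\d{1,2})-(\d{1,2})-(\d{4}) (\d{1,2}):(\d{1,2}):(\d{1,2})\]')
# Counterpart of the question's failregex, anchored so only the IP token is captured.
FAIL_RE = re.compile(r'Failed to authentificate user .* from ip (?P<host>\S+)$')


def parse_line(line):
    """Return (timestamp, host) for a failure line, or None if it does not match."""
    date_m = DATE_RE.match(line)
    fail_m = FAIL_RE.search(line)
    if not date_m or not fail_m:
        return None
    day, month, year, hour, minute, second = (int(x) for x in date_m.groups())
    return datetime(year, month, day, hour, minute, second), fail_m.group('host')


def evaluate(log_text, findtime, maxretry, ignoreip=('127.0.0.1/8',)):
    """Replay the log through a simplified model of fail2ban's decision:
    a host is banned once it has maxretry failures within the last findtime
    seconds, unless it falls inside one of the ignoreip networks."""
    ignore_nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    recent = {}      # host -> timestamps of failures still inside the findtime window
    banned = []
    ignored = 0
    peak = 0         # largest number of failures seen in any single window
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if any(ipaddress.ip_address(host) in net for net in ignore_nets):
            ignored += 1          # matched by the regex, but never eligible for a ban
            continue
        window = [t for t in recent.get(host, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        peak = max(peak, len(window))
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return {'ignored': ignored, 'banned': banned, 'peak_in_window': peak}


if __name__ == '__main__':
    # The question's settings with the default ignoreip: every line is skipped.
    print(evaluate(SAMPLE_LOG, findtime=600, maxretry=5))
    # Localhost not ignored: still no ban, at most 3 hits fall in any 10-minute window.
    print(evaluate(SAMPLE_LOG, findtime=600, maxretry=5, ignoreip=()))
    # Widening findtime to 30 minutes lets the five attempts reach maxretry.
    print(evaluate(SAMPLE_LOG, findtime=1800, maxretry=5, ignoreip=()))
```

Running it shows why the jail reports nothing: with the default ignoreip all five lines are discarded before counting, and even without that the five attempts never put more than three failures inside a 600 second window, so maxretry = 5 is never reached until findtime is widened.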
