I am trying to write a fail2ban filter to block brute-force IP addresses that try to subscribe to a username/password-protected mosquitto service by guessing username/password combinations. When a subscription is attempted with incorrect details, mosquitto writes two log lines, like this:
1544984465: New connection from 123.123.123.123 on port 1883.
1544984465: Socket error on client <unknown>, disconnecting.
I managed to write a regex that matches this two-line pattern using https://regex101.com/ set to "Python flavour". The regex looks like this:
\s(?P<date>\d+)\: New connection from (?P<host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+\n(?P=date): Socket error on client \<unknown\>, disconnecting.
Unfortunately, fail2ban cannot find any matches in the log with this regex:
# fail2ban-regex '/var/log/testlog.log' '\s(?P<date>\d+)\: New connection from (?P<host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+\n(?P=date): Socket error on client \<unknown\>, disconnecting.'
Running tests
=============
Use failregex line : \s(?P<date>\d+)\: New connection from (?P<host>[0-...
Use log file : /var/log/testlog.log
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [13] Epoch
`-
Lines: 13 lines, 0 ignored, 0 matched, 13 missed
[processed in 0.00 sec]
|- Missed line(s):
| 1544984465: New connection from 123.123.123.123 on port 1883.
| 1544984465: Socket error on client <unknown>, disconnecting.
| 1544984466: New connection from 123.123.123.123 on port 1883.
| 1544984466: Socket error on client <unknown>, disconnecting.
| 1544984468: New connection from 123.123.123.123 on port 1883.
| 1544984468: Socket error on client <unknown>, disconnecting.
| 1544984469: New connection from 123.123.123.123 on port 1883.
| 1544984469: Socket error on client <unknown>, disconnecting.
| 1544984470: New connection from 123.123.123.123 on port 1883.
| 1544984470: Socket error on client <unknown>, disconnecting.
| 1544984471: New connection from 123.123.123.123 on port 1883.
| 1544984471: Socket error on client <unknown>, disconnecting.
| 1544984473: New connection from 123.123.123.123 on port 1883.
`-
The fail2ban version is 0.9.6-1.el6.1, running on a CentOS 6 server.
Answer 1
OK, I got it working. The problem was as follows:
The regexes (failregex, ignoreregex) assume that the date/time has already been stripped from the log line (this is simply how fail2ban works internally ATM). Source: https://fail2ban.readthedocs.io/en/latest/filters.html
I had to add maxlines = 2 to the filter.
The final/working filter looks like this:
[Init]
maxlines = 2
[Definition]
failregex = .+ New connection from <HOST> on port \d+\.\n.+Socket error on client <unknown>
ignoreregex =
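To see why the original regex could never match and why the working filter needs maxlines = 2, here is an added Python simulation of what fail2ban does before applying a failregex (it is not fail2ban's own code). It assumes that fail2ban 0.9 strips the matched Epoch timestamp from each line and expands <HOST> to the pattern shown in HOST_PATTERN; the sample log is constructed.

```python
import re
from collections import Counter

# Constructed sample log (not from the question): two mosquitto lines per failed
# attempt from one host, plus a successful connection from another host that must not count.
SAMPLE_LOG = """\
1544984465: New connection from 123.123.123.123 on port 1883.
1544984465: Socket error on client <unknown>, disconnecting.
1544984466: New connection from 123.123.123.123 on port 1883.
1544984466: Socket error on client <unknown>, disconnecting.
1544984467: New connection from 10.0.0.5 on port 1883.
1544984467: New client connected from 10.0.0.5 as sensor-1 (c1, k60, u'sensor').
"""

# The failregex from the answer, and the original one from the question.
WORKING_FAILREGEX = r".+ New connection from <HOST> on port \d+\.\n.+Socket error on client <unknown>"
ORIGINAL_FAILREGEX = (r"\s(?P<date>\d+)\: New connection from (?P<host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+\n"
                      r"(?P=date): Socket error on client \<unknown\>, disconnecting.")
MAXLINES = 2

# Assumption: the pattern fail2ban 0.9 substitutes for <HOST>.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
EPOCH_DATE = re.compile(r"^\d{10}")  # the "Epoch" date template that hit in the fail2ban-regex output


def strip_date(line):
    """fail2ban matches the timestamp first and removes it before the failregex is applied."""
    return EPOCH_DATE.sub("", line, count=1)


def count_failures(log_text, failregex=WORKING_FAILREGEX, maxlines=MAXLINES):
    """Simulate the maxlines buffer: keep the last <maxlines> date-stripped lines, join them
    with newlines and search the expanded failregex over that window. Returns hits per host."""
    compiled = re.compile(failregex.replace("<HOST>", HOST_PATTERN))
    window, hits = [], Counter()
    for raw in log_text.splitlines():
        window = (window + [strip_date(raw)])[-maxlines:]
        m = compiled.search("\n".join(window))
        if m:
            hits[m.group("host")] += 1
            window = []  # drop the matched lines so one attempt is not counted twice
    return hits


if __name__ == "__main__":
    print("working filter :", dict(count_failures(SAMPLE_LOG)))
    print("original regex :", dict(count_failures(SAMPLE_LOG, ORIGINAL_FAILREGEX)))
```

With the timestamp removed, the original regex has no digits left to capture in its date group, so it gets zero hits, while the working filter counts two failures for 123.123.123.123 and none for 10.0.0.5.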