Mosquitto brute force fail2ban failregex


I am trying to write a fail2ban filter to block brute-forcing IP addresses that try to subscribe to a username/password-protected mosquitto service by guessing username/password combinations. When a subscription is attempted with incorrect details, mosquitto writes two log lines like the following:

1544984465: New connection from 123.123.123.123 on port 1883.
1544984465: Socket error on client <unknown>, disconnecting.

I managed to write a regex matching the pattern of these two lines using https://regex101.com/ set to "Python flavor". The regex looks like this:

\s(?P<date>\d+)\: New connection from (?P<host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+\n(?P=date): Socket error on client \<unknown\>, disconnecting.

Unfortunately, fail2ban fails to find any match in the log with this regex:

# fail2ban-regex '/var/log/testlog.log' '\s(?P<date>\d+)\: New connection from (?P<host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+\n(?P=date): Socket error on client \<unknown\>, disconnecting.'

Running tests
=============

Use   failregex line : \s(?P<date>\d+)\: New connection from (?P<host>[0-...
Use         log file : /var/log/testlog.log
Use         encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [13] Epoch
`-

Lines: 13 lines, 0 ignored, 0 matched, 13 missed
[processed in 0.00 sec]

|- Missed line(s):
|  1544984465: New connection from 123.123.123.123 on port 1883.
|  1544984465: Socket error on client <unknown>, disconnecting.
|  1544984466: New connection from 123.123.123.123 on port 1883.
|  1544984466: Socket error on client <unknown>, disconnecting.
|  1544984468: New connection from 123.123.123.123 on port 1883.
|  1544984468: Socket error on client <unknown>, disconnecting.
|  1544984469: New connection from 123.123.123.123 on port 1883.
|  1544984469: Socket error on client <unknown>, disconnecting.
|  1544984470: New connection from 123.123.123.123 on port 1883.
|  1544984470: Socket error on client <unknown>, disconnecting.
|  1544984471: New connection from 123.123.123.123 on port 1883.
|  1544984471: Socket error on client <unknown>, disconnecting.
|  1544984473: New connection from 123.123.123.123 on port 1883.
`-

The Fail2ban version is 0.9.6-1.el6.1, running on a CentOS 6 server.

Answer 1

Well, I got it working. The problem was the following:

The regex (failregex, ignoreregex) assumes that the date/time has already been stripped from the log line (this is just the way fail2ban works internally ATM). Source: https://fail2ban.readthedocs.io/en/latest/filters.html

I had to add maxlines = 2 to the filter.

The final/working filter looks like this:

[Init]
maxlines = 2

[Definition]
failregex = .+ New connection from <HOST> on port \d+\.\n.+Socket error on client <unknown>
ignoreregex = 
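The following added example (not code from the question, the answer, or the fail2ban project) is a small, simplified model of what the answer describes: fail2ban first removes the matched date (here the 10-digit epoch, as its "Epoch" template does), then, with maxlines = 2, joins consecutive date-stripped lines with a newline and applies failregex to that window. Running both the original regex from the question and the working failregex from the answer over constructed sample log lines shows why the first one matches on regex101 against the raw text but never inside fail2ban, and why the second one does. The date-stripping and windowing functions are simplified assumptions, not fail2ban's actual implementation.

```python
import re

# Constructed sample log lines in mosquitto's format (not from a real server).
# One legitimate client (10.0.0.5) is mixed in so the filter has something to ignore.
SAMPLE_LOG = """1544984465: New connection from 123.123.123.123 on port 1883.
1544984465: Socket error on client <unknown>, disconnecting.
1544984466: New connection from 10.0.0.5 on port 1883.
1544984466: Client legit-client disconnected.
1544984468: New connection from 123.123.123.123 on port 1883.
1544984468: Socket error on client <unknown>, disconnecting.
"""

# Simplified stand-in for fail2ban's "Epoch" date template: only the digits are
# matched and removed, so the ": " that follows them stays on the line.
DATE_RE = re.compile(r"^\d{10}(?:\.\d{3,6})?")

# What fail2ban substitutes for the <HOST> tag (IPv4 only in this model).
HOST_RE = r"(?P<host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"

# The working failregex from the answer, with <HOST> expanded.
FAILREGEX = re.compile(
    r".+ New connection from " + HOST_RE
    + r" on port \d+\.\n.+Socket error on client <unknown>"
)

# The regex from the question: it expects the epoch digits to still be present
# on both lines, which is exactly what fail2ban has removed.
ORIGINAL_REGEX = re.compile(
    r"\s(?P<date>\d+)\: New connection from " + HOST_RE
    + r" .+\n(?P=date): Socket error on client \<unknown\>, disconnecting."
)


def strip_date(line):
    """Remove the timestamp the way fail2ban does before applying failregex.

    Returns (epoch_or_None, remainder_of_line).
    """
    m = DATE_RE.match(line)
    if not m:
        return None, line
    return int(m.group(0)), line[m.end():]


def match_log(text, regex, maxlines=2):
    """Slide a window of `maxlines` date-stripped lines over the log, joined
    with newlines (the maxlines > 1 behaviour), and collect matched hosts."""
    stripped = [strip_date(line)[1] for line in text.splitlines()]
    hits = []
    for i in range(len(stripped)):
        window = "\n".join(stripped[i:i + maxlines])
        m = regex.search(window)
        if m:
            hits.append(m.group("host"))
    return hits


def search_raw(text, regex):
    """What regex101 does: search the raw, un-stripped text as one string."""
    m = regex.search(text)
    return m.group("host") if m else None


if __name__ == "__main__":
    print("answer's failregex, fail2ban-style:", match_log(SAMPLE_LOG, FAILREGEX))
    print("question's regex, fail2ban-style:  ", match_log(SAMPLE_LOG, ORIGINAL_REGEX))
    print("question's regex on raw text:      ", search_raw(SAMPLE_LOG, ORIGINAL_REGEX))
```

The model reproduces the behaviour reported in the question: the original regex finds a host in the raw text but nothing once the epoch is gone from each line, while the answer's failregex matches each "New connection" / "Socket error" pair for the brute-forcing address and ignores the legitimate client. Setting maxlines back to 1 makes the working regex fail too, because its `\n` can never match inside a single-line window.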
