fail2ban-regex已验证我的过滤器Jan 14 07:39:41 myhost01 sshd[26433]: Connection closed by authenticating user root 127.0.0.1 port 56216 [preauth]在内部匹配 68 次auth.log,但fail2ban-client status sshd-preauth显示 0 个匹配的过滤器和操作。我可能会缺少什么?
[sshd-preauth]
enabled = true
logpath = /var/log/auth.log
backend = auto
banaction = disable-user
maxretry = 1
findtime = 1m
filter = sshd-preauth
[INCLUDES]
before = common.conf
[DEFAULT]
_daemon = sshd
__pref = (?:(?:error|fatal): (?:PAM: )?)?
__suff = (?: \[preauth\])?\s*
__on_port_opt = (?: port \d+)?(?: on \S+(?: port \d+)?)?
__alg_match = (?:(?:\w+ (?!found\b)){0,2}\w+)
[Definition]
prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID>%(__pref)s<F-CONTENT>.+</F-CONTENT>$
failregex = ^Connection closed by authenticating user root (?P<ip4>(?:\d{1,3}\.){3}\d{1,3}) port \d+ \[preauth\]$
datepattern = {^LN-BEG}
[Definition]
actionstart = touch /tmp/01234
actionstop =
actioncheck =
actionban = touch /tmp/OSSEC
actionunban = touch /tmp/UNBAN
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd-preauth.conf
Running tests
Use failregex filter file : sshd-preauth, basedir: /etc/fail2ban
Use datepattern : Default Detectors
Use log file : /var/log/auth.log
Use encoding : UTF-8
Results
Failregex: 68 total
|- #) [# of hits] regular expression
| 1) [68] ^Connection closed by authenticating user root (?P<ip4>(?:\d{1,3}\.){3}\d{1,3}) port \d+ \[preauth\]$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [865] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 865 lines, 0 ignored, 68 matched, 797 missed
[processed in 0.06 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 797 lines
更新
ssh如果我从 LAN 而不是从本地主机到计算机,则会触发 Fail2ban 过滤器。所以显然fail2ban忽略了本地主机日志,即使我jail.conf也配置为检查本地主机:
jail.conf
[DEFAULT]
ignorself = false
ignoreip =
这是fail2ban 的已知限制还是有解决方法?
更新2(解决方案)
fail2ban 有两个错误。配置变量应该是ignoreself而不是ignorself。另外版本 < v0.10.3 有一个错误。随着最新的fail2ban版本的发布,它现在可以正常工作了。