Fail2Ban: custom rule does not trigger actionban

I'm trying to develop a custom filter to filter out some malicious attacks/scans hitting our filter, but I'm stuck at the point where the ban action never takes effect.

Here is my jail.local:

[my-jail]
enabled = true
filter = my-filter
action = my-action
  sendmail-whois[name=Fail2Ban Test, [email protected], [email protected], sendername="Fail2Ban"]
logpath = /var/log/apache2/frontend-app-noname-com-access.log
maxretry = 4
findtime = 60
bantime = 300
journalmatch = _SYSTEMD_UNIT=httpd.service

Now the action:

[Definition]

actionstart = touch /var/log/fail2ban_debug.log
actionstop = rm -f /var/log/fail2ban_debug.log

actionban = /opt/scripts/ban.sh Ban <ip>
actionunban = /opt/scripts/ban.sh Unban <ip>

And the filter:

[Definition]
failregex = ^<HOST> - - \[.*\] \".*.noname.*\" \".*\" [4-5][0-9][0-9]

When I run the filter check manually:

fail2ban-regex /var/log/apache2/frontend-app-noname-com-access.log /etc/fail2ban/filter.d/my-filter.conf

Running tests
=============

Use   failregex filter file : my-filter, basedir: /etc/fail2ban
Use         log file : /var/log/apache2/frontend-app-noname-com-access.log
Use         encoding : UTF-8


Results
=======

Failregex: 1474 total
|-  #) [# of hits] regular expression
|   1) [1474] ^<HOST> - - \[.*\] \".*.noname.*\" \".*\" [4-5][0-9][0-9]
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [6637] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 6637 lines, 0 ignored, 1474 matched, 5163 missed
[processed in 2.16 sec]

I don't get the actionban action anywhere. If I run the command by hand I get the desired result, but fail2ban never launches the action anywhere. When I restart the service I do receive the e-mail from sendmail, and actionstart creates the file as well, but actionban and actionunban never happen, even though I get 100 hits per minute.

And the log:

2023-10-16 14:04:30,215 fail2ban.server         [4436]: INFO    --------------------------------------------------
2023-10-16 14:04:30,215 fail2ban.server         [4436]: INFO    Starting Fail2ban v0.11.2
2023-10-16 14:04:30,215 fail2ban.server         [4436]: DEBUG   Creating PID file /var/run/fail2ban/fail2ban.pid
2023-10-16 14:04:30,216 fail2ban.observer       [4436]: INFO    Observer start...
2023-10-16 14:04:30,216 fail2ban.server         [4436]: DEBUG   Starting communication
2023-10-16 14:04:30,218 fail2ban.database       [4436]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2023-10-16 14:04:30,218 fail2ban.jail           [4436]: INFO    Creating new jail 'my-jail'
2023-10-16 14:04:30,224 fail2ban.jail           [4436]: INFO    Jail 'my-jail' uses systemd {}
2023-10-16 14:04:30,224 fail2ban.filter         [4436]: DEBUG   Setting usedns = warn for FilterSystemd(Jail('my-jail'))
2023-10-16 14:04:30,224 fail2ban.filter         [4436]: DEBUG   Created FilterSystemd(Jail('my-jail'))
2023-10-16 14:04:30,224 fail2ban.filtersystemd  [4436]: DEBUG   Created FilterSystemd
2023-10-16 14:04:30,224 fail2ban.jail           [4436]: INFO    Initiated 'systemd' backend
2023-10-16 14:04:30,225 fail2ban.filter         [4436]: DEBUG   Setting usedns = warn for FilterSystemd(Jail('my-jail'))
2023-10-16 14:04:30,225 fail2ban.server         [4436]: DEBUG     failregex: '^<HOST> - - \\[.*\\] \\".*.noname.*\\" \\".*\\" [4-5][0-9][0-9]'
2023-10-16 14:04:30,225 fail2ban.filtersystemd  [4436]: INFO      Added journal match for: '_SYSTEMD_UNIT=httpd.service'
2023-10-16 14:04:30,226 fail2ban.filter         [4436]: INFO      maxRetry: 4
2023-10-16 14:04:30,226 fail2ban.filter         [4436]: INFO      encoding: UTF-8
2023-10-16 14:04:30,226 fail2ban.filter         [4436]: INFO      findtime: 60
2023-10-16 14:04:30,226 fail2ban.actions        [4436]: INFO      banTime: 300
2023-10-16 14:04:30,226 fail2ban.CommandAction  [4436]: DEBUG   Created <class 'fail2ban.server.action.CommandAction'>
2023-10-16 14:04:30,226 fail2ban.CommandAction  [4436]: DEBUG     Set actionunban = '/opt/scripts/ban.sh Unban <ip>'
2023-10-16 14:04:30,226 fail2ban.CommandAction  [4436]: DEBUG     Set actionstop = 'rm -f /var/log/fail2ban_debug.log'
2023-10-16 14:04:30,226 fail2ban.CommandAction  [4436]: DEBUG     Set actionban = '/opt/scripts/ban.sh Ban <ip>'
2023-10-16 14:04:30,226 fail2ban.CommandAction  [4436]: DEBUG     Set actionstart = 'touch /var/log/fail2ban_debug.log'
2023-10-16 14:04:30,226 fail2ban.CommandAction  [4436]: DEBUG     Set actname = 'my-action'
2023-10-16 14:04:30,226 fail2ban.CommandAction  [4436]: DEBUG     Set name = 'my-action'
2023-10-16 14:04:30,226 fail2ban.jail           [4436]: DEBUG   Starting jail 'my-jail'
2023-10-16 14:04:30,228 fail2ban.jail           [4436]: INFO    Jail 'my-jail' started
2023-10-16 14:04:30,229 fail2ban.transmitter    [4436]: DEBUG   Status: ready
2023-10-16 14:04:30,231 fail2ban.utils          [4436]: DEBUG   7fb62d68f580 -- returned successfully 0

Answer 1

When I run the filter check manually ... I don't get the actionban action anywhere.

fail2ban-regex tests only the filter/failregex. Nothing else.

Jail 'my-jail' uses systemd

This means fail2ban will monitor the systemd journal (probably your default backend), not the log file /var/log/...-access.log. If you want logpath to be monitored, you need to switch to one of the file-based backends, e.g. pyinotify or polling, or simply specify backend = auto for the jail.

Also note that your regex is a bit fragile because of the multiple catch-alls.

Last but not least - pay attention to fail2ban :: wiki :: Best practice (reduce parasitic log-traffic).
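As an added, stand-alone illustration of two points in the answer (fail2ban-regex only exercises the failregex, and the catch-alls make it fragile), the following Python script is not part of the original question or answer. It runs the posted failregex and a tightened variant over constructed access-log lines and then applies the jail's maxretry/findtime counting, which fail2ban-regex does not do: 1474 matched lines say nothing about whether any single host reached four hits inside 60 seconds. The script assumes the Apache LogFormat %h %l %u %t "%{Host}i" "%r" %>s %b "%{Referer}i" "%{User-Agent}i", which is a guess consistent with the shape of the posted regex, and it replaces fail2ban's real <HOST> expansion with an IPv4-only pattern; the sample lines, timestamps and addresses are constructed for the example.

```python
"""Stand-alone check of the my-filter failregex from the question.

Added example, not code from the original post. Assumptions: the LogFormat
%h %l %u %t "%{Host}i" "%r" %>s %b "%{Referer}i" "%{User-Agent}i", an
IPv4-only stand-in for fail2ban's <HOST>, and constructed sample lines.
"""
import re
from collections import defaultdict
from datetime import datetime

# Simplified stand-in for fail2ban's <HOST> (fail2ban also accepts IPv6 and,
# depending on usedns, hostnames); the capture group name matches fail2ban's.
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# The failregex exactly as posted in the question, with <HOST> expanded.
# Three unbounded .* and the unescaped dots in .noname. are the catch-alls
# the answer calls fragile.
ORIGINAL = re.compile(
    r"^" + HOST + r' - - \[.*\] \".*.noname.*\" \".*\" [4-5][0-9][0-9]'
)

# Tightened variant (added here, not from the answer): every field is
# bounded by its own delimiter, the dots in .noname. are literal, and the
# status code must end at a word boundary.
TIGHTENED = re.compile(
    r"^" + HOST + r' - - \[[^\]]+\] "[^"]*\.noname\.[^"]*" "[^"]*" [45]\d{2}\b'
)

# Apache %t timestamp, used only for the findtime window below.
DATE_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def access_line(ip, ts, vhost, request, status):
    """Build one constructed log line in the assumed LogFormat."""
    return f'{ip} - - [{ts}] "{vhost}" "{request}" {status} 196 "-" "curl/8.0"'


# Constructed sample log (RFC 5737 documentation addresses).
LINES = [
    # a scanner walking the noname vhost: four 404s inside one minute
    access_line("203.0.113.10", "16/Oct/2023:14:04:30 +0000", "app.noname.com", "GET /wp-login.php HTTP/1.1", 404),
    access_line("203.0.113.10", "16/Oct/2023:14:04:41 +0000", "app.noname.com", "GET /xmlrpc.php HTTP/1.1", 404),
    access_line("203.0.113.10", "16/Oct/2023:14:04:52 +0000", "app.noname.com", "GET /.env HTTP/1.1", 404),
    access_line("203.0.113.10", "16/Oct/2023:14:05:03 +0000", "app.noname.com", "GET /.git/config HTTP/1.1", 404),
    # a legitimate 200 on the same vhost: neither regex should match
    access_line("203.0.113.11", "16/Oct/2023:14:04:31 +0000", "app.noname.com", "GET /index.html HTTP/1.1", 200),
    # an unrelated vhost whose name merely contains "noname": the unescaped
    # dots in .noname. let the original regex match it (false positive)
    access_line("203.0.113.12", "16/Oct/2023:14:04:32 +0000", "anonameless.example", "GET /robots.txt HTTP/1.1", 404),
    # a single 503 on the noname vhost: matches, but one hit is below maxretry
    access_line("203.0.113.13", "16/Oct/2023:14:04:33 +0000", "app.noname.com", "POST /api HTTP/1.1", 503),
]


def matched_hosts(regex, lines):
    """What fail2ban-regex reports: the <HOST> of every line that matches."""
    return [m.group("host") for m in map(regex.match, lines) if m]


def hosts_to_ban(regex, lines, maxretry=4, findtime=60):
    """Apply the jail's counting rule from the question (maxretry = 4,
    findtime = 60): a host is banned once `maxretry` matching lines fall
    within `findtime` seconds. Simplified model of fail2ban's failure counter."""
    hits = defaultdict(list)
    for line in lines:
        m = regex.match(line)
        if not m:
            continue
        ts = datetime.strptime(DATE_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
        hits[m.group("host")].append(ts)
    banned = []
    for host, times in hits.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.append(host)
                break
    return banned


if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL), ("tightened", TIGHTENED)):
        print(f"{name}: matched={matched_hosts(rx, LINES)} ban={hosts_to_ban(rx, LINES)}")
```

Running it shows the original regex matching the anonameless.example line that the tightened one rejects, while both regexes ban only 203.0.113.10, the one host with four hits inside the window. Note that fail2ban removes the matched timestamp from a line before applying failregex, so matching the raw line here is an approximation; use fail2ban-regex with --print-all-matched against the real log for the authoritative view. To check the action path on its own, independent of filter and backend, fail2ban-client set my-jail banip <IP> runs actionban directly; if ban.sh is invoked by that but never by traffic, the problem is in the filter/backend side, which is exactly the journal-versus-logpath mismatch the answer points at.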