
I have set up a fail2ban filter to scan error.log messages, which have the following format:
[Sun Apr 21 12:37:02.266167 2024] [:error] [pid 26113:tid 139778838230784] [client 197.91.24.227] ModSecurity: Warning. Pattern match "/login" at REQUEST_URI. [file "/etc/modsecurity/modsecurity.conf"] [line "110"] [id "800000"] [msg "login"] [hostname "www.mysite.com"] [uri "/user/login"] [unique_id "ZiUIbn8AAQEAAGYBe@cAAADE"]
The failregex is:
failregex = ^.*\[client <HOST>\] ModSecurity: Warning\. Pattern match \"\/login\".*
When I test it with fail2ban-regex SKerror.log mymodsecurity.conf I get:
Results
=======
Failregex: 1254 total
|- #) [# of hits] regular expression
| 1) [1254] ^.*\[client <HOST>\] ModSecurity: Warning\. Pattern match \"\/login\".*
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [3052] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
I put this in my jail:
[mymodsecurity]
enabled = true
port = http,https
filter = mymodsecurity
logpath = /var/www/*/log/*error.log
maxretry = 15
But fail2ban does not ban the IP address. Is that because it cannot read the time format in the error log, or where is the problem? Thanks
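The following is an added example, not code from the original post or from fail2ban itself. It replays the posted failregex and the posted log line through a simplified model of how fail2ban decides to ban: the date is parsed from the Apache error-log prefix, the line is matched, and a host is banned only once it has accumulated maxretry matches within findtime seconds (the stock jail.conf sets findtime to 10 minutes when a jail does not override it). The sample log lines are constructed with documentation IP ranges; the pid, rule id and hostnames are placeholders. A filter that reports 1254 matches in fail2ban-regex can still ban nobody if no single host reaches 15 matches inside that window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The exact line from the post, used to check the parser against real data.
POSTED_LINE = ('[Sun Apr 21 12:37:02.266167 2024] [:error] [pid 26113:tid 139778838230784] '
               '[client 197.91.24.227] ModSecurity: Warning. Pattern match "/login" at REQUEST_URI. '
               '[file "/etc/modsecurity/modsecurity.conf"] [line "110"] [id "800000"] [msg "login"] '
               '[hostname "www.mysite.com"] [uri "/user/login"] [unique_id "ZiUIbn8AAQEAAGYBe@cAAADE"]')

# Apache error-log timestamp prefix: [Sun Apr 21 12:37:02.266167 2024]
DATE_RE = re.compile(r"^\[(\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2})(?:\.(\d+))? (\d{4})\]")

# The posted failregex with fail2ban's <HOST> placeholder turned into a named group.
# Python's re does not need the backslashes before / and " that the post uses.
FAIL_RE = re.compile(r'^.*\[client (?P<host>[^\]]+)\] ModSecurity: Warning\. Pattern match "/login".*')


def parse_timestamp(line):
    """Return the line's timestamp as a datetime, or None if the prefix does not parse."""
    m = DATE_RE.match(line)
    if not m:
        return None
    base, frac, year = m.groups()
    ts = datetime.strptime(f"{base} {year}", "%a %b %d %H:%M:%S %Y")
    if frac:  # microseconds are optional in the Apache format
        ts += timedelta(microseconds=int(frac[:6].ljust(6, "0")))
    return ts


def count_matches(lines):
    """Number of lines the failregex matches, i.e. fail2ban-regex's 'Failregex: N total'."""
    return sum(1 for line in lines if FAIL_RE.match(line))


def find_bans(lines, maxretry=15, findtime=600):
    """Simplified model of fail2ban's decision (not fail2ban's own code):
    a host is banned when it has at least `maxretry` matches whose timestamps
    fall within `findtime` seconds of each other. Returns (host, time) pairs."""
    recent = defaultdict(deque)  # host -> timestamps of matches still inside the window
    bans = []
    for line in lines:
        m = FAIL_RE.match(line)
        ts = parse_timestamp(line)
        if m is None or ts is None:
            continue  # unmatched line, or a line whose date fail2ban could not read
        q = recent[m.group("host")]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # drop matches that have aged out of the window
        if len(q) >= maxretry:
            bans.append((m.group("host"), ts))
            q.clear()
    return bans


def make_line(ts, host, pattern, msg, uri):
    """Build one error.log line in the posted format (constructed sample data)."""
    stamp = ts.strftime("%a %b %d %H:%M:%S.%f %Y")
    return (f"[{stamp}] [:error] [pid 26113:tid 139778838230784] [client {host}] "
            f'ModSecurity: Warning. Pattern match "{pattern}" at REQUEST_URI. '
            f'[file "/etc/modsecurity/modsecurity.conf"] [line "110"] [id "800000"] '
            f'[msg "{msg}"] [hostname "www.mysite.com"] [uri "{uri}"] [unique_id "placeholder"]')


def build_sample_log():
    """Constructed sample log: a slow scanner, a fast scanner and one unrelated rule hit."""
    t0 = datetime(2024, 4, 21, 12, 0, 0)
    events = []
    # 198.51.100.7: 15 /login hits, one every 2 minutes (28 minutes in total)
    events += [(t0 + timedelta(minutes=2 * i), "198.51.100.7", "/login", "login", "/user/login")
               for i in range(15)]
    # 203.0.113.5: 15 /login hits in under a minute
    events += [(t0 + timedelta(minutes=5, seconds=4 * i), "203.0.113.5", "/login", "login", "/user/login")
               for i in range(15)]
    # a different ModSecurity rule that the filter must ignore
    events.append((t0 + timedelta(minutes=7), "192.0.2.9", "union select", "sqli", "/search"))
    events.sort()
    return [make_line(*e) for e in events]


if __name__ == "__main__":
    log = build_sample_log()
    print("failregex matches:", count_matches(log))
    print("bans with findtime=600 :", find_bans(log))
    print("bans with findtime=3600:", find_bans(log, findtime=3600))
```

With the jail's maxretry of 15 and the default 10-minute findtime, only the fast scanner is banned; the slow scanner never has more than six matches inside any 10-minute window, so its 15 hits count for nothing. Raising findtime (or lowering maxretry) in the jail is what changes that, and fail2ban-regex's match count alone does not tell you which case you are in.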