Fail2Ban regex - NGINX - custom regex

I am trying to create a custom log file for fail2ban's NGINX logs to catch specific events. Regular expressions are still relatively new to me, so I am working on improving. This will go into a custom filter, but for now I am using fail2ban-regex.

Here is a sample from the log

1.1.1.1 - - [05/Feb/2021:11:19:48 +0000] "GET /images.php?id=bXlzcWwgLS11c2VyPWFuZ2VscyAtLXBhc3N3b3JkPXNjb690ZXJzCg== HTTP/1.1" 200 31 "-" "curl/7.58.0"

I really only want to match "bXlzcWwg", since it stays consistent, and I believe it should look something like this.

^<HOST>.*bXlzcWwg

Running the test seems to find the entries fine, but it gives an error.

sudo fail2ban-regex "^<HOST>.*bXlzcWwg" /var/log/nginx/access.log 

Running tests
=============

Use   failregex file : /var/log/nginx/access.log
Wrong config file: File contains no section headers.
file: '/var/log/nginx/access.log', line: 1
'192.168.6.254 - - [05/Feb/2021:10:54:55 +0000] "GET / HTTP/1.1" 200 241 "-" "curl/7.58.0"\n'
ERROR: failed to load filter /var/log/nginx/access.log

I know the test supports the date format.

sudo fail2ban-regex "05/Feb/2021:11:33:25 +0000"

Running tests
=============

Use   failregex line : <HOST>
Use      single line : 05/Feb/2021:11:33:25 +0000


Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
|  [1] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.01 sec]
|- Missed line(s):
|  05/Feb/2021:11:33:25 +0000

Answer 1

sudo fail2ban-regex /var/log/nginx/access.log "^<HOST>.*bXlzcWwg"

Regex and log options were reversed.

Running tests
=============

Use   failregex line : ^<HOST>.*bXlzcWwg
Use         log file : /var/log/nginx/access.log
Use         encoding : UTF-8


Results
=======

Failregex: 268 total
|-  #) [# of hits] regular expression
|   1) [268] ^<HOST>.*bXlzcWwg
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [841] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 841 lines, 0 ignored, 268 matched, 573 missed
[processed in 0.06 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 573 lines

This post may help others who are banging their heads against the wall.
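As an added illustration, not part of the original question or answer, the script below approximates what fail2ban-regex does with the failregex from this thread: it expands `<HOST>` into a named capturing group (the expansion used here is a simplified stand-in for fail2ban's own, an assumption), runs the pattern over a few constructed nginx access-log lines, and also tries a tighter variant of my own that anchors the token to the quoted request field so a hit in the User-Agent alone does not count.

```python
import re

# Simplified stand-in (assumption) for fail2ban's <HOST> expansion: an optional
# IPv4-mapped IPv6 prefix followed by a named "host" group.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the question: the token may sit anywhere after the client IP.
PAGE_FAILREGEX = r"^<HOST>.*bXlzcWwg"

# Tighter variant (my suggestion, not from the thread): the token must appear
# inside the quoted request field, so a match in the referer or user-agent
# field alone does not trigger a ban.
REQUEST_FAILREGEX = r'^<HOST> .*"(?:GET|POST|HEAD) [^"]*bXlzcWwg'


def compile_failregex(failregex: str) -> re.Pattern:
    """Replace the <HOST> tag the way fail2ban-regex does, then compile."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def matched_hosts(failregex: str, log_lines) -> list[str]:
    """Return the client address captured from each line the failregex matches."""
    pattern = compile_failregex(failregex)
    return [m.group("host") for line in log_lines if (m := pattern.search(line))]


# Constructed sample: the two lines quoted in the thread plus one made-up line
# in which the token appears only in the User-Agent field.
SAMPLE_LOG = [
    '1.1.1.1 - - [05/Feb/2021:11:19:48 +0000] "GET /images.php?id=bXlzcWwgLS11c2VyPWFuZ2VscyAtLXBhc3N3b3JkPXNjb690ZXJzCg== HTTP/1.1" 200 31 "-" "curl/7.58.0"',
    '192.168.6.254 - - [05/Feb/2021:10:54:55 +0000] "GET / HTTP/1.1" 200 241 "-" "curl/7.58.0"',
    '10.0.0.7 - - [05/Feb/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 bXlzcWwg"',
]

if __name__ == "__main__":
    for name, regex in (("page failregex", PAGE_FAILREGEX), ("request-anchored", REQUEST_FAILREGEX)):
        # page failregex -> ['1.1.1.1', '10.0.0.7']; request-anchored -> ['1.1.1.1']
        print(f"{name}: {matched_hosts(regex, SAMPLE_LOG)}")
```

Once the pattern behaves as intended here, the same failregex line goes into the filter's [Definition] section and can be re-checked with fail2ban-regex using the LOG-then-REGEX argument order shown in the answer.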
