I'm trying to create a custom filter for fail2ban on NGINX logs to catch a specific event. Regex is still relatively new to me, so I'm working on getting better at it. This will go into a custom filter, but for now I'm using fail2ban-regex.
Here is a sample from the log:
1.1.1.1 - - [05/Feb/2021:11:19:48 +0000] "GET /images.php?id=bXlzcWwgLS11c2VyPWFuZ2VscyAtLXBhc3N3b3JkPXNjb690ZXJzCg== HTTP/1.1" 200 31 "-" "curl/7.58.0"
I really only want to match on "bXlzcWwg", since that part stays consistent, and I believe it should look something like this:
^<HOST>.*bXlzcWwg
Running a test seems fine for the entry, but it gives an error.
sudo fail2ban-regex "^<HOST>.*bXlzcWwg" /var/log/nginx/access.log
Running tests
=============
Use failregex file : /var/log/nginx/access.log
Wrong config file: File contains no section headers.
file: '/var/log/nginx/access.log', line: 1
'192.168.6.254 - - [05/Feb/2021:10:54:55 +0000] "GET / HTTP/1.1" 200 241 "-" "curl/7.58.0"\n'
ERROR: failed to load filter /var/log/nginx/access.log
I know the test supports the date format.
sudo fail2ban-regex "05/Feb/2021:11:33:25 +0000" "<HOST>"
Running tests
=============
Use failregex line : <HOST>
Use single line : 05/Feb/2021:11:33:25 +0000
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [1] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.01 sec]
|- Missed line(s):
| 05/Feb/2021:11:33:25 +0000
Answer 1
sudo fail2ban-regex /var/log/nginx/access.log "^<HOST>.*bXlzcWwg"
Regex and log options were reversed.
Running tests
=============
Use failregex line : ^<HOST>.*bXlzcWwg
Use log file : /var/log/nginx/access.log
Use encoding : UTF-8
Results
=======
Failregex: 268 total
|- #) [# of hits] regular expression
| 1) [268] ^<HOST>.*bXlzcWwg
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [841] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
Lines: 841 lines, 0 ignored, 268 matched, 573 missed
[processed in 0.06 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 573 lines
This post may help others who are banging their heads against the wall.
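To show what the filter in the answer actually does once fail2ban-regex gets its arguments in the right order (log file first, then the regex), here is an added Python example that is not part of the original post and not fail2ban's own code. It expands the <HOST> placeholder with a simplified version of the pattern fail2ban uses, runs the failregex over a few constructed access-log lines, and also checks why the "bXlzcWwg" token is stable: it is the base64 encoding of the six bytes "mysql ", and base64 encodes each 3-byte group independently, so a fixed prefix of the payload always yields the same fixed prefix in the encoded form.

```python
import base64
import re

# Simplified stand-in for fail2ban's <HOST> substitution (assumption: this is
# written for the example; fail2ban's real pattern also handles bracketed IPv6
# and other forms). It captures the address into a named group "host".
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def expand_failregex(failregex: str) -> re.Pattern:
    """Replace <HOST> and compile, the way fail2ban prepares a failregex."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def scan(failregex: str, lines):
    """Apply the failregex to each line.

    Returns (list of matched hosts in order, number of missed lines),
    mirroring the "matched"/"missed" counts that fail2ban-regex prints.
    Note: real fail2ban strips the timestamp before matching; here the
    whole line is matched, which gives the same result because the
    pattern spans the middle of the line with ".*".
    """
    rx = expand_failregex(failregex)
    matched, missed = [], 0
    for line in lines:
        m = rx.search(line)
        if m:
            matched.append(m.group("host"))
        else:
            missed += 1
    return matched, missed


def encoded_prefix(plain: bytes) -> str:
    """Base64-encode a payload prefix; a whole number of 3-byte groups
    encodes to a fixed string regardless of what follows it."""
    return base64.b64encode(plain).decode("ascii")


# Constructed sample log lines (the first two are taken from the question,
# the third is made up for this example).
SAMPLE_LOG = [
    '1.1.1.1 - - [05/Feb/2021:11:19:48 +0000] "GET /images.php?id='
    'bXlzcWwgLS11c2VyPWFuZ2VscyAtLXBhc3N3b3JkPXNjb690ZXJzCg== HTTP/1.1" '
    '200 31 "-" "curl/7.58.0"',
    '192.168.6.254 - - [05/Feb/2021:10:54:55 +0000] "GET / HTTP/1.1" '
    '200 241 "-" "curl/7.58.0"',
    '203.0.113.7 - - [05/Feb/2021:11:21:02 +0000] "GET /images.php?id='
    'bXlzcWwgZHVtcA== HTTP/1.1" 200 31 "-" "curl/7.58.0"',
]

FAILREGEX = "^<HOST>.*bXlzcWwg"


if __name__ == "__main__":
    hosts, missed = scan(FAILREGEX, SAMPLE_LOG)
    print(f"matched hosts: {hosts}, missed lines: {missed}")
    print(f'base64("mysql ") = {encoded_prefix(b"mysql ")}')
```

With these three lines the scan reports two matched hosts (1.1.1.1 and 203.0.113.7) and one missed line, which is the same shape of result the answer's fail2ban-regex run shows at a larger scale. Keep in mind that the prefix trick only holds while the interesting bytes start at the beginning of the base64 payload; a different leading byte shifts the 3-byte alignment and produces a different encoded string.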