我试图通过在 WAF IP 集中添加和删除 IP 来过滤掉对我们的 AWS 实例上的网站的恶意请求。我正在尝试设置fail2ban来帮助解决这个问题。
这些是文件 -
本地监狱
[my-jail]
enabled = true
filter = my-filter
action = my-action
sendmail-whois[name=Fail2Ban Test, [email protected], [email protected], sendername="Fail2Ban"]
logpath = /var/log/apache2/frontend-app-my-org-com-access.log
maxretry = 4
findtime = 60
bantime = 300
journalmatch = _SYSTEMD_UNIT=httpd.service
我的行动.conf
[Definition]
actionstart = touch /var/log/fail2ban_debug.log
actionstop = rm -f /var/log/fail2ban_debug.log
actionban = /opt/scripts/ban.sh Ban <ip>
actionunban = /opt/scripts/ban.sh Unban <ip>
注意:它/opt/scripts/ban.sh是可执行的,并且通过手动测试时/opt/scripts/ban.sh Ban 10.10.10.10我得到了预期的结果。所有文件均由用户拥有和管理root。 fail2ban 服务也是通过 root 用户启动的。
我的过滤器.conf
[Definition]
failregex = ^<HOST> - - \[.*\] \".*.my-org.*\" \".*\" [4-5][0-9][0-9]
正则表达式检查
当我根据日志手动检查过滤器时 - 它有效:
[root@ip-172-31-89-74 action.d]# fail2ban-regex /var/log/apache2/frontend-app-my-org-com-access.log /etc/fail2ban/filter.d/my-filter.conf | grep matched
Lines: 2325 lines, 0 ignored, 2325 matched, 0 missed
日志
2023-10-16 15:03:08,737 fail2ban.server [9162]: INFO --------------------------------------------------
2023-10-16 15:03:08,737 fail2ban.server [9162]: INFO Starting Fail2ban v0.11.2
2023-10-16 15:03:08,737 fail2ban.server [9162]: DEBUG Creating PID file /var/run/fail2ban/fail2ban.pid
2023-10-16 15:03:08,738 fail2ban.observer [9162]: INFO Observer start...
2023-10-16 15:03:08,738 fail2ban.server [9162]: DEBUG Starting communication
2023-10-16 15:03:08,742 fail2ban.database [9162]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2023-10-16 15:03:08,742 fail2ban.jail [9162]: INFO Creating new jail 'my-jail'
2023-10-16 15:03:08,748 fail2ban.jail [9162]: INFO Jail 'my-jail' uses systemd {}
2023-10-16 15:03:08,748 fail2ban.filter [9162]: DEBUG Setting usedns = warn for FilterSystemd(Jail('my-jail'))
2023-10-16 15:03:08,748 fail2ban.filter [9162]: DEBUG Created FilterSystemd(Jail('my-jail'))
2023-10-16 15:03:08,749 fail2ban.filtersystemd [9162]: DEBUG Created FilterSystemd
2023-10-16 15:03:08,749 fail2ban.jail [9162]: INFO Initiated 'systemd' backend
2023-10-16 15:03:08,749 fail2ban.filter [9162]: DEBUG Setting usedns = warn for FilterSystemd(Jail('my-jail'))
2023-10-16 15:03:08,749 fail2ban.server [9162]: DEBUG failregex: '^<HOST> - - \\[.*\\] \\".*.my-org.*\\" \\".*\\" [4-5][0-9][0-9]'
2023-10-16 15:03:08,750 fail2ban.filtersystemd [9162]: INFO [my-jail] Added journal match for: '_SYSTEMD_UNIT=httpd.service'
2023-10-16 15:03:08,750 fail2ban.filter [9162]: INFO maxRetry: 4
2023-10-16 15:03:08,750 fail2ban.filter [9162]: INFO encoding: UTF-8
2023-10-16 15:03:08,750 fail2ban.filter [9162]: INFO findtime: 60
2023-10-16 15:03:08,750 fail2ban.actions [9162]: INFO banTime: 300
2023-10-16 15:03:08,750 fail2ban.CommandAction [9162]: DEBUG Created <class 'fail2ban.server.action.CommandAction'>
2023-10-16 15:03:08,750 fail2ban.CommandAction [9162]: DEBUG Set actionunban = '/opt/scripts/ban.sh Unban <ip>'
2023-10-16 15:03:08,750 fail2ban.CommandAction [9162]: DEBUG Set actionstop = 'rm -f /var/log/fail2ban_debug.log'
2023-10-16 15:03:08,750 fail2ban.CommandAction [9162]: DEBUG Set actionban = '/opt/scripts/ban.sh Ban <ip>'
2023-10-16 15:03:08,750 fail2ban.CommandAction [9162]: DEBUG Set actionstart = 'touch /var/log/fail2ban_debug.log'
2023-10-16 15:03:08,751 fail2ban.CommandAction [9162]: DEBUG Set actname = 'my-action'
2023-10-16 15:03:08,751 fail2ban.CommandAction [9162]: DEBUG Set name = 'my-jail'
2023-10-16 15:03:08,751 fail2ban.jail [9162]: DEBUG Starting jail 'my-jail'
2023-10-16 15:03:08,753 fail2ban.jail [9162]: INFO Jail 'my-jail' started
2023-10-16 15:03:08,754 fail2ban.transmitter [9162]: DEBUG Status: ready
2023-10-16 15:03:08,756 fail2ban.utils [9162]: DEBUG 7f36b00f7490 -- returned successfully 0
[root@ip-172-31-89-74 action.d]# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2023-10-16 15:03:08 CEST; 35min ago
Docs: man:fail2ban(1)
Process: 8983 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
Process: 9160 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
Main PID: 9162 (fail2ban-server)
CGroup: /system.slice/fail2ban.service
└─9162 /usr/bin/python2 -s /usr/bin/fail2ban-server -xf start
Oct 16 15:03:08 ip-172-31-89-74.eu-central-1.compute.internal systemd[1]: Starting Fail2Ban Service...
Oct 16 15:03:08 ip-172-31-89-74.eu-central-1.compute.internal systemd[1]: Started Fail2Ban Service.
Oct 16 15:03:08 ip-172-31-89-74.eu-central-1.compute.internal fail2ban-server[9162]: Server ready
从特定 IP 地址在 bash 中进行测试
i=0;while true; do echo -e"\n---------------------------------$i-----------------------------\n"; curl -s -L testing.my-org.de/tests
; i=$(($i+1));
这会在监狱中的预期日志中生成行。本地
我确认 actionstart 有效,因为有一个日志文件。每当我重新启动服务时,我也会收到电子邮件。我错过了什么,或者做错了什么?
更多数据:
222.222.222.222 - - [16/Oct/2023:22:10:51 +0200] "testing.my-org.com" "GET /tests HTTP/1.1" 404 8043 61680 "-" "curl/7.88.1" "" "ea4uh580h9dl7tat34q2d5cjo7"
222.222.222.222 - - [16/Oct/2023:22:10:52 +0200] "testing.my-org.com" "GET /tests HTTP/1.1" 404 8043 61976 "-" "curl/7.88.1" "" "uou7bo5pj4tgp2m9t5kulkmvn2"
222.222.222.222 - - [16/Oct/2023:22:10:52 +0200] "testing.my-org.com" "GET /tests HTTP/1.1" 404 8043 68577 "-" "curl/7.88.1" "" "m3u0g2s41fa6igphsfecrdbg41"
[root@ip-172-31-89-74 apache2]# fail2ban-regex /var/log/apache2/frontend-app-my-org-com-access.log.1 /etc/fail2ban/filter.d/my-filter.conf
Running tests
=============
Use failregex filter file : my-filter, basedir: /etc/fail2ban
Use log file : /var/log/apache2/frontend-app-my-org-com-access.log.1
Use encoding : UTF-8
Results
=======
Failregex: 2480 total
|- #) [# of hits] regular expression
| 1) [2480] ^<HOST>
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [2480] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
Lines: 2480 lines, 0 ignored, 2480 matched, 0 missed
[processed in 0.17 sec]
[root@ip-172-31-89-74 apache2]# vim /etc/fail2ban/filter.d/my-filter.conf
[root@ip-172-31-89-74 apache2]# fail2ban-regex /var/log/apache2/frontend-app-my-org-com-access.log.1 /etc/fail2ban/filter.d/my-filter.conf
Running tests
=============
Use failregex filter file : my-filter, basedir: /etc/fail2ban
Use log file : /var/log/apache2/frontend-app-my-org-com-access.log.1
Use encoding : UTF-8
Results
=======
Failregex: 2480 total
|- #) [# of hits] regular expression
| 1) [2480] ^<HOST> - - \[.*\] \".*.my-org.*\" \".*\" [4-5][0-9][0-9]
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [2480] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
Lines: 2480 lines, 0 ignored, 2480 matched, 0 missed
[processed in 0.18 sec]
答案1
正如已经回答的那样https://superuser.com/a/1813168/1131979:
fail2ban-regex仅测试过滤器/失败正则表达式。没有其他的。Jail 'my-jail' uses systemd意味着fail2ban将监视systemd日志(可能是您的默认后端),而不是日志文件/var/log/...-access.log。如果您想要监视logpath,则需要切换到一些与文件相关的后端,例如pyinotify或或简单地为监狱polling指定。backend = auto
另请注意,由于几个包罗万象,您的正则表达式有点脆弱。
最后但并非最不重要的一点 - 注意fail2ban :: wiki :: 最佳实践(减少寄生日志流量)。