即使正则表达式匹配,fail2ban 也不会处理 jail

即使正则表达式匹配,fail2ban 也不会处理 jail

我无法设置 fail2ban 来检查 nginx 错误日志中是否存在失败的 http auth 条目。尽管提供的 failregex 有效,但 fail2ban 似乎只是跳过了 jail 配置。

我已经尝试将日志级别设置为 4,但没有关于 nginx jail 的任何故障信息。我还认为日志文件中的时间戳必须与系统时间匹配,这当然已经是这种情况了。

奇怪的是,我设置的另一个 jail (ssh) 运行正常。我没有主意了,也许你有一个。希望这里有你需要的所有信息。谢谢。

fail2ban.conf

[Definition]

loglevel = 3
logtarget = /var/example/logs/fail2ban.log
socket = /var/run/fail2ban/fail2ban.sock

监狱配置文件

[DEFAULT]

ignoreip = 127.0.0.1
bantime  = 60
findtime = 600
maxretry = 3
backend  = auto

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables-allports[name=SSH, protocol=all]
logpath  = /var/log/auth.log

[nginx]

enabled = true
filter  = nginx-auth
action   = iptables-allports[name=nginx, protocol=all]
logpath = /var/example/logs/nginx-error.log

filter.d/nginx-auth.conf

[Definition]

failregex = no user/password was provided for basic authentication.*client: <HOST>
            user .* was not found in.*client: <HOST>
            user .* password mismatch.*client: <HOST>

ignoreregex = 

fail2ban-regex /var/example/logs/nginx-error.log /var/example/config/fail2ban/filter.d/nginx-auth.conf

Running tests
=============

Use regex file : /var/example/config/fail2ban/filter.d/nginx-auth.conf
Use log file   : /var/example/logs/nginx-error.log


Results
=======

Failregex
|- Regular expressions:
|  [1] no user/password was provided for basic authentication.*client: <HOST>
|  [2] user .* was not found in.*client: <HOST>
|  [3] user .* password mismatch.*client: <HOST>
|
`- Number of matches:
[1] 60 match(es)
[2] 0 match(es)
[3] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
192.168.153.1 (Fri Sep 02 14:07:54 2011)
192.168.153.1 (Fri Sep 02 14:07:54 2011)
192.168.153.1 (Fri Sep 02 14:07:55 2011)
192.168.153.1 (Fri Sep 02 14:07:55 2011)
192.168.153.1 (Fri Sep 02 14:07:55 2011)
192.168.153.1 (Fri Sep 02 14:07:55 2011)
192.168.153.1 (Fri Sep 02 14:07:56 2011)
192.168.153.1 (Fri Sep 02 14:07:56 2011)
192.168.153.1 (Fri Sep 02 14:07:56 2011)
192.168.153.1 (Fri Sep 02 14:07:56 2011)
192.168.153.1 (Fri Sep 02 14:07:56 2011)
192.168.153.1 (Fri Sep 02 14:07:57 2011)
192.168.153.1 (Fri Sep 02 14:07:57 2011)
192.168.153.1 (Fri Sep 02 14:07:57 2011)
192.168.153.1 (Fri Sep 02 14:07:57 2011)
192.168.153.1 (Fri Sep 02 14:07:57 2011)
192.168.153.1 (Fri Sep 02 14:07:58 2011)
192.168.153.1 (Fri Sep 02 14:07:58 2011)
192.168.153.1 (Fri Sep 02 14:07:58 2011)
192.168.153.1 (Fri Sep 02 14:07:59 2011)
192.168.153.1 (Fri Sep 02 14:07:59 2011)
192.168.153.1 (Fri Sep 02 14:07:59 2011)
192.168.153.1 (Fri Sep 02 14:07:59 2011)
192.168.153.1 (Fri Sep 02 14:08:00 2011)
192.168.153.1 (Fri Sep 02 14:08:00 2011)
192.168.153.1 (Fri Sep 02 14:08:00 2011)
192.168.153.1 (Fri Sep 02 14:08:01 2011)
192.168.153.1 (Fri Sep 02 14:08:01 2011)
192.168.153.1 (Fri Sep 02 14:08:01 2011)
192.168.153.1 (Fri Sep 02 14:08:01 2011)
192.168.153.1 (Fri Sep 02 14:08:01 2011)
192.168.153.1 (Fri Sep 02 14:08:02 2011)
192.168.153.1 (Fri Sep 02 14:08:02 2011)
192.168.153.1 (Fri Sep 02 14:08:02 2011)
192.168.153.1 (Fri Sep 02 14:08:02 2011)
192.168.153.1 (Fri Sep 02 14:08:03 2011)
192.168.153.1 (Fri Sep 02 14:08:03 2011)
192.168.153.1 (Fri Sep 02 14:08:03 2011)
192.168.153.1 (Fri Sep 02 14:08:03 2011)
192.168.153.1 (Fri Sep 02 14:08:03 2011)
192.168.153.1 (Fri Sep 02 14:08:04 2011)
192.168.153.1 (Fri Sep 02 14:08:04 2011)
192.168.153.1 (Fri Sep 02 14:08:05 2011)
192.168.153.1 (Fri Sep 02 14:08:05 2011)
192.168.153.1 (Fri Sep 02 14:08:05 2011)
192.168.153.1 (Fri Sep 02 14:08:05 2011)
192.168.153.1 (Fri Sep 02 14:08:05 2011)
192.168.153.1 (Fri Sep 02 14:08:05 2011)
192.168.153.1 (Fri Sep 02 14:08:08 2011)
192.168.153.1 (Fri Sep 02 14:08:09 2011)
192.168.153.1 (Fri Sep 02 14:08:10 2011)
192.168.153.1 (Fri Sep 02 14:08:10 2011)
192.168.153.1 (Fri Sep 02 14:08:10 2011)
192.168.153.1 (Fri Sep 02 14:08:10 2011)
192.168.153.1 (Fri Sep 02 14:08:11 2011)
192.168.153.1 (Fri Sep 02 14:08:11 2011)
192.168.153.1 (Fri Sep 02 14:08:11 2011)
192.168.153.1 (Fri Sep 02 14:08:11 2011)
192.168.153.1 (Fri Sep 02 14:08:12 2011)
192.168.153.1 (Fri Sep 02 14:08:12 2011)
[2]
[3]

Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
240 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 60

答案1

我遇到了同样的问题——原来是时区问题。

当 syslogd/sshd 启动时,我使用的是 GMT 时间,因此 /var/log/secure 和 /var/log/messages 以 GMT 时间写入时间戳。但是,我后来将 tzdata 固定为本地时区,然后启动了 fail2ban。现在 fail2ban 感到困惑,因为所有事件都比其时间早 7 小时,因此不在“findtime”范围内。

简单的解决方案是重新启动 syslogd 和 sshd,这样它们就会选择新的时区。现在 fail2ban 可以像冠军一样阻止。

答案2

从源代码编译 fail2ban 后,它就可以正常工作了。似乎我安装的 debian 软件包apt-get fail2ban仍是一个有缺陷的开发版本。

相关内容