我无法设置 fail2ban 来检查 nginx 错误日志中是否存在失败的 http auth 条目。尽管提供的 failregex 有效,但 fail2ban 似乎只是跳过了 jail 配置。
我已经尝试将日志级别设置为 4,但没有关于 nginx jail 的任何故障信息。我还认为日志文件中的时间戳必须与系统时间匹配,这当然已经是这种情况了。
奇怪的是,我设置的另一个 jail (ssh) 运行正常。我没有主意了,也许你有一个。希望这里有你需要的所有信息。谢谢。
fail2ban.conf
[Definition]
loglevel = 3
logtarget = /var/example/logs/fail2ban.log
socket = /var/run/fail2ban/fail2ban.sock
监狱配置文件
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 60
findtime = 600
maxretry = 3
backend = auto
[ssh-iptables]
enabled = true
filter = sshd
action = iptables-allports[name=SSH, protocol=all]
logpath = /var/log/auth.log
[nginx]
enabled = true
filter = nginx-auth
action = iptables-allports[name=nginx, protocol=all]
logpath = /var/example/logs/nginx-error.log
filter.d/nginx-auth.conf
[Definition]
failregex = no user/password was provided for basic authentication.*client: <HOST>
user .* was not found in.*client: <HOST>
user .* password mismatch.*client: <HOST>
ignoreregex =
fail2ban-regex /var/example/logs/nginx-error.log /var/example/config/fail2ban/filter.d/nginx-auth.conf
Running tests
=============
Use regex file : /var/example/config/fail2ban/filter.d/nginx-auth.conf
Use log file : /var/example/logs/nginx-error.log
Results
=======
Failregex
|- Regular expressions:
| [1] no user/password was provided for basic authentication.*client: <HOST>
| [2] user .* was not found in.*client: <HOST>
| [3] user .* password mismatch.*client: <HOST>
|
`- Number of matches:
[1] 60 match(es)
[2] 0 match(es)
[3] 0 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
=======
Addresses found:
[1]
192.168.153.1 (Fri Sep 02 14:07:54 2011)
192.168.153.1 (Fri Sep 02 14:07:54 2011)
192.168.153.1 (Fri Sep 02 14:07:55 2011)
192.168.153.1 (Fri Sep 02 14:07:55 2011)
192.168.153.1 (Fri Sep 02 14:07:55 2011)
192.168.153.1 (Fri Sep 02 14:07:55 2011)
192.168.153.1 (Fri Sep 02 14:07:56 2011)
192.168.153.1 (Fri Sep 02 14:07:56 2011)
192.168.153.1 (Fri Sep 02 14:07:56 2011)
192.168.153.1 (Fri Sep 02 14:07:56 2011)
192.168.153.1 (Fri Sep 02 14:07:56 2011)
192.168.153.1 (Fri Sep 02 14:07:57 2011)
192.168.153.1 (Fri Sep 02 14:07:57 2011)
192.168.153.1 (Fri Sep 02 14:07:57 2011)
192.168.153.1 (Fri Sep 02 14:07:57 2011)
192.168.153.1 (Fri Sep 02 14:07:57 2011)
192.168.153.1 (Fri Sep 02 14:07:58 2011)
192.168.153.1 (Fri Sep 02 14:07:58 2011)
192.168.153.1 (Fri Sep 02 14:07:58 2011)
192.168.153.1 (Fri Sep 02 14:07:59 2011)
192.168.153.1 (Fri Sep 02 14:07:59 2011)
192.168.153.1 (Fri Sep 02 14:07:59 2011)
192.168.153.1 (Fri Sep 02 14:07:59 2011)
192.168.153.1 (Fri Sep 02 14:08:00 2011)
192.168.153.1 (Fri Sep 02 14:08:00 2011)
192.168.153.1 (Fri Sep 02 14:08:00 2011)
192.168.153.1 (Fri Sep 02 14:08:01 2011)
192.168.153.1 (Fri Sep 02 14:08:01 2011)
192.168.153.1 (Fri Sep 02 14:08:01 2011)
192.168.153.1 (Fri Sep 02 14:08:01 2011)
192.168.153.1 (Fri Sep 02 14:08:01 2011)
192.168.153.1 (Fri Sep 02 14:08:02 2011)
192.168.153.1 (Fri Sep 02 14:08:02 2011)
192.168.153.1 (Fri Sep 02 14:08:02 2011)
192.168.153.1 (Fri Sep 02 14:08:02 2011)
192.168.153.1 (Fri Sep 02 14:08:03 2011)
192.168.153.1 (Fri Sep 02 14:08:03 2011)
192.168.153.1 (Fri Sep 02 14:08:03 2011)
192.168.153.1 (Fri Sep 02 14:08:03 2011)
192.168.153.1 (Fri Sep 02 14:08:03 2011)
192.168.153.1 (Fri Sep 02 14:08:04 2011)
192.168.153.1 (Fri Sep 02 14:08:04 2011)
192.168.153.1 (Fri Sep 02 14:08:05 2011)
192.168.153.1 (Fri Sep 02 14:08:05 2011)
192.168.153.1 (Fri Sep 02 14:08:05 2011)
192.168.153.1 (Fri Sep 02 14:08:05 2011)
192.168.153.1 (Fri Sep 02 14:08:05 2011)
192.168.153.1 (Fri Sep 02 14:08:05 2011)
192.168.153.1 (Fri Sep 02 14:08:08 2011)
192.168.153.1 (Fri Sep 02 14:08:09 2011)
192.168.153.1 (Fri Sep 02 14:08:10 2011)
192.168.153.1 (Fri Sep 02 14:08:10 2011)
192.168.153.1 (Fri Sep 02 14:08:10 2011)
192.168.153.1 (Fri Sep 02 14:08:10 2011)
192.168.153.1 (Fri Sep 02 14:08:11 2011)
192.168.153.1 (Fri Sep 02 14:08:11 2011)
192.168.153.1 (Fri Sep 02 14:08:11 2011)
192.168.153.1 (Fri Sep 02 14:08:11 2011)
192.168.153.1 (Fri Sep 02 14:08:12 2011)
192.168.153.1 (Fri Sep 02 14:08:12 2011)
[2]
[3]
Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
240 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>
Success, the total number of match is 60
答案1
我遇到了同样的问题——原来是时区问题。
当 syslogd/sshd 启动时,我使用的是 GMT 时间,因此 /var/log/secure 和 /var/log/messages 以 GMT 时间写入时间戳。但是,我后来将 tzdata 固定为本地时区,然后启动了 fail2ban。现在 fail2ban 感到困惑,因为所有事件都比其时间早 7 小时,因此不在“findtime”范围内。
简单的解决方案是重新启动 syslogd 和 sshd,这样它们就会选择新的时区。现在 fail2ban 可以像冠军一样阻止。
答案2
从源代码编译 fail2ban 后,它就可以正常工作了。似乎我安装的 debian 软件包apt-get fail2ban仍是一个有缺陷的开发版本。