我正在运行 Debian Linux。uname --all显示:
Linux xxx.xx 2.6.32-5-686 #1 SMP Tue May 13 16:33:32 UTC 2014 i686 GNU/Linux
我运行sshd的端口不是 22。我已更新/etc/fail2ban/jail.local为指向新sshd端口。效果很好。我可以尝试使用 ssh 客户端登录该端口,多次输入错误的密码,然后它会通过 iptables 锁定该 IP 地址。
然而,我也在运行一个 apache 网络服务器,它总是受到这样的尝试的影响(来自/var/log/apache2/error.log):
[Sun Nov 02 08:03:13 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/muieblackcat
[Sun Nov 02 08:03:14 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/phpMyAdmin
[Sun Nov 02 08:03:16 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/phpmyadmin
[Sun Nov 02 08:03:16 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/pma
[Sun Nov 02 08:03:16 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/myadmin
[Sun Nov 02 08:03:17 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/MyAdmin
我试图设置fail2ban来读取error.log并通过iptables禁止有问题的IP地址,但我无法让它工作。
就像我说的,它对于 ssh 非常有效,但对于 apache 则不然。这是我的本地监狱:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8 67.159.128.0/19
# bantime = 21600 == 6 hours
bantime = 21600
#findtime, in seconds. 300 = 5 minutes, 10800 = 3 hours
findtime = 10800
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = auto
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost
#
# ACTIONS
#
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overriden globally or per
# section within jail.local file
banaction = iptables-multiport
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
#
# Action shortcuts. To be used to define action parameter
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=
%(logpath)s]
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in
jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
#
# JAILS
#
# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local
# we are banning port xxxxx instead of ssh because I use port xxxxx instead
[ssh]
enabled = true
port = xxxxx
filter = sshd
logpath = /var/log/auth.log
findtime = 300
maxretry = 4
#
# HTTP servers
#
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/*error.log
findtime = 10800
maxretry = 3
# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/*error.log
findtime = 300
maxretry = 3
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/*error.log
findtime = 300
maxretry = 4
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache2/*error.log
findtime = 300
maxretry = 2
[apache-misc]
enabled = true
port = http,https
filter = apache-misc
logpath = /var/log/apache2/*error.log
findtime = 10800
maxretry = 2
这是我的 /etc/fail2ban/apache-misc 文件:
[Definition]
failregex = <HOST>.*"[A-Z]* /(cms|user|muieblackcat|db|cpcommerce|wp-login|joomla| awstatstotals|wp-content|wp-includes|pma|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin| mypma|admin|xampp|mysqldb|pmadb|phpmyadmin1|phpmyadmin2).*"
<HOST>.*\" (502|500|417|416|415|414|413|412|404|405|403|401|400)
ignoreregex = .*\"GET \/(press|mailto|domestic|word).*
有人可以提供任何建议吗?
答案1
我建议从正则表达式条件的一小部分开始,使用推荐的语法,如下所示......
failregex = [[]client (?P<host>\S*)[]] File does not exist: .*/(muieblackcat|phpmyadmin)
您始终可以在它的基础上进行构建,并且可以轻松测试您的正则表达式。进行更改后,不要忘记重新加载fail2ban。