如何使用Fail2Ban自动禁止UDP短数据包？

Question

需要failregex匹配完整的输出，并且可以采用完整正则表达式的形式，因此如下所示：

'^.*kernel: UDP: short packet: From <HOST>:.*$'

您可以使用 ( 来测试正则表达式文档)：

fail2ban-regex -v /var/log/kern.log /etc/fail2ban/filter.d/ddos.conf

经过以下测试和验证：

cwatson@loki:~$ cat ./kern.log
Dec 19 16:05:12 03-serv kernel: UDP: short packet: From 74.60.6.213:1900 311/299 to x.x.x.x:27015
Dec 19 16:05:57 03-serv kernel: UDP: short packet: From 1.215.252.130:1900 11297/286 to x.x.x.x:27015
Dec 19 16:08:17 03-serv kernel: UDP: short packet: From 184.0.249.136:1900 363/299 to x.x.x.x:27015
Dec 19 16:09:54 03-serv kernel: UDP: short packet: From 1.214.66.49:1900 11297/310 to x.x.x.x:27015
Dec 19 16:11:28 03-serv kernel: UDP: short packet: From 1.214.214.2:1900 11297/320 to x.x.x.x:27015
Dec 19 18:00:45 03-serv kernel: UDP: short packet: From 74.60.171.197:1900 295/279 to x.x.x.x:27015
Dec 19 18:00:59 03-serv kernel: UDP: short packet: From 112.155.240.24:1900 11297/300 to x.x.x.x:27015
Dec 20 16:02:07 03-serv kernel: UDP: short packet: From 1.220.200.162:1900 11297/312 to x.x.x.x:27015
Dec 20 16:02:30 03-serv kernel: UDP: short packet: From 1.215.123.171:1900 11297/302 to x.x.x.x:27015

cwatson@loki:~$ fail2ban-regex -v ./kern.log "^.*kernel: UDP: short packet: From <HOST>:.*$"

Running tests
=============

Use   failregex line : ^.*kernel: UDP: short packet: From <HOST>:.*$
Use         log file : ./kern.log


Results
=======

Failregex: 9 total
|-  #) [# of hits] regular expression
|   1) [9] ^.*kernel: UDP: short packet: From <HOST>:.*$
|      74.60.6.213  Fri Dec 19 16:05:12 2014
|      1.215.252.130  Fri Dec 19 16:05:57 2014
|      184.0.249.136  Fri Dec 19 16:08:17 2014
|      1.214.66.49  Fri Dec 19 16:09:54 2014
|      1.214.214.2  Fri Dec 19 16:11:28 2014
|      74.60.171.197  Fri Dec 19 18:00:45 2014
|      112.155.240.24  Fri Dec 19 18:00:59 2014
|      1.220.200.162  Sat Dec 20 16:02:07 2014
|      1.215.123.171  Sat Dec 20 16:02:30 2014
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [9] MONTH Day Hour:Minute:Second
|  [0] WEEKDAY MONTH Day Hour:Minute:Second[.subsecond] Year
|  [0] WEEKDAY MONTH Day Hour:Minute:Second Year
|  [0] WEEKDAY MONTH Day Hour:Minute:Second
|  [0] Year/Month/Day Hour:Minute:Second
|  [0] Day/Month/Year Hour:Minute:Second
|  [0] Day/Month/Year2 Hour:Minute:Second
|  [0] Day/MONTH/Year:Hour:Minute:Second
|  [0] Month/Day/Year:Hour:Minute:Second
|  [0] Year-Month-Day Hour:Minute:Second[,subsecond]
|  [0] Year-Month-Day Hour:Minute:Second
|  [0] Year.Month.Day Hour:Minute:Second
|  [0] Day-MONTH-Year Hour:Minute:Second[.Millisecond]
|  [0] Day-Month-Year Hour:Minute:Second
|  [0] Month-Day-Year Hour:Minute:Second[.Millisecond]
|  [0] TAI64N
|  [0] Epoch
|  [0] ISO 8601
|  [0] Hour:Minute:Second
|  [0] <Month/Day/Year@Hour:Minute:Second>
|  [0] YearMonthDay Hour:Minute:Second
|  [0] Month-Day-Year Hour:Minute:Second
`-

Lines: 9 lines, 0 ignored, 9 matched, 0 missed

Answer 1

需要failregex匹配完整的输出，并且可以采用完整正则表达式的形式，因此如下所示：

'^.*kernel: UDP: short packet: From <HOST>:.*$'

您可以使用 ( 来测试正则表达式文档)：

fail2ban-regex -v /var/log/kern.log /etc/fail2ban/filter.d/ddos.conf

经过以下测试和验证：

cwatson@loki:~$ cat ./kern.log
Dec 19 16:05:12 03-serv kernel: UDP: short packet: From 74.60.6.213:1900 311/299 to x.x.x.x:27015
Dec 19 16:05:57 03-serv kernel: UDP: short packet: From 1.215.252.130:1900 11297/286 to x.x.x.x:27015
Dec 19 16:08:17 03-serv kernel: UDP: short packet: From 184.0.249.136:1900 363/299 to x.x.x.x:27015
Dec 19 16:09:54 03-serv kernel: UDP: short packet: From 1.214.66.49:1900 11297/310 to x.x.x.x:27015
Dec 19 16:11:28 03-serv kernel: UDP: short packet: From 1.214.214.2:1900 11297/320 to x.x.x.x:27015
Dec 19 18:00:45 03-serv kernel: UDP: short packet: From 74.60.171.197:1900 295/279 to x.x.x.x:27015
Dec 19 18:00:59 03-serv kernel: UDP: short packet: From 112.155.240.24:1900 11297/300 to x.x.x.x:27015
Dec 20 16:02:07 03-serv kernel: UDP: short packet: From 1.220.200.162:1900 11297/312 to x.x.x.x:27015
Dec 20 16:02:30 03-serv kernel: UDP: short packet: From 1.215.123.171:1900 11297/302 to x.x.x.x:27015

cwatson@loki:~$ fail2ban-regex -v ./kern.log "^.*kernel: UDP: short packet: From <HOST>:.*$"

Running tests
=============

Use   failregex line : ^.*kernel: UDP: short packet: From <HOST>:.*$
Use         log file : ./kern.log


Results
=======

Failregex: 9 total
|-  #) [# of hits] regular expression
|   1) [9] ^.*kernel: UDP: short packet: From <HOST>:.*$
|      74.60.6.213  Fri Dec 19 16:05:12 2014
|      1.215.252.130  Fri Dec 19 16:05:57 2014
|      184.0.249.136  Fri Dec 19 16:08:17 2014
|      1.214.66.49  Fri Dec 19 16:09:54 2014
|      1.214.214.2  Fri Dec 19 16:11:28 2014
|      74.60.171.197  Fri Dec 19 18:00:45 2014
|      112.155.240.24  Fri Dec 19 18:00:59 2014
|      1.220.200.162  Sat Dec 20 16:02:07 2014
|      1.215.123.171  Sat Dec 20 16:02:30 2014
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [9] MONTH Day Hour:Minute:Second
|  [0] WEEKDAY MONTH Day Hour:Minute:Second[.subsecond] Year
|  [0] WEEKDAY MONTH Day Hour:Minute:Second Year
|  [0] WEEKDAY MONTH Day Hour:Minute:Second
|  [0] Year/Month/Day Hour:Minute:Second
|  [0] Day/Month/Year Hour:Minute:Second
|  [0] Day/Month/Year2 Hour:Minute:Second
|  [0] Day/MONTH/Year:Hour:Minute:Second
|  [0] Month/Day/Year:Hour:Minute:Second
|  [0] Year-Month-Day Hour:Minute:Second[,subsecond]
|  [0] Year-Month-Day Hour:Minute:Second
|  [0] Year.Month.Day Hour:Minute:Second
|  [0] Day-MONTH-Year Hour:Minute:Second[.Millisecond]
|  [0] Day-Month-Year Hour:Minute:Second
|  [0] Month-Day-Year Hour:Minute:Second[.Millisecond]
|  [0] TAI64N
|  [0] Epoch
|  [0] ISO 8601
|  [0] Hour:Minute:Second
|  [0] <Month/Day/Year@Hour:Minute:Second>
|  [0] YearMonthDay Hour:Minute:Second
|  [0] Month-Day-Year Hour:Minute:Second
`-

Lines: 9 lines, 0 ignored, 9 matched, 0 missed

如何使用Fail2Ban自动禁止UDP短数据包？

答案1

相关内容