The log file /var/log/kern.log contains some IP addresses that I would like the system to ban/block automatically.
Basically, when a packet arrives over UDP and it is a short packet, I want IPTables, via Fail2Ban, to ban the host that sent it.
03-serv:~# cat /var/log/kern.log | grep ' UDP: short packet: From '
Dec 19 16:05:12 03-serv kernel: UDP: short packet: From 74.60.6.213:1900 311/299 to x.x.x.x:27015
Dec 19 16:05:57 03-serv kernel: UDP: short packet: From 1.215.252.130:1900 11297/286 to x.x.x.x:27015
Dec 19 16:08:17 03-serv kernel: UDP: short packet: From 184.0.249.136:1900 363/299 to x.x.x.x:27015
Dec 19 16:09:54 03-serv kernel: UDP: short packet: From 1.214.66.49:1900 11297/310 to x.x.x.x:27015
Dec 19 16:11:28 03-serv kernel: UDP: short packet: From 1.214.214.2:1900 11297/320 to x.x.x.x:27015
Dec 19 18:00:45 03-serv kernel: UDP: short packet: From 74.60.171.197:1900 295/279 to x.x.x.x:27015
Dec 19 18:00:59 03-serv kernel: UDP: short packet: From 112.155.240.24:1900 11297/300 to x.x.x.x:27015
Dec 20 16:02:07 03-serv kernel: UDP: short packet: From 1.220.200.162:1900 11297/312 to x.x.x.x:27015
Dec 20 16:02:30 03-serv kernel: UDP: short packet: From 1.215.123.171:1900 11297/302 to x.x.x.x:27015
Here is my final Fail2Ban jail, jail.conf:
[ddos]
enabled = true
port = 27015
protocol = udp
filter = ddos
logpath = /var/log/kern.log
maxretry = 3
bantime = 6000
And below is my anti-short-UDP filter, /etc/fail2ban/filter.d/ddos.conf:
[Definition]
# Option: failregex
# Notes.: Auto block short UDP.
# Values: TEXT
#
failregex = ^.*kernel: UDP: short packet: From <HOST>:.*$
ignoreregex =
Answer 1
The failregex needs to match the full output, and it can be given as a complete regular expression, like so:
'^.*kernel: UDP: short packet: From <HOST>:.*$'
You can test the regex with the following (see the documentation):
fail2ban-regex -v /var/log/kern.log /etc/fail2ban/filter.d/ddos.conf
Tested and verified as follows:
cwatson@loki:~$ cat ./kern.log
Dec 19 16:05:12 03-serv kernel: UDP: short packet: From 74.60.6.213:1900 311/299 to x.x.x.x:27015
Dec 19 16:05:57 03-serv kernel: UDP: short packet: From 1.215.252.130:1900 11297/286 to x.x.x.x:27015
Dec 19 16:08:17 03-serv kernel: UDP: short packet: From 184.0.249.136:1900 363/299 to x.x.x.x:27015
Dec 19 16:09:54 03-serv kernel: UDP: short packet: From 1.214.66.49:1900 11297/310 to x.x.x.x:27015
Dec 19 16:11:28 03-serv kernel: UDP: short packet: From 1.214.214.2:1900 11297/320 to x.x.x.x:27015
Dec 19 18:00:45 03-serv kernel: UDP: short packet: From 74.60.171.197:1900 295/279 to x.x.x.x:27015
Dec 19 18:00:59 03-serv kernel: UDP: short packet: From 112.155.240.24:1900 11297/300 to x.x.x.x:27015
Dec 20 16:02:07 03-serv kernel: UDP: short packet: From 1.220.200.162:1900 11297/312 to x.x.x.x:27015
Dec 20 16:02:30 03-serv kernel: UDP: short packet: From 1.215.123.171:1900 11297/302 to x.x.x.x:27015
cwatson@loki:~$ fail2ban-regex -v ./kern.log "^.*kernel: UDP: short packet: From <HOST>:.*$"
Running tests
=============
Use failregex line : ^.*kernel: UDP: short packet: From <HOST>:.*$
Use log file : ./kern.log
Results
=======
Failregex: 9 total
|- #) [# of hits] regular expression
| 1) [9] ^.*kernel: UDP: short packet: From <HOST>:.*$
| 74.60.6.213 Fri Dec 19 16:05:12 2014
| 1.215.252.130 Fri Dec 19 16:05:57 2014
| 184.0.249.136 Fri Dec 19 16:08:17 2014
| 1.214.66.49 Fri Dec 19 16:09:54 2014
| 1.214.214.2 Fri Dec 19 16:11:28 2014
| 74.60.171.197 Fri Dec 19 18:00:45 2014
| 112.155.240.24 Fri Dec 19 18:00:59 2014
| 1.220.200.162 Sat Dec 20 16:02:07 2014
| 1.215.123.171 Sat Dec 20 16:02:30 2014
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [9] MONTH Day Hour:Minute:Second
| [0] WEEKDAY MONTH Day Hour:Minute:Second[.subsecond] Year
| [0] WEEKDAY MONTH Day Hour:Minute:Second Year
| [0] WEEKDAY MONTH Day Hour:Minute:Second
| [0] Year/Month/Day Hour:Minute:Second
| [0] Day/Month/Year Hour:Minute:Second
| [0] Day/Month/Year2 Hour:Minute:Second
| [0] Day/MONTH/Year:Hour:Minute:Second
| [0] Month/Day/Year:Hour:Minute:Second
| [0] Year-Month-Day Hour:Minute:Second[,subsecond]
| [0] Year-Month-Day Hour:Minute:Second
| [0] Year.Month.Day Hour:Minute:Second
| [0] Day-MONTH-Year Hour:Minute:Second[.Millisecond]
| [0] Day-Month-Year Hour:Minute:Second
| [0] Month-Day-Year Hour:Minute:Second[.Millisecond]
| [0] TAI64N
| [0] Epoch
| [0] ISO 8601
| [0] Hour:Minute:Second
| [0] <Month/Day/Year@Hour:Minute:Second>
| [0] YearMonthDay Hour:Minute:Second
| [0] Month-Day-Year Hour:Minute:Second
`-
Lines: 9 lines, 0 ignored, 9 matched, 0 missed
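As an added example, not part of the question or the answer above: the matching and counting that the [ddos] jail performs, reimplemented in plain Python over the question's own kern.log lines so the effect of maxretry and findtime can be checked offline. The <HOST> expansion is an IPv4-only approximation of fail2ban's own placeholder, the year 2014 is assumed because syslog timestamps carry none (fail2ban-regex above assumed the same), findtime is assumed to be fail2ban's shipped default of 600 seconds, and the 203.0.113.5 burst/spread lines are constructed to show the sliding window. The sample data reproduces the answer's nine hits; it also shows that with maxretry = 3 none of those nine hosts would actually be banned, because each appears only once.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the kern.log lines quoted in the question, not a live capture.
SAMPLE_LOG = """\
Dec 19 16:05:12 03-serv kernel: UDP: short packet: From 74.60.6.213:1900 311/299 to x.x.x.x:27015
Dec 19 16:05:57 03-serv kernel: UDP: short packet: From 1.215.252.130:1900 11297/286 to x.x.x.x:27015
Dec 19 16:08:17 03-serv kernel: UDP: short packet: From 184.0.249.136:1900 363/299 to x.x.x.x:27015
Dec 19 16:09:54 03-serv kernel: UDP: short packet: From 1.214.66.49:1900 11297/310 to x.x.x.x:27015
Dec 19 16:11:28 03-serv kernel: UDP: short packet: From 1.214.214.2:1900 11297/320 to x.x.x.x:27015
Dec 19 18:00:45 03-serv kernel: UDP: short packet: From 74.60.171.197:1900 295/279 to x.x.x.x:27015
Dec 19 18:00:59 03-serv kernel: UDP: short packet: From 112.155.240.24:1900 11297/300 to x.x.x.x:27015
Dec 20 16:02:07 03-serv kernel: UDP: short packet: From 1.220.200.162:1900 11297/312 to x.x.x.x:27015
Dec 20 16:02:30 03-serv kernel: UDP: short packet: From 1.215.123.171:1900 11297/302 to x.x.x.x:27015
"""

# Constructed: one host hitting three times inside 50 seconds (bans with maxretry = 3).
BURST_LOG = """\
Dec 19 16:05:12 03-serv kernel: UDP: short packet: From 203.0.113.5:1900 311/299 to x.x.x.x:27015
Dec 19 16:05:40 03-serv kernel: UDP: short packet: From 203.0.113.5:1900 311/299 to x.x.x.x:27015
Dec 19 16:06:02 03-serv kernel: UDP: short packet: From 203.0.113.5:1900 311/299 to x.x.x.x:27015
"""

# Constructed: the same host, three hits spread 20 minutes apart (never reaches
# maxretry inside a 600-second findtime window).
SPREAD_LOG = """\
Dec 19 16:00:00 03-serv kernel: UDP: short packet: From 203.0.113.5:1900 311/299 to x.x.x.x:27015
Dec 19 16:20:00 03-serv kernel: UDP: short packet: From 203.0.113.5:1900 311/299 to x.x.x.x:27015
Dec 19 16:40:00 03-serv kernel: UDP: short packet: From 203.0.113.5:1900 311/299 to x.x.x.x:27015
"""

# The failregex exactly as in /etc/fail2ban/filter.d/ddos.conf.
FAILREGEX = r"^.*kernel: UDP: short packet: From <HOST>:.*$"

# fail2ban swaps <HOST> for a named capture group when it loads the filter.
# Assumption: this IPv4-only group is a stand-in for fail2ban's real pattern.
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Leading syslog timestamp ("Dec 19 16:05:12"); the year is absent, so assume one.
DATE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
ASSUMED_YEAR = 2014


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def parse_timestamp(line: str, year: int = ASSUMED_YEAR):
    """Return the line's timestamp as a datetime, or None if there is none."""
    m = DATE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")


def matches(failregex: str, log_text: str):
    """(timestamp, host) for every line the failregex hits, in file order."""
    rx = compile_failregex(failregex)
    hits = []
    for line in log_text.splitlines():
        m = rx.match(line)
        if m:
            hits.append((parse_timestamp(line), m.group("host")))
    return hits


def hosts_to_ban(hits, maxretry: int = 3, findtime: int = 600):
    """Approximate fail2ban's decision: a host is banned once it has at least
    maxretry hits whose timestamps fall within findtime seconds of each other."""
    window = defaultdict(list)   # host -> recent hit timestamps
    banned = []
    for ts, host in hits:
        recent = window[host]
        recent.append(ts)
        # Discard hits older than findtime relative to this newest hit.
        while (ts - recent[0]).total_seconds() > findtime:
            recent.pop(0)
        if len(recent) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    hits = matches(FAILREGEX, SAMPLE_LOG)
    print(f"Failregex: {len(hits)} total")
    for ts, host in hits:
        print(f"  {host:<16} {ts:%a %b %d %H:%M:%S %Y}")
    print("banned with maxretry=3:", hosts_to_ban(hits, maxretry=3))
    print("banned with maxretry=1:", hosts_to_ban(hits, maxretry=1))
    print("burst  sample banned:", hosts_to_ban(matches(FAILREGEX, BURST_LOG)))
    print("spread sample banned:", hosts_to_ban(matches(FAILREGEX, SPREAD_LOG)))
```

The regex part agrees with the fail2ban-regex run in the answer (nine hits, the same nine hosts). The counting part is the practical caveat: the jail as posted needs three hits from one source within findtime, and every source in the sample log hits exactly once, so that configuration would ban nobody on this data; lowering maxretry, or raising findtime, is what would change that, and fail2ban-regex alone does not reveal it because it only reports matches.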