修改 fail2ban failregex 以匹配通过 ssh 失败的公钥认证

fail2ban does not recognise failed public key ssh logins, which I think could be solved by modifying failregex in /etc/fail2ban/filter.d/sshd.config to match the following line:

<date> <time> <server-hostname> sshd[25917]: Connection closed by <client-ip> [preauth]

But I can't find a decent introduction on how to properly modify the above failregex. Since I don't really know which variables ^%(__prefix_line)s contains, it is hard to come up with a working regex.

I know the newest version 0.9.1 contains a regex matching the "Connection closed by [preauth]" line, but I am using fail2ban from the Debian repositories and the 0.9.1 config is not compatible with what I have.

Answer 1

This line does it:

^%(__prefix_line)sConnection closed by <HOST> \[preauth\]$

Tested with the following log string:

Apr 29 12:30:12 sendai sshd[25917]: Connection closed by 127.0.0.1 [preauth]

Tested successfully:

$ fail2ban-regex ~/ssh.log sshd.conf 

Running tests
=============

Use regex file : sshd.conf
Use log file   : /home/user/ssh.log


Results
=======

Failregex
|- Regular expressions:
[...]
|  [12] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Connection closed by <HOST> \[preauth\]$
|
`- Number of matches:
[...]
   [12] 1 match(es)

Summary
=======

Addresses found:
[...]
[12]
    127.0.0.1 (Wed Apr 29 12:30:12 2015)
[..]

Success, the total number of match is 1

Answer 2

No regex hacking needed (at least since fail2ban 0.10.4). Here is the info from /etc/fail2ban/jail.conf:

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal

So follow the advice and create /etc/fail2ban/jail.local with your other custom settings and one of the stricter modes, e.g.

[sshd]
mode   = aggressive

This mode now covers failed public keys.

Answer 3

At least in openssh 7.3, the log message also contains the port number. So I had to change sebix's solution to the following:

^%(__prefix_line)sConnection closed by <HOST> port \d+ \[preauth\]$

Answer 4

For me this approach works better, because I got a lot of legitimate log entries that, at least in OpenSSH version 6.6.1, match the "Connection closed" regex. I believe it also covers the new OpenSSH log format which includes "port":

^%(__prefix_line)sDid not receive identification string from <HOST>\s*$
^%(__prefix_line)sReceived disconnect from <HOST>: (port \d*: ){,1}11: (Bye Bye){,1} \[preauth\]\s*$

$ cat /etc/*relea* | grep -i desc
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"

$ fail2ban-regex /var/log/auth.log filter.d/sshd.conf

Running tests
=============

Use   failregex file : filter.d/sshd.conf
Use         log file : /var/log/auth.log


Results
=======

Failregex: 39 total
|-  #) [# of hits] regular expression
|  12) [16] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Did not receive identification string from <HOST>\s*$
|  13) [23] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Received disconnect from <HOST>: (port \d*: ){,1}11: (Bye Bye){,1} \[preauth\]\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [62412] MONTH Day Hour:Minute:Second
`-

Lines: 62412 lines, 0 ignored, 39 matched, 62373 missed
Missed line(s):: too many to print.  Use --print-all-missed to print all 62373 lines

$ grep "Did not receive identification string from" /var/log/auth.log | wc -l
16
$ grep "Received disconnect from" /var/log/auth.log | grep -v x.x.x.x | wc -l
23
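The candidate failregex lines from answers 1, 3 and 4 can be checked offline against sample log lines much as fail2ban-regex does. The script below is an added example, not code from the answers or from the fail2ban project: it reuses the __prefix_line expansion that fail2ban-regex printed in answer 1, while the <HOST> substitution and the timestamp stripping are assumed simplifications of what fail2ban really does, and the log lines are constructed.

```python
import re

# __prefix_line as fail2ban-regex printed it in answer 1 (the leading ^ belongs
# to each failregex itself, so it is left out here).
PREFIX_LINE = (
    r"\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?"
    r"(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|"
    r"[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*"
)
# Assumed <HOST> expansion: optional IPv4-mapped prefix, then the captured host.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# fail2ban removes the matched timestamp before applying failregex; this is a
# simplified stand-in for its date detector (syslog "Mon DD HH:MM:SS" only).
SYSLOG_DATE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")

# The failregex lines proposed in the answers, in fail2ban's own notation.
FAILREGEX = {
    "closed":      r"^%(__prefix_line)sConnection closed by <HOST> \[preauth\]$",
    "closed_port": r"^%(__prefix_line)sConnection closed by <HOST> port \d+ \[preauth\]$",
    "no_ident":    r"^%(__prefix_line)sDid not receive identification string from <HOST>\s*$",
    "disconnect":  r"^%(__prefix_line)sReceived disconnect from <HOST>: (port \d*: ){,1}11: (Bye Bye){,1} \[preauth\]\s*$",
}

def compile_failregex(pattern):
    """Expand %(__prefix_line)s and <HOST> the way the filter loader does."""
    expanded = pattern % {"__prefix_line": PREFIX_LINE}
    return re.compile(expanded.replace("<HOST>", HOST))

COMPILED = {name: compile_failregex(p) for name, p in FAILREGEX.items()}

def scan(lines):
    """Return {failregex name: [hosts]} for every line each pattern catches."""
    hits = {name: [] for name in COMPILED}
    for line in lines:
        body = SYSLOG_DATE.sub("", line.rstrip("\n"), count=1)
        for name, rx in COMPILED.items():
            m = rx.match(body)
            if m:
                hits[name].append(m.group("host"))
    return hits

# Constructed sample lines (not from a real server): pre-7.3 and 7.3-style
# "Connection closed", the two answer-4 patterns, and one successful login
# that no failregex should catch.
SAMPLE_LOG = [
    "Apr 29 12:30:12 sendai sshd[25917]: Connection closed by 127.0.0.1 [preauth]",
    "Apr 29 12:31:02 sendai sshd[25920]: Connection closed by 192.0.2.7 port 51234 [preauth]",
    "Apr 29 12:32:44 sendai sshd[25925]: Did not receive identification string from 198.51.100.9",
    "Apr 29 12:33:10 sendai sshd[25930]: Received disconnect from 203.0.113.5: 11: Bye Bye [preauth]",
    "Apr 29 12:33:15 sendai sshd[25931]: Received disconnect from 203.0.113.6: port 4022: 11: Bye Bye [preauth]",
    "Apr 29 12:34:00 sendai sshd[25940]: Accepted publickey for alice from 192.0.2.50 port 50000 ssh2",
]
```

Running `scan(SAMPLE_LOG)` shows that the answer-1 pattern and the answer-3 pattern are mutually exclusive (each catches only its own log format), which is why a filter needs both or the answer-4 pair instead.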
