我遇到过这样一种情况,一些来自摩尔多瓦的 IP 每天都会尝试通过某种暴力攻击来发现我的基本身份验证凭据。
但是我有一个 fail2ban 规则,可以避免这种情况。当我尝试使用 VPN 时,它就起作用了。
三次尝试后触发 fail2ban 的请求示例。我的请求
2016/07/14 15:10:54 [error] 13937#0: *55700 user "engineer" was not found in "/usr/local/nginx/.htpasswd", client: 146.185.31.214, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt"
问题是,来自黑客 IP 的请求不会触发 fail2ban,我不知道为什么。唯一的区别就是如referrer:
你所见。
2016/07/14 01:54:31 [error] 13913#0: *42558 user "engineer" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/
/etc/fail2ban/filter.d/nginx-http-auth.conf
[Definition]
failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
ignoreregex =
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /usr/local/nginx/localhost-error.log
maxretry = 3
所以问题是为什么我的请求触发规则,而攻击者的请求却没有?
日志摘录:
2016/07/14 01:54:27 [error] 13917#0: *42529 user "mts" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/"
2016/07/14 01:54:27 [error] 13917#0: *42530 user "mts" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/"
2016/07/14 01:54:28 [error] 13917#0: *42531 user "telecomadmin" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/"
2016/07/14 01:54:28 [error] 13917#0: *42532 user "telecomadmin" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/"
2016/07/14 01:54:28 [error] 13917#0: *42533 user "mgts" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/"
2016/07/14 01:54:28 [error] 13917#0: *42534 user "mgts" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/"
2016/07/14 01:54:28 [error] 13917#0: *42535 user "admin" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/"
2016/07/14 01:54:28 [error] 13917#0: *42536 user "admin" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/"
2016/07/14 01:54:29 [error] 13917#0: *42539 user "kyivstar" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/"
答案1
host: ...
不确定以下内容对您来说是否太过通用(如果是,请相应地发表评论),但您给出的正则表达式与攻击者生成的日志的值不匹配,特别是/
里面的值。
你可以尝试这个:
failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: ".*"$
^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: ".*"$