fail2ban not matching xmlrpc

I added an xmlrpc jail to fail2ban to defend against an ongoing attack. The Apache access.log looks like this...

191.96.249.80 - - [16/Dec/2016:14:54:21 +0000] "POST /xmlrpc.php HTTP/1.0" 403 469 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.80 - - [16/Dec/2016:14:54:21 +0000] "POST /xmlrpc.php HTTP/1.0" 403 469 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.80 - - [16/Dec/2016:14:54:21 +0000] "POST /xmlrpc.php HTTP/1.0" 403 469 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.80 - - [16/Dec/2016:14:54:22 +0000] "POST /xmlrpc.php HTTP/1.0" 403 469 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

My failregex definition is as follows...

[Definition]
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =

It doesn't seem to match, since nothing about xmlrpc appears in the fail2ban log, but fail2ban does report the jail as active.

My jail is set up like this in the jail.conf file.

[xmlrpc]
enabled = true
filter = xmlrpc
action = iptables[name=xmlrpc, port=http, protocol=tcp]
logpath = /var/log/apache2/access.log
bantime = 43600
maxretry = 0

Does anyone know why it might not be matching?
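Before changing jail settings, it is worth checking the filter on its own against the log lines it is supposed to catch. The script below is an added example (not part of the question or of fail2ban itself): it expands the `<HOST>` tag in the question's failregex the way fail2ban does (the `HOST_TAG` pattern is an assumption based on the 0.9.x series), runs it over a constructed sample log modelled on the excerpt above, and counts matches per host. A GET to xmlrpc.php from a documentation-range address (203.0.113.7) is included to show the filter stays selective.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the access.log excerpt in the question:
# four POSTs to xmlrpc.php from one address, plus two requests from a
# documentation-range address (203.0.113.7) that the filter must NOT match.
SAMPLE_LOG = """\
191.96.249.80 - - [16/Dec/2016:14:54:21 +0000] "POST /xmlrpc.php HTTP/1.0" 403 469 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.80 - - [16/Dec/2016:14:54:21 +0000] "POST /xmlrpc.php HTTP/1.0" 403 469 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.80 - - [16/Dec/2016:14:54:21 +0000] "POST /xmlrpc.php HTTP/1.0" 403 469 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.80 - - [16/Dec/2016:14:54:22 +0000] "POST /xmlrpc.php HTTP/1.0" 403 469 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.7 - - [16/Dec/2016:14:55:02 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "curl/7.47.0"
203.0.113.7 - - [16/Dec/2016:14:55:03 +0000] "GET /xmlrpc.php HTTP/1.1" 405 0 "-" "curl/7.47.0"
"""

# The failregex exactly as written in the question's filter definition.
FAILREGEX = r"^<HOST> .*POST .*xmlrpc\.php.*"

# Approximation of what fail2ban substitutes for the <HOST> tag (assumption
# based on the 0.9.x series): it captures an IPv4/IPv6 address or hostname
# into a group named "host".
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def compile_failregex(failregex):
    """Expand the <HOST> tag and compile the fail2ban-style pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def match_hosts(log_text, failregex):
    """Return a Counter of host -> number of log lines the filter matched."""
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def hosts_to_ban(counts, maxretry):
    """Hosts whose match count reached maxretry. fail2ban bans a host once
    its failure count within findtime reaches maxretry."""
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    counts = match_hosts(SAMPLE_LOG, FAILREGEX)
    for host, n in counts.items():
        print(f"{host}: {n} matching line(s)")
    print("would ban with maxretry=3:", hosts_to_ban(counts, 3))
```

On a real host the equivalent check is `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/xmlrpc.conf`, which reports how many lines the filter matched; if that count is non-zero, the filter is fine and the problem lies in the jail or action configuration rather than in the regex.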

Answer 1

I eventually figured it out. It turned out I had missed the port definition in the xmlrpc jail settings.

[xmlrpc]
enabled = true
filter = xmlrpc
port = http,https
action = iptables[name=xmlrpc, port=http, protocol=tcp]
logpath = /var/log/apache2/access.log
bantime = 43600
maxretry = 0

Works perfectly now.
