我为 fail2ban 添加了 xmlrpc jail 来防御持续攻击。apache access.log 如下...
191.96.249.80 - - [16/Dec/2016:14:54:21 +0000] "POST /xmlrpc.php HTTP/1.0" 403 469 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.80 - - [16/Dec/2016:14:54:21 +0000] "POST /xmlrpc.php HTTP/1.0" 403 469 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.80 - - [16/Dec/2016:14:54:21 +0000] "POST /xmlrpc.php HTTP/1.0" 403 469 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.80 - - [16/Dec/2016:14:54:22 +0000] "POST /xmlrpc.php HTTP/1.0" 403 469 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
我禁止 def 失败的原因如下...
[Definition]
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =
这似乎不匹配,因为 fail2ban 日志中没有出现 xmlrpc 的任何内容,但 fail2ban 确实报告 jail 处于活动状态。
我的 jail 在 jail.conf 文件中是这样设置的。
[xmlrpc]
enabled = true
filter = xmlrpc
action = iptables[name=xmlrpc, port=http, protocol=tcp]
logpath = /var/log/apache2/access.log
bantime = 43600
maxretry = 0
有人知道为什么它可能不匹配吗?
答案1
我最终弄清楚了。原来是我错过了 xmlrpc jail 设置中的端口定义。
[xmlrpc]
enabled = true
filter = xmlrpc
port = http,https
action = iptables[name=xmlrpc, port=http, protocol=tcp]
logpath = /var/log/apache2/access.log
bantime = 43600
maxretry = 0
现在运行完美