Fail2ban 与 OpenVPN 访问服务器

Question 1

以下 failregex 对我有用：

failregex = <HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*

测试fail2ban-regex给出：

$ fail2ban-regex -v --print-all-matched openvpn.log "<HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*"

Running tests
=============

Use   failregex line : <HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*
Use         log file : openvpn.log
Use         encoding : UTF-8


Results
=======

Failregex: 7 total
|-  #) [# of hits] regular expression
|   1) [7] <HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*
|      31.77.70.2  Mon Mar 26 14:23:23 2018
|      31.77.70.2  Mon Mar 26 14:53:43 2018
|      31.77.70.2  Mon Mar 26 14:54:42 2018
|      31.77.70.2  Mon Mar 26 14:55:09 2018
|      31.77.70.2  Mon Mar 26 15:16:52 2018
|      31.77.70.2  Mon Mar 26 15:19:14 2018
|      31.77.70.2  Mon Mar 26 15:20:59 2018
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [5664] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
|  [413] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
|  [0] Day(?P<_sep>[-/])Month(?P=_sep)(?:Year|Year2) 24hour:Minute:Second
|  [0] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
|  [0] Month/Day/Year:24hour:Minute:Second
|  [0] Month-Day-Year 24hour:Minute:Second\.Microseconds
|  [0] TAI64N
|  [0] Epoch
|  [0] Year-Month-Day[T ]24hour:Minute:Second(?:\.Microseconds)?(?:Zone offset)?
|  [0] ^24hour:Minute:Second
|  [0] ^<Month/Day/Year2@24hour:Minute:Second>
|  [0] ^Year2MonthDay  ?24hour:Minute:Second
|  [0] MON Day, Year 12hour:Minute:Second AMPM
|  [0] ^MON-Day-Year2 24hour:Minute:Second
`-

Lines: 6077 lines, 0 ignored, 7 matched, 6070 missed [processed in 3.84 sec]
|- Matched line(s):
|  2018-03-26 14:23:23+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:23:23 2018 31.77.70.2:58835 SENT CONTROL [njarvis]: 'AUTH_FAILED' (status=1)"
|  2018-03-26 14:53:43+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:53:43 2018 31.77.70.2:62055 SENT CONTROL [njarvis]: 'AUTH_FAILED' (status=1)"
|  2018-03-26 14:54:42+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:54:42 2018 31.77.70.2:57913 SENT CONTROL [njarvis]: 'AUTH_FAILED' (status=1)"
|  2018-03-26 14:55:09+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:55:09 2018 31.77.70.2:58704 SENT CONTROL [njarvis]: 'AUTH_FAILED' (status=1)"
|  2018-03-26 15:16:52+0100 [-] OVPN 4 OUT: "Mon Mar 26 15:16:52 2018 31.77.70.2:55038 SENT CONTROL [test]: 'AUTH_FAILED' (status=1)"
|  2018-03-26 15:19:14+0100 [-] OVPN 4 OUT: "Mon Mar 26 15:19:14 2018 31.77.70.2:50027 SENT CONTROL [test]: 'AUTH_FAILED,REVOKED: client certificate has been revoked' (status=1)"
|  2018-03-26 15:20:59+0100 [-] OVPN 4 OUT: "Mon Mar 26 15:20:59 2018 31.77.70.2:49564 SENT CONTROL [njarvis]: 'AUTH_FAILED' (status=1)"
`-
Missed line(s): too many to print.  Use --print-all-missed to print all 6070 lines

Answer

以下 failregex 对我有用：

failregex = <HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*

测试fail2ban-regex给出：

$ fail2ban-regex -v --print-all-matched openvpn.log "<HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*"

Running tests
=============

Use   failregex line : <HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*
Use         log file : openvpn.log
Use         encoding : UTF-8


Results
=======

Failregex: 7 total
|-  #) [# of hits] regular expression
|   1) [7] <HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*
|      31.77.70.2  Mon Mar 26 14:23:23 2018
|      31.77.70.2  Mon Mar 26 14:53:43 2018
|      31.77.70.2  Mon Mar 26 14:54:42 2018
|      31.77.70.2  Mon Mar 26 14:55:09 2018
|      31.77.70.2  Mon Mar 26 15:16:52 2018
|      31.77.70.2  Mon Mar 26 15:19:14 2018
|      31.77.70.2  Mon Mar 26 15:20:59 2018
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [5664] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
|  [413] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
|  [0] Day(?P<_sep>[-/])Month(?P=_sep)(?:Year|Year2) 24hour:Minute:Second
|  [0] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
|  [0] Month/Day/Year:24hour:Minute:Second
|  [0] Month-Day-Year 24hour:Minute:Second\.Microseconds
|  [0] TAI64N
|  [0] Epoch
|  [0] Year-Month-Day[T ]24hour:Minute:Second(?:\.Microseconds)?(?:Zone offset)?
|  [0] ^24hour:Minute:Second
|  [0] ^<Month/Day/Year2@24hour:Minute:Second>
|  [0] ^Year2MonthDay  ?24hour:Minute:Second
|  [0] MON Day, Year 12hour:Minute:Second AMPM
|  [0] ^MON-Day-Year2 24hour:Minute:Second
`-

Lines: 6077 lines, 0 ignored, 7 matched, 6070 missed [processed in 3.84 sec]
|- Matched line(s):
|  2018-03-26 14:23:23+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:23:23 2018 31.77.70.2:58835 SENT CONTROL [njarvis]: 'AUTH_FAILED' (status=1)"
|  2018-03-26 14:53:43+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:53:43 2018 31.77.70.2:62055 SENT CONTROL [njarvis]: 'AUTH_FAILED' (status=1)"
|  2018-03-26 14:54:42+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:54:42 2018 31.77.70.2:57913 SENT CONTROL [njarvis]: 'AUTH_FAILED' (status=1)"
|  2018-03-26 14:55:09+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:55:09 2018 31.77.70.2:58704 SENT CONTROL [njarvis]: 'AUTH_FAILED' (status=1)"
|  2018-03-26 15:16:52+0100 [-] OVPN 4 OUT: "Mon Mar 26 15:16:52 2018 31.77.70.2:55038 SENT CONTROL [test]: 'AUTH_FAILED' (status=1)"
|  2018-03-26 15:19:14+0100 [-] OVPN 4 OUT: "Mon Mar 26 15:19:14 2018 31.77.70.2:50027 SENT CONTROL [test]: 'AUTH_FAILED,REVOKED: client certificate has been revoked' (status=1)"
|  2018-03-26 15:20:59+0100 [-] OVPN 4 OUT: "Mon Mar 26 15:20:59 2018 31.77.70.2:49564 SENT CONTROL [njarvis]: 'AUTH_FAILED' (status=1)"
`-
Missed line(s): too many to print.  Use --print-all-missed to print all 6070 lines

Question 2

谢谢你尼尔。

以下是我的 filter.d 文件的内容：

failregex = <HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*
ignoreregex = <HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED,SESSION

Answer

谢谢你尼尔。

以下是我的 filter.d 文件的内容：

failregex = <HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*
ignoreregex = <HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED,SESSION

Fail2ban 与 OpenVPN 访问服务器

答案1

答案2

相关内容