An example line from the log file /var/log/openvpnas.log:
2017-07-22 01:13:51+0200 [-] OVPN 4 OUT: "Fri Jul 21 23:13:51 2017 62.140.147.120:5414 SENT CONTROL [jeff]: 'AUTH_FAILED' (status=1)"
I want to use fail2ban to block the IP address 62.140.147.120 because AUTH_FAILED is in that line, as shown in the example line. I have spent hours trying to achieve this. Searching on Google. Trying regular expressions. Still can't get it to work.
So far, the line in openvpn.conf that I think is most logical:
failregex = ^ ... OVPN 4 OUT: \".* .* .* ..:..:.. .... <HOST>:.* SENT CONTROL .*: \'AUTH_FAILED\' $
But the command:
fail2ban-regex /var/log/openvpnas.log /etc/fail2ban/filter.d/openvpn.conf
keeps saying: 0 matches
Can someone help me? What parameter for "failregex" do I have to enter in openvpn.conf?
Answer 1
The following failregex works for me:
failregex = <HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*
Testing with fail2ban-regex gives:
$ fail2ban-regex -v --print-all-matched openvpn.log "<HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*"
Running tests
=============
Use failregex line : <HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*
Use log file : openvpn.log
Use encoding : UTF-8
Results
=======
Failregex: 7 total
|- #) [# of hits] regular expression
| 1) [7] <HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*
| 31.77.70.2 Mon Mar 26 14:23:23 2018
| 31.77.70.2 Mon Mar 26 14:53:43 2018
| 31.77.70.2 Mon Mar 26 14:54:42 2018
| 31.77.70.2 Mon Mar 26 14:55:09 2018
| 31.77.70.2 Mon Mar 26 15:16:52 2018
| 31.77.70.2 Mon Mar 26 15:19:14 2018
| 31.77.70.2 Mon Mar 26 15:20:59 2018
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [5664] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
| [413] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
| [0] Day(?P<_sep>[-/])Month(?P=_sep)(?:Year|Year2) 24hour:Minute:Second
| [0] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
| [0] Month/Day/Year:24hour:Minute:Second
| [0] Month-Day-Year 24hour:Minute:Second\.Microseconds
| [0] TAI64N
| [0] Epoch
| [0] Year-Month-Day[T ]24hour:Minute:Second(?:\.Microseconds)?(?:Zone offset)?
| [0] ^24hour:Minute:Second
| [0] ^<Month/Day/Year2@24hour:Minute:Second>
| [0] ^Year2MonthDay ?24hour:Minute:Second
| [0] MON Day, Year 12hour:Minute:Second AMPM
| [0] ^MON-Day-Year2 24hour:Minute:Second
`-
Lines: 6077 lines, 0 ignored, 7 matched, 6070 missed [processed in 3.84 sec]
|- Matched line(s):
| 2018-03-26 14:23:23+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:23:23 2018 31.77.70.2:58835 SENT CONTROL [njarvis]: 'AUTH_FAILED' (status=1)"
| 2018-03-26 14:53:43+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:53:43 2018 31.77.70.2:62055 SENT CONTROL [njarvis]: 'AUTH_FAILED' (status=1)"
| 2018-03-26 14:54:42+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:54:42 2018 31.77.70.2:57913 SENT CONTROL [njarvis]: 'AUTH_FAILED' (status=1)"
| 2018-03-26 14:55:09+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:55:09 2018 31.77.70.2:58704 SENT CONTROL [njarvis]: 'AUTH_FAILED' (status=1)"
| 2018-03-26 15:16:52+0100 [-] OVPN 4 OUT: "Mon Mar 26 15:16:52 2018 31.77.70.2:55038 SENT CONTROL [test]: 'AUTH_FAILED' (status=1)"
| 2018-03-26 15:19:14+0100 [-] OVPN 4 OUT: "Mon Mar 26 15:19:14 2018 31.77.70.2:50027 SENT CONTROL [test]: 'AUTH_FAILED,REVOKED: client certificate has been revoked' (status=1)"
| 2018-03-26 15:20:59+0100 [-] OVPN 4 OUT: "Mon Mar 26 15:20:59 2018 31.77.70.2:49564 SENT CONTROL [njarvis]: 'AUTH_FAILED' (status=1)"
`-
Missed line(s): too many to print. Use --print-all-missed to print all 6070 lines
Answer 2
Thanks Neil.
Here is the content of my filter.d file:
failregex = <HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*
ignoreregex = <HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED,SESSION
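To see what the failregex from Answer 1 and the ignoreregex from Answer 2 actually select, here is an added Python example (not fail2ban's own code and not from either answer) that applies both patterns the way the filter step does, over constructed log lines in the same OVPN 4 OUT format. The IPv4-only stand-in for <HOST>, the sample addresses and the maxretry value are assumptions.

```python
import re
from collections import Counter

# fail2ban expands <HOST> to a pattern for IPv4/IPv6 addresses and hostnames;
# this IPv4-only stand-in is an assumption made for the example.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The patterns from the answers above, as written in filter.d/openvpn.conf.
FAILREGEX = r"<HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*"
IGNOREREGEX = r"<HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED,SESSION"

# Constructed sample lines in the /var/log/openvpnas.log format (documentation IPs).
SAMPLE_LOG = """\
2018-03-26 14:23:23+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:23:23 2018 192.0.2.10:58835 SENT CONTROL [alice]: 'AUTH_FAILED' (status=1)"
2018-03-26 14:25:01+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:25:01 2018 192.0.2.10:58840 SENT CONTROL [alice]: 'AUTH_FAILED' (status=1)"
2018-03-26 14:26:12+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:26:12 2018 192.0.2.10:58851 SENT CONTROL [alice]: 'AUTH_FAILED,SESSION: token expired' (status=1)"
2018-03-26 14:27:40+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:27:40 2018 198.51.100.7:50027 SENT CONTROL [bob]: 'AUTH_FAILED,REVOKED: client certificate has been revoked' (status=1)"
2018-03-26 14:28:03+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:28:03 2018 203.0.113.5:49564 SENT CONTROL [carol]: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0' (status=1)"
2018-03-26 14:29:55+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:29:55 2018 192.0.2.10:58860 SENT CONTROL [alice]: 'AUTH_FAILED' (status=1)"
""".splitlines()


def compile_filter(pattern):
    """Turn a fail2ban filter pattern into a Python regex by expanding <HOST>."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def find_failures(lines, failregex=FAILREGEX, ignoreregex=IGNOREREGEX):
    """Host of every line that matches failregex and does not match ignoreregex."""
    fail, ignore = compile_filter(failregex), compile_filter(ignoreregex)
    hosts = []
    for line in lines:
        match = fail.search(line)
        # A failregex hit is discarded again when ignoreregex also matches the line.
        if match and not ignore.search(line):
            hosts.append(match.group("host"))
    return hosts


def hosts_to_ban(lines, maxretry=3):
    """Hosts whose failure count reached maxretry, the jail's ban threshold."""
    counts = Counter(find_failures(lines))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print(find_failures(SAMPLE_LOG))  # ['192.0.2.10', '192.0.2.10', '198.51.100.7', '192.0.2.10']
    print(hosts_to_ban(SAMPLE_LOG))   # ['192.0.2.10']
```

One reason the pattern in the question cannot match is its trailing `\'AUTH_FAILED\' $`, which requires the line to end right after the closing quote, while the logged line continues with ` (status=1)"`.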