Fail2ban and OpenVPN Access Server

Sample line from the log file /var/log/openvpnas.log:

2017-07-22 01:13:51+0200 [-] OVPN 4 OUT: "Fri Jul 21 23:13:51 2017 62.140.147.120:5414 SENT CONTROL [jeff]: 'AUTH_FAILED' (status=1)"

I want to use fail2ban to block the IP address 62.140.147.120 because AUTH_FAILED appears in that line, as shown in the sample line above. I have spent several hours trying to get this working. Searching on Google. Trying regular expressions. Still can't get it to work.

So far, the most logical line I can come up with for openvpn.conf is:

failregex = ^ ... OVPN 4 OUT: \".* .* .* ..:..:.. .... <HOST>:.* SENT CONTROL .*: \'AUTH_FAILED\' $

But the command:

fail2ban-regex /var/log/openvpnas.log /etc/fail2ban/filter.d/openvpn.conf

keeps saying: 0 matches

Can anyone help me? What do I need to enter as the "failregex" parameter in openvpn.conf?

Answer 1

The following failregex works for me:

failregex = <HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*

Testing with fail2ban-regex gives:

$ fail2ban-regex -v --print-all-matched openvpn.log "<HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*"

Running tests
=============

Use   failregex line : <HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*
Use         log file : openvpn.log
Use         encoding : UTF-8


Results
=======

Failregex: 7 total
|-  #) [# of hits] regular expression
|   1) [7] <HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*
|      31.77.70.2  Mon Mar 26 14:23:23 2018
|      31.77.70.2  Mon Mar 26 14:53:43 2018
|      31.77.70.2  Mon Mar 26 14:54:42 2018
|      31.77.70.2  Mon Mar 26 14:55:09 2018
|      31.77.70.2  Mon Mar 26 15:16:52 2018
|      31.77.70.2  Mon Mar 26 15:19:14 2018
|      31.77.70.2  Mon Mar 26 15:20:59 2018
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [5664] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
|  [413] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
|  [0] Day(?P<_sep>[-/])Month(?P=_sep)(?:Year|Year2) 24hour:Minute:Second
|  [0] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
|  [0] Month/Day/Year:24hour:Minute:Second
|  [0] Month-Day-Year 24hour:Minute:Second\.Microseconds
|  [0] TAI64N
|  [0] Epoch
|  [0] Year-Month-Day[T ]24hour:Minute:Second(?:\.Microseconds)?(?:Zone offset)?
|  [0] ^24hour:Minute:Second
|  [0] ^<Month/Day/Year2@24hour:Minute:Second>
|  [0] ^Year2MonthDay  ?24hour:Minute:Second
|  [0] MON Day, Year 12hour:Minute:Second AMPM
|  [0] ^MON-Day-Year2 24hour:Minute:Second
`-

Lines: 6077 lines, 0 ignored, 7 matched, 6070 missed [processed in 3.84 sec]
|- Matched line(s):
|  2018-03-26 14:23:23+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:23:23 2018 31.77.70.2:58835 SENT CONTROL [njarvis]: 'AUTH_FAILED' (status=1)"
|  2018-03-26 14:53:43+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:53:43 2018 31.77.70.2:62055 SENT CONTROL [njarvis]: 'AUTH_FAILED' (status=1)"
|  2018-03-26 14:54:42+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:54:42 2018 31.77.70.2:57913 SENT CONTROL [njarvis]: 'AUTH_FAILED' (status=1)"
|  2018-03-26 14:55:09+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:55:09 2018 31.77.70.2:58704 SENT CONTROL [njarvis]: 'AUTH_FAILED' (status=1)"
|  2018-03-26 15:16:52+0100 [-] OVPN 4 OUT: "Mon Mar 26 15:16:52 2018 31.77.70.2:55038 SENT CONTROL [test]: 'AUTH_FAILED' (status=1)"
|  2018-03-26 15:19:14+0100 [-] OVPN 4 OUT: "Mon Mar 26 15:19:14 2018 31.77.70.2:50027 SENT CONTROL [test]: 'AUTH_FAILED,REVOKED: client certificate has been revoked' (status=1)"
|  2018-03-26 15:20:59+0100 [-] OVPN 4 OUT: "Mon Mar 26 15:20:59 2018 31.77.70.2:49564 SENT CONTROL [njarvis]: 'AUTH_FAILED' (status=1)"
`-
Missed line(s): too many to print.  Use --print-all-missed to print all 6070 lines

Answer 2

Thank you, Neil.

Here are the contents of my filter.d file:

failregex = <HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*
ignoreregex = <HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED,SESSION
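As an added example (not code from either answer), the Python script below applies the failregex and ignoreregex from the filter above to a few constructed log lines in the openvpnas.log format, the way fail2ban's filter would, tallies AUTH_FAILED hits per source address, and reports which hosts would cross a maxretry threshold. It also runs the regex from the original question to show that it produces no matches. It assumes a simplified IPv4-only stand-in for fail2ban's <HOST> tag (the real tag also accepts IPv6 addresses and hostnames); the addresses, usernames and the AUTH_FAILED,SESSION line are made up for the example.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag. Assumption: fail2ban's own
# expansion is broader (IPv6, hostnames); IPv4 is enough to illustrate the filter.
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Constructed sample lines in the /var/log/openvpnas.log format shown on this
# page. Addresses are from documentation ranges and the users are invented.
SAMPLE_LOG = """\
2018-03-26 14:23:23+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:23:23 2018 203.0.113.10:58835 SENT CONTROL [alice]: 'AUTH_FAILED' (status=1)"
2018-03-26 14:23:40+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:23:40 2018 203.0.113.10:58900 SENT CONTROL [alice]: 'AUTH_FAILED' (status=1)"
2018-03-26 14:24:01+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:24:01 2018 203.0.113.10:58955 SENT CONTROL [alice]: 'AUTH_FAILED,REVOKED: client certificate has been revoked' (status=1)"
2018-03-26 14:30:12+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:30:12 2018 198.51.100.7:50027 SENT CONTROL [bob]: 'AUTH_FAILED,SESSION: session token expired' (status=1)"
2018-03-26 14:31:00+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:31:00 2018 198.51.100.7:50100 SENT CONTROL [bob]: 'PUSH_REPLY,route 10.8.0.0 255.255.0.0' (status=1)"
2018-03-26 14:32:45+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:32:45 2018 192.0.2.55:40000 SENT CONTROL [carol]: 'AUTH_FAILED' (status=1)"
"""

# The two expressions from the filter.d file in Answer 2.
FAILREGEX = r"<HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*"
IGNOREREGEX = r"<HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED,SESSION"

# The attempt from the original question, kept verbatim for comparison.
# "^ ..." demands that the line start with a space, and "' $" demands that
# 'AUTH_FAILED' be the last thing on the line, so it can never match.
ORIGINAL_ATTEMPT = r"""^ ... OVPN 4 OUT: \".* .* .* ..:..:.. .... <HOST>:.* SENT CONTROL .*: \'AUTH_FAILED\' $"""


def compile_f2b(pattern):
    """Expand the <HOST> tag and compile, as fail2ban does for a filter entry."""
    return re.compile(pattern.replace("<HOST>", HOST))


def scan(log_text, failregex, ignoreregex=None):
    """Return (hits-per-host Counter, number of lines suppressed by ignoreregex).

    fail2ban strips the timestamp before matching; the answer's failregex is
    unanchored, so running it against the full line gives the same result.
    """
    fail = compile_f2b(failregex)
    ignore = compile_f2b(ignoreregex) if ignoreregex else None
    hits = Counter()
    ignored = 0
    for line in log_text.splitlines():
        if ignore and ignore.search(line):
            ignored += 1          # line matches ignoreregex: not counted
            continue
        m = fail.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits, ignored


def hosts_to_ban(hits, maxretry=3):
    """Hosts whose failure count reached maxretry (findtime is ignored here)."""
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    hits, ignored = scan(SAMPLE_LOG, FAILREGEX, IGNOREREGEX)
    print("hits per host:", dict(hits))
    print("lines ignored by ignoreregex:", ignored)
    print("would ban (maxretry=3):", hosts_to_ban(hits))
    print("original attempt matches:", sum(scan(SAMPLE_LOG, ORIGINAL_ATTEMPT)[0].values()))
```

Running it shows three hits for 203.0.113.10 (including the AUTH_FAILED,REVOKED line, which the answer's trailing `.*` deliberately still catches), one for 192.0.2.55, the AUTH_FAILED,SESSION line suppressed by the ignoreregex, and zero matches for the question's original pattern. Note that the ignoreregex only skips lines that also contain ",SESSION"; any other AUTH_FAILED variant still counts toward a ban.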
