How to create a fail2ban filter for phpmyadmin attacks

I am trying to work out how to create a failregex filter for fail2ban to guard against the following attack. I have tried the following failregex expressions, but they do not match anything in /var/log/https/error_log

failregex = ^\[[^\]]+\] \[error\] \[client <HOST>\].*File does not exist: .*pma* *\s*$

or

failregex = ^[[^\]]+\] \[error\] \[client <HOST>\] File does not exist: *phpyadmin* *\s*$

Here is the probe I am trying to create a rule for

[Sat Aug 05 15:42:46 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/phpmyadmin2015
[Sat Aug 05 15:42:46 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/phpmyadmin2016
[Sat Aug 05 15:42:47 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/phpmyadmin2017
[Sat Aug 05 15:42:48 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/PMA2014
[Sat Aug 05 15:42:49 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/PMA2015
[Sat Aug 05 15:42:49 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/PMA2016
[Sat Aug 05 15:42:49 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/PMA2017
[Sat Aug 05 15:42:50 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/PMA2018
[Sat Aug 05 15:42:52 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/pma2015
[Sat Aug 05 15:42:52 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/pma2016
[Sat Aug 05 15:42:52 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/pma2017
[Sat Aug 05 15:42:53 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/pma2018

The regex does not correctly recognise the format the log is written in. Any help would be greatly appreciated. I just need a wildcard rule that scans for a) "File does not exist" and b) any of the following strings on the error line: pma*, php*

Answer 1

Thanks for the suggestions above, but after countless attempts, here is the expression that finally worked.

[Definition]
# fail2ban filter: each continuation line is one alternative failregex.
# The (?i) case-insensitive flag is placed at the start of each pattern;
# a global flag in the middle of a pattern is rejected by newer Python re.
ignoreregex =
failregex = (?i)\[client <HOST>\] File does not exist:.*MyAdmin.*
            (?i)\[client <HOST>\] File does not exist:.*mysqlmanager.*
            (?i)\[client <HOST>\] File does not exist:.*PMA.*
            (?i)\[client <HOST>\] File does not exist:.*pma.*
            (?i)\[client <HOST>\] File does not exist:.*php-my-admin.*
            (?i)\[client <HOST>\] File does not exist:.*myadmin.*
            (?i)\[client <HOST>\] File does not exist:.*administrator.*
            (?i)\[client <HOST>\] File does not exist:.*xmlrpc.*
            (?i)\[client <HOST>\] File does not exist:.*testproxy.*
            (?i)\[client <HOST>\] File does not exist:.*phpMyAdmin.*
            (?i)\[client <HOST>\] File does not exist:.*db.*
            (?i)\[client <HOST>\] File does not exist:.*sql.*

If anyone has plesk installed on centos, they can use these rules to block the attack. My server's apache process was constantly running at 100% CPU usage.
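As an added example (not code from the question or from either answer), the following Python harness expands `<HOST>` the way fail2ban does before compiling a failregex, then runs the question's first attempt and two of Answer 1's patterns over constructed log lines modelled on the ones above. The `<HOST>` expansion and the sample lines are assumptions, and fail2ban's timestamp handling is ignored.

```python
import re

# fail2ban replaces <HOST> with a named group before compiling a failregex.
# Simplified expansion modelled on fail2ban's (assumption); the optional
# ::ffff: prefix covers IPv4-mapped IPv6 addresses.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Constructed sample lines in the format of the Apache error_log in the question.
LOG_LINES = [
    "[Sat Aug 05 15:42:46 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/phpmyadmin2015",
    "[Sat Aug 05 15:42:48 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/PMA2014",
    "[Sat Aug 05 15:42:52 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/pma2015",
    "[Sat Aug 05 15:43:01 2017] [error] [client 203.0.113.7] File does not exist: /var/www/vhosts/default/htdocs/favicon.ico",
]

# The question's first attempt: `pma*` means "pm" plus zero or more "a", and the
# trailing ` *\s*$` forces that to sit at the end of the line, so nothing matches.
BROKEN_FAILREGEX = r"^\[[^\]]+\] \[error\] \[client <HOST>\].*File does not exist: .*pma* *\s*$"

# Two of Answer 1's alternatives, with the (?i) flag at the start of the pattern.
WORKING_FAILREGEX = [
    r"(?i)\[client <HOST>\] File does not exist:.*MyAdmin.*",
    r"(?i)\[client <HOST>\] File does not exist:.*PMA.*",
]


def compile_failregex(pattern):
    """Expand <HOST> into a named capture group and compile the pattern."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def matching_hosts(patterns, lines):
    """Return {host: hit_count} for lines matched by any of the failregex patterns.

    Mirrors what fail2ban counts toward a ban: one failure per matching line,
    attributed to the address captured by the <HOST> group.
    """
    compiled = [compile_failregex(p) for p in patterns]
    hits = {}
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
                break  # first matching alternative wins; do not double count
    return hits
```

Against the sample lines the broken pattern matches nothing, while Answer 1's patterns attribute three failures to 109.188.133.141 and ignore the unrelated favicon request; for an authoritative check against the real log, run `fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/<your-filter>.conf`.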

Answer 2

The most obvious error I can see is here -

pma* *\s*$

That matches pm followed by a zero or more times. Then it matches a space zero or more times, followed by \s (space or tab) zero or more times.

So it basically has to end with pma followed by zero or more spaces. The same goes for the other regex.

You should try something like pma.*\s* (assuming you need to account for possible whitespace at the end of the line).

Edit - the full expression should be something like the following, although obviously I can't really test it.

\[client <HOST>\] File does not exist: .+pma