我正在尝试为 fail2ban exim 过滤器添加额外的过滤规则。我想捕获那些试图过早发送身份验证的恶意机器人尝试。
我的 exim.conf 过滤器的 failregex 如下所示(最后一行是我添加的):
failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\](:\d+)?( I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\](:\d+)? )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
^%(pid)s SMTP protocol error in "AUTH LOGIN" %(host_info)sAUTH command used when not advertised\s*$
不起作用。当我运行 fail2ban-regex 进行测试时,我收到以下错误:
Running tests
=============
Use failregex filter file : exim, basedir: .
Traceback (most recent call last):
File "/usr/bin/fail2ban-regex", line 549, in <module>
fail2banRegex.readRegex(cmd_regex, 'fail') or sys.exit(-1)
File "/usr/bin/fail2ban-regex", line 279, in readRegex
if not reader.read():
File "/usr/lib/python3/dist-packages/fail2ban/client/configreader.py", line 274, in read
return ConfigReader.read(self, self._file)
File "/usr/lib/python3/dist-packages/fail2ban/client/configreader.py", line 89, in read
ret = self._cfg.read(name)
File "/usr/lib/python3/dist-packages/fail2ban/client/configreader.py", line 185, in read
config_files_read = SafeConfigParserWithIncludes.read(self, config_files)
File "/usr/lib/python3/dist-packages/fail2ban/client/configparserinc.py", line 206, in read
fileNamesFull += self._getIncludes(filenames)
File "/usr/lib/python3/dist-packages/fail2ban/client/configparserinc.py", line 151, in _getIncludes
fileNamesFull += self.__getIncludesUncached(filename, seen)
File "/usr/lib/python3/dist-packages/fail2ban/client/configparserinc.py", line 168, in __getIncludesUncached
parser, i = self._getSharedSCPWI(resource)
File "/usr/lib/python3/dist-packages/fail2ban/client/configparserinc.py", line 130, in _getSharedSCPWI
i = cfg.read(filename, get_includes=False)
File "/usr/lib/python3/dist-packages/fail2ban/client/configparserinc.py", line 251, in read
return SafeConfigParser.read(self, fileNamesFull, encoding='utf-8')
File "/usr/lib/python3.5/configparser.py", line 696, in read
self._read(fp, filename)
File "/usr/lib/python3.5/configparser.py", line 1107, in _read
raise e
configparser.ParsingError: Source contains parsing errors: './filter.d/exim.conf'
[line 21]: '^%(pid)s SMTP protocol error in "AUTH LOGIN" %(host_info)sAUTH command used when not advertised\\s*$\n'
我不太了解正则表达式,不知道它在抱怨什么。
这是在 Ubuntu 16.04 上,带有 fail2ban-regex 版本 0.9.3
答案1
事实证明,多行正则表达式要求在每一行新行前面有一个制表符,因此上述过滤器应该是:
failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\](:\d+)?( I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\](:\d+)? )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
^%(pid)s SMTP protocol error in "AUTH LOGIN" %(host_info)sAUTH command used when not advertised\s*$