fail2ban 过滤器解析错误

fail2ban 过滤器解析错误

我正在尝试为 fail2ban exim 过滤器添加额外的过滤规则。我想捕获那些试图过早发送身份验证的恶意机器人尝试。

我的 exim.conf 过滤器的 failregex 如下所示(最后一行是我添加的):

failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\](:\d+)?( I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\](:\d+)? )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
^%(pid)s SMTP protocol error in "AUTH LOGIN" %(host_info)sAUTH command used when not advertised\s*$

不起作用。当我运行 fail2ban-regex 进行测试时,我收到以下错误:

Running tests
=============

Use   failregex filter file : exim, basedir: .
Traceback (most recent call last):
  File "/usr/bin/fail2ban-regex", line 549, in <module>
    fail2banRegex.readRegex(cmd_regex, 'fail') or sys.exit(-1)
  File "/usr/bin/fail2ban-regex", line 279, in readRegex
    if not reader.read():
  File "/usr/lib/python3/dist-packages/fail2ban/client/configreader.py", line 274, in read
    return ConfigReader.read(self, self._file)
  File "/usr/lib/python3/dist-packages/fail2ban/client/configreader.py", line 89, in read
    ret = self._cfg.read(name)
  File "/usr/lib/python3/dist-packages/fail2ban/client/configreader.py", line 185, in read
    config_files_read = SafeConfigParserWithIncludes.read(self, config_files)
  File "/usr/lib/python3/dist-packages/fail2ban/client/configparserinc.py", line 206, in read
    fileNamesFull += self._getIncludes(filenames)
  File "/usr/lib/python3/dist-packages/fail2ban/client/configparserinc.py", line 151, in _getIncludes
    fileNamesFull += self.__getIncludesUncached(filename, seen)
  File "/usr/lib/python3/dist-packages/fail2ban/client/configparserinc.py", line 168, in __getIncludesUncached
    parser, i = self._getSharedSCPWI(resource)
  File "/usr/lib/python3/dist-packages/fail2ban/client/configparserinc.py", line 130, in _getSharedSCPWI
    i = cfg.read(filename, get_includes=False)
  File "/usr/lib/python3/dist-packages/fail2ban/client/configparserinc.py", line 251, in read
    return SafeConfigParser.read(self, fileNamesFull, encoding='utf-8')
  File "/usr/lib/python3.5/configparser.py", line 696, in read
    self._read(fp, filename)
  File "/usr/lib/python3.5/configparser.py", line 1107, in _read
    raise e
configparser.ParsingError: Source contains parsing errors: './filter.d/exim.conf'
    [line 21]: '^%(pid)s SMTP protocol error in "AUTH LOGIN" %(host_info)sAUTH command used when not advertised\\s*$\n'

我不太了解正则表达式,不知道它在抱怨什么。

这是在 Ubuntu 16.04 上,带有 fail2ban-regex 版本 0.9.3

答案1

事实证明,多行正则表达式要求在每一行新行前面有一个制表符,因此上述过滤器应该是:

failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
    ^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\](:\d+)?( I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
    ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
    ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
    ^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\](:\d+)? )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
    ^%(pid)s SMTP protocol error in "AUTH LOGIN" %(host_info)sAUTH command used when not advertised\s*$

相关内容