Fail2ban 不工作?

Fail2ban 不工作?

我尝试使用该fail2ban-regex命令来测试我的过滤器和正则表达式,但似乎没有什么效果。我使用教程演示了如何使用 Devise gem 和 Rails 来记录失败的登录。

这是我的/etc/fail2ban/filter.d/core.conf文件:

[INCLUDES]
before = common.conf

[Definition]
failregex = ^\s*(\[.+?\] )*Failed login for '.*' from <HOST> at $

以下是我的/etc/fail2ban/jail.conf文件中的内容。

[core]
enabled = true
filter  = core
port    = http,https
logpath = /home/rails/Documents/rails_app/devise.log
bantime = 3600
findtime = 600
maxretry = 2

以下是devise.logRails 创建的文件的示例输出:

# Logfile created on 2018-09-26 16:19:41 -0500 by logger.rb/61378
E, [2018-09-26T16:19:41.353620 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:19:41Z
E, [2018-09-26T16:27:17.469743 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:27:17Z
E, [2018-09-26T16:27:19.706783 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:27:19Z
E, [2018-09-26T16:27:21.504956 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:27:21Z
E, [2018-09-26T16:27:23.193147 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:27:23Z

这正是教程中使用的。但是,当我提交无效的登录尝试时,什么也没有发生。

这是我的命令的结果fail2ban-regex

[myuser:ubuntu:/etc/fail2ban/filter.d]$ fail2ban-regex /home/rails/Documents/rails_app/devise.log "^\s*(\[.+?\] )*Failed login for '.*' from <HOST> at $"

Running tests
=============

Use   failregex line : ^\s*(\[.+?\] )*Failed login for '.*' from <HOST> at $
Use         log file : /home/rails/Documents/rails_app/devise.log
Use         encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [13] ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 13 lines, 0 ignored, 0 matched, 13 missed
[processed in 0.02 sec]

|- Missed line(s):
|  E, [2018-09-26T16:19:41.353620 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:19:41Z
|  E, [2018-09-26T16:27:17.469743 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:27:17Z
|  E, [2018-09-26T16:27:19.706783 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:27:19Z
|  E, [2018-09-26T16:27:21.504956 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:27:21Z
|  E, [2018-09-26T16:27:23.193147 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:27:23Z
|  E, [2018-09-26T16:27:24.959032 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:27:24Z
|  E, [2018-09-26T16:27:26.661292 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:27:26Z
|  E, [2018-09-26T16:27:28.297408 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:27:28Z
|  E, [2018-09-26T16:27:30.179503 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:27:30Z
|  E, [2018-09-26T16:27:31.940616 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:27:31Z
|  E, [2018-09-26T16:32:42.579173 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:32:42Z
|  E, [2018-09-26T16:32:44.817088 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:32:44Z
|  E, [2018-09-26T16:32:46.660918 #12157] ERROR -- : Failed login for '[email protected]' from 172.16.38.1 at 2018-09-26T21:32:46Z

不确定为什么这不起作用。有什么建议吗?我尝试操纵我的正则表达式,但仍然没有成功。

编辑

看起来 Fail2Ban 确实坏了,或者我完全搞砸了正则表达式。我已将文件缩减devise.log为仅包含 IP 地址的一行,并将过滤器缩减为以下内容:

[INCLUDES]
before = common.conf

[Definition]
failregex = <HOST>

但它仍然找不到 IP 地址:

[myuser:ubuntu:/etc/fail2ban/filter.d]$ fail2ban-regex /home/rails/Documents/rails_app/devise.log core.conf

Running tests
=============

Use   failregex filter file : core, basedir: /etc/fail2ban
Use      datepattern : Default Detectors
Use         log file : /home/rails/Documents/rails_app/devise.log
Use         encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:

Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.01 sec]

|- Missed line(s):
|  172.16.38.1
`-

另一次尝试 现在看起来好像failregex不起作用了。我为另一个实际有效的示例提供了完全相同的正则表达式,并且在conf 文件的部分fail2ban-regex中也有完全相同的内容。仍然没有结果。failregex

答案1

我想我刚刚才搞明白。datepattern =在过滤文件中将其设置为空后,它现在总是匹配。花了 4 个小时才搞明白。

相关内容