I have an event source that runs periodically. The problem is that, with http-get-dos,
fail2ban will catch the IP if a user leaves the tab open for a long time.
So I was wondering: how can I disable this specific kind of log entry in nginx? The other approach would be to configure fail2ban to ignore this pattern:
"GET /users/stream HTTP/2.0"
I am open to implementing this in either nginx or fail2ban.
Probably changing this line in /etc/fail2ban/filter.d/http-get-dos.conf accordingly
is the most straightforward way:
failregex = ^<HOST> -.*"(GET|POST).*
Update (/etc/fail2ban/filter.d/http-get-dos.conf):
# Fail2Ban configuration file
[Definition]
# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.
failregex = ^<HOST> -.*"(GET|POST).*
# Option: ignoreregex
ignoreregex =
##To stop DOS attack from remote host.
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /usr/local/nginx/localhost-access.log
maxretry = 300
findtime = 300
bantime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]
First attempt: obviously does not work with the following regex:
fail2ban-regex /usr/local/nginx/localhost-access.log '^<HOST> -.*"(GET|POST).*' '^.+?:\d+ <HOST> -.*"(GET) /users/stream.*$'
Running tests
=============
Use failregex line : ^<HOST> -.*"(GET|POST).*
Use ignoreregex line : ^.+?:\d+ <HOST> -.*"(GET) /users/stream.*$
Use log file : /usr/local/nginx/localhost-access.log
Use encoding : UTF-8
Results
=======
Failregex: 22431 total
|- #) [# of hits] regular expression
| 1) [22431] ^<HOST> -.*"(GET|POST).*
`-
Ignoreregex: 0 total
Second attempt: but it does match with ^<HOST> -.*"(GET) /users/stream.*$
fail2ban-regex /usr/local/nginx/localhost-access.log '^<HOST> -.*"(GET|POST).*' '^<HOST> -.*"(GET) /users/stream.*$'
Running tests
=============
Use failregex line : ^<HOST> -.*"(GET|POST).*
Use ignoreregex line : ^<HOST> -.*"(GET) /users/stream.*$
Use log file : /usr/local/nginx/localhost-access.log
Use encoding : UTF-8
Results
=======
Failregex: 1574 total
|- #) [# of hits] regular expression
| 1) [1574] ^<HOST> -.*"(GET|POST).*
`-
Ignoreregex: 22093 total
|- #) [# of hits] regular expression
| 1) [22093] ^<HOST> -.*"(GET) /users/stream.*$
`-
Answer 1
You use the ignoreregex = directive in the /etc/fail2ban/filter.d/http-get-dos.conf configuration file. This should just be a matter of adjusting the regex. Like this:
^<HOST> -.*"(GET) /users/stream.*$
matches your log file lines, then matches any GET, and then only matches GETs for requests with the /users/stream prefix and any string appended to it.
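To see why only the second ignoreregex takes effect, here is an added Python example (not from the question or the answer) that applies the post's failregex and both ignoreregex candidates to a few constructed nginx combined-format log lines. The <HOST> expansion is a simplified stand-in for fail2ban's own, and the IPs and timestamps are constructed.

```python
import re
from collections import Counter

# fail2ban replaces the <HOST> tag with a host-capturing group. This is a
# simplified stand-in for that substitution (the real one also handles IPv6
# and hostnames); the regex strings below are the ones from the post.
HOST_RE = r"(?P<host>\S+)"

def compile_f2b(pattern: str) -> re.Pattern:
    """Expand the <HOST> tag the way fail2ban does and compile the regex."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))

FAILREGEX = compile_f2b(r'^<HOST> -.*"(GET|POST).*')
# Second attempt from the post: works because access-log lines begin with the client IP.
IGNORE_OK = compile_f2b(r'^<HOST> -.*"(GET) /users/stream.*$')
# First attempt from the post: demands a "<something>:<port> " prefix before the
# host that nginx's default combined log format never writes, so it never matches.
IGNORE_BAD = compile_f2b(r'^.+?:\d+ <HOST> -.*"(GET) /users/stream.*$')

# Constructed sample lines in nginx's default "combined" format (not from the post).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /users/stream HTTP/2.0" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2023:13:55:41 +0000] "GET /users/stream HTTP/2.0" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:42 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:43 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.0"',
    '192.0.2.5 - - [10/Oct/2023:13:55:44 +0000] "GET /users/stream/extra HTTP/2.0" 200 512 "-" "Mozilla/5.0"',
]

def count_failures(lines, failregex, ignoreregex):
    """Mimic fail2ban's per-line decision: a line counts against its host only
    if failregex matches and ignoreregex does not.
    Returns (Counter of failures per host, number of lines ignored)."""
    hits = Counter()
    ignored = 0
    for line in lines:
        m = failregex.search(line)
        if not m:
            continue
        if ignoreregex is not None and ignoreregex.search(line):
            ignored += 1
            continue
        hits[m.group("host")] += 1
    return hits, ignored

if __name__ == "__main__":
    for label, ign in (("no ignoreregex", None), ("first attempt", IGNORE_BAD), ("second attempt", IGNORE_OK)):
        hits, ignored = count_failures(SAMPLE_LOG, FAILREGEX, ign)
        print(f"{label:15s} failures={dict(hits)} ignored={ignored}")
```

With the second attempt, the SSE client's lines no longer count towards maxretry, while the other GET/POST requests from 198.51.100.7 still do.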