Fail2ban 错误地禁止匹配的 IP

tag-icon tag-icon nginx ip fail2ban
Fail2ban 错误地禁止匹配的 IP

我有一个非常简单的过滤器,可以执行以下操作:

[nginx 节点]

failregex = ^<HOST> -.*(socket.io).*

我可以看到有明显的匹配:

grep 'socket.io' /var/log/nginx/example.com.access.log

121.172.15.179 1.866 - [19/Mar/2019:07:28:24 +0000] example.com "GET /play HTTP/1.1" 200 6139 "http://example.com/socket.io/?EIO=3&transport=polling&t=MQmFluw&sid=l0uDuR-obQ-x88VTXy64" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 OPR/56.0.3051.43"
109.248.15.151 2.097 - [19/Mar/2019:07:28:24 +0000] example.com "GET /withdraw HTTP/1.1" 200 5909 "https://example.com:2096/socket.io/?EIO=3&transport=polling&t=MQmFluw&sid=YhxObxy-NI9nGSMYXy-i" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36"
185.129.196.137 1.983 - [19/Mar/2019:07:28:24 +0000] example.com "GET /play HTTP/1.1" 200 6140 "http://example.com/socket.io/?EIO=3&transport=polling&t=MQmFluw&sid=T6NdG0RxDqJrrZoBXy66" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 OPR/56.0.3051.43"
5.188.214.175 2.001 - [19/Mar/2019:07:28:25 +0000] example.com "GET /withdraw HTTP/1.1" 200 5909 "https://example.com:2096/socket.io/?EIO=3&transport=polling&t=MQmFluw&sid=HDuKa8O9rB_DQ4SbXy-j" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36"
5.8.54.93 1.357 - [19/Mar/2019:07:28:26 +0000] example.com "GET /withdraw HTTP/1.1" 200 5906 "https://example.com:2096/socket.io/?EIO=3&transport=polling&t=MQmFluw&sid=5SwXG179RJFvBDJ_Xy-k" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36"
45.4.197.31 1.533 - [19/Mar/2019:07:28:27 +0000] example.com "GET /withdraw HTTP/1.1" 200 5903 "https://example.com:2096/socket.io/?EIO=3&transport=polling&t=MQmFluw&sid=L1AFBAvELUyb9x1sXy-l" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/5^C

但禁令如下:

2019-03-19 23:01:20,927 fail2ban.actions        [16286]: NOTICE  [nginx-node] Ban 0.0.0.139
2019-03-19 23:01:21,346 fail2ban.actions        [16286]: NOTICE  [nginx-node] Ban 0.0.0.140
2019-03-19 23:01:21,568 fail2ban.actions        [16286]: NOTICE  [nginx-node] Ban 0.0.0.141
2019-03-19 23:01:21,790 fail2ban.actions        [16286]: NOTICE  [nginx-node] Ban 0.0.0.142

我的jail.local的相关部分:

[nginx-node]
enabled = true
filter = nginx-node
port = http,https
action = iptables-multiport[name=Name, port="http,https", protocol=tcp]
logpath = /var/www/example.com/logs/access.log tail
maxretry = 0

我在 Cloudflare 后面运行 nginx。我已经调整了 nginx 以显示真实 IP,我知道这是有效的,因为其他过滤器运行正常。似乎这个用户在伪造他的 IP 地址。我只是不明白为什么我在日志中看到一个真实的 IP,而假的 IP 被禁止了。

有任何想法吗?

相关内容