昨天,我的日志文件中有数百万行类似这样的内容:
Feb 25 18:00:00 mond2 sshd[29574]: Bad protocol version identification '\003' from 54.37.78.250 port 50306
Feb 25 18:00:00 mond2 sshd[29575]: Bad protocol version identification '\003' from 54.37.78.250 port 50530
Feb 25 18:00:00 mond2 sshd[29576]: Bad protocol version identification '\003' from 54.37.78.250 port 50696
Feb 25 18:00:00 mond2 sshd[29577]: Bad protocol version identification '\003' from 54.37.78.250 port 50857
Feb 25 18:00:00 mond2 sshd[29578]: Bad protocol version identification '\003' from 54.37.78.250 port 51032
Feb 25 18:00:01 mond2 sshd[29579]: Bad protocol version identification '\003' from 54.37.78.250 port 51213
Feb 25 18:00:01 mond2 sshd[29580]: Bad protocol version identification '\003' from 54.37.78.250 port 51427
Feb 25 18:00:01 mond2 sshd[29584]: Bad protocol version identification '\003' from 54.37.78.250 port 51642
Feb 25 18:00:01 mond2 sshd[29585]: Bad protocol version identification '\003' from 54.37.78.250 port 51809
Feb 25 18:00:01 mond2 sshd[29586]: Bad protocol version identification '\003' from 54.37.78.250 port 51970
我想用 fail2ban 来捕获它们,方法是创建一个新的 jail。但什么也没用。现在我尝试了正则表达式测试器,它告诉我:
fail2ban-regex /var/log/auth.log.test "^%(__prefix_line)sBad protocol version identification '\\\d+' from <HOST> port"
Running tests
=============
Use failregex line : ^%(__prefix_line)sBad protocol version identificat...
Use log file : /var/log/auth.log.test
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [10] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-
Lines: 10 lines, 0 ignored, 0 matched, 10 missed [processed in 0.00 sec]
|- Missed line(s):
| Feb 25 18:00:00 mond2 sshd[29574]: Bad protocol version identification '\003' from 54.37.78.250 port 50306
| Feb 25 18:00:00 mond2 sshd[29575]: Bad protocol version identification '\003' from 54.37.78.250 port 50530
| Feb 25 18:00:00 mond2 sshd[29576]: Bad protocol version identification '\003' from 54.37.78.250 port 50696
| Feb 25 18:00:00 mond2 sshd[29577]: Bad protocol version identification '\003' from 54.37.78.250 port 50857
| Feb 25 18:00:00 mond2 sshd[29578]: Bad protocol version identification '\003' from 54.37.78.250 port 51032
| Feb 25 18:00:01 mond2 sshd[29579]: Bad protocol version identification '\003' from 54.37.78.250 port 51213
| Feb 25 18:00:01 mond2 sshd[29580]: Bad protocol version identification '\003' from 54.37.78.250 port 51427
| Feb 25 18:00:01 mond2 sshd[29584]: Bad protocol version identification '\003' from 54.37.78.250 port 51642
| Feb 25 18:00:01 mond2 sshd[29585]: Bad protocol version identification '\003' from 54.37.78.250 port 51809
| Feb 25 18:00:01 mond2 sshd[29586]: Bad protocol version identification '\003' from 54.37.78.250 port 51970
`-
所以它显然不知道我想要什么。这是什么意思,漏掉了几行?它没有仔细看,忘记了刚刚读过的内容吗?它读得太快,无法真正处理它读到的内容吗?我不明白,网络也不明白。对此有什么解释吗?
我要做什么才能匹配和禁止这些日志行?
这是我开始使用的正则表达式,不知道它是否好:
failregex = ^%(__prefix_line)sBad protocol version identification '\\\d+' from <HOST> port \d+\s*$
我在 Ubuntu 16.04 上有 Fail2Ban v0.9.3。
答案1
我有点生疏,但missed lines指的是无匹配的行违反你的正则表达式。
以下命令将显示日志中匹配和遗漏的行:
fail2ban-regex --print-all-missed /var/log/auth.log.test "^%(__prefix_line)sBad protocol version identification '\\\d+' from <HOST> port"
据我记得,每一行都会有一个前缀,表示HIT:正则表达式是否匹配以及MISS:是否不匹配。
编辑
现在坐在电脑前,尝试调试你的语句。
首先,正则表达式可能有点短?因为正则表达式不匹配整行。
据我所知,正则表达式匹配:
Feb 25 18:00:00 mond2 sshd[29574]: Bad protocol version identification '\003' from 54.37.78.250 port50306
注意到我没有标记端口号。
如果你扩展正则表达式,它会说:
^%(__prefix_line)sBad protocol version identification '\\\d+' from <HOST> port \d+
嗯... 尝试用我自己的服务器测试日志,但仍然不起作用。怀疑该__prefix_line部分与“错误协议”之前的所有内容不匹配。
答案2
我又玩了一会儿,找到了一个可行的解决方案。我唯一能找到的办法就是删除我添加的所有内容,只将这个添加到 jail 中sshd,如下所示jail.local:
failregex = ^\s*\S+\s+sshd\[\d+\]: Bad protocol version identification '.*?' from <HOST> port
这似乎有效。当我连接 netcat 并输入一些文本时,相关的日志行就会显示出来,并将fail2ban-client status sshd失败计数器增加 1。我不太确定,因为还有其他攻击正在进行(通常的背景噪音)。
正则表达式中的关键变化是不要过度指定“identification”之后的部分。