How do I specify a fail2ban filter/jail for logs coming from systemd/journald?

I am running nginx and logging it to systemd/journald.

How do I specify a systemd unit as the log source?

man jail.conf shows the backends listed as follows:

       systemd
              uses  systemd  python library to access the systemd journal.
              Specifying logpath is not valid for this backend and instead
              utilises  journalmatch from the jails associated filter config.

and:

       journalmatch
              specifies  the systemd journal match used to filter the journal entries. See journalctl(1) and systemd.journal-fields(7) for matches syntax and
              more details on special journal fields. This option is only valid for the systemd backend.

So here is my attempt, based on the above:

[nginx-bots-123]

enabled  = true
backend = systemd
journalmatch = CONTAINER_TAG=nginx
port     = http,https
filter   = nginx-botsearch
maxretry = 6

However, it seems to show a blank journalmatch:

root@chris-travis-development:~# fail2ban-client -vvvvvv status nginx-bots-123
 +   72 7F47BAAD7740 fail2ban.configreader     INFO  |    configreader-20: read                 | Loading configs for fail2ban under /etc/fail2ban 
 +   72 7F47BAAD7740 fail2ban.configreader     DEBUG |    configreader-10: read                 | Reading configs for fail2ban under /etc/fail2ban 
 +   73 7F47BAAD7740 fail2ban.configreader     DEBUG |    configreader-10: read                 | Reading config files: /etc/fail2ban/fail2ban.conf, /etc/fail2ban/fail2ban.local
 +   74 7F47BAAD7740 fail2ban.configparserinc  INFO  | configparserinc-20: read                 |   Loading files: ['/etc/fail2ban/fail2ban.conf']
 +   76 7F47BAAD7740 fail2ban.configparserinc  TRACE | configparserinc-7 : read                 |     Reading file: /etc/fail2ban/fail2ban.conf
 +   77 7F47BAAD7740 fail2ban.configparserinc  INFO  | configparserinc-20: read                 |   Loading files: ['/etc/fail2ban/fail2ban.local']
 +   77 7F47BAAD7740 fail2ban.configparserinc  TRACE | configparserinc-7 : read                 |     Reading file: /etc/fail2ban/fail2ban.local
 +   77 7F47BAAD7740 fail2ban.configparserinc  INFO  | configparserinc-20: read                 |   Loading files: ['/etc/fail2ban/fail2ban.conf', '/etc/fail2ban/fail2ban.local']
 +   77 7F47BAAD7740 fail2ban.configparserinc  TRACE | configparserinc-7 : _getSharedSCPWI      |     Shared file: /etc/fail2ban/fail2ban.conf
 +   77 7F47BAAD7740 fail2ban.configparserinc  TRACE | configparserinc-7 : _getSharedSCPWI      |     Shared file: /etc/fail2ban/fail2ban.local
 +   78 7F47BAAD7740 fail2ban                  INFO  | fail2bancmdline-20: initCmdLine          | Using socket file /var/run/fail2ban/fail2ban.sock
 +   78 7F47BAAD7740 fail2ban                  INFO  | fail2bancmdline-20: initCmdLine          | Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to /var/log/fail2ban.log
 +   78 7F47BAAD7740 fail2ban                  HEAVY |  fail2banclient-5 : __processCmd         | CMD: ['status', 'nginx-bots-123']
 +   79 7F47BAAD7740 fail2ban                  HEAVY |  fail2banclient-5 : __processCmd         | OK : [('Filter', [('Currently failed', 0), ('Total failed', 0), ('Journal matches', [''])]), ('Actions', [('Currently banned', 0), ('Total banned', 0), ('Banned IP list', [])])]
 +   79 7F47BAAD7740 fail2ban.beautifier       HEAVY |      beautifier-5 : beautify             | Beautify [('Filter', [('Currently failed', 0), ('Total failed', 0), ('Journal matches', [''])]), ('Actions', [('Currently banned', 0), ('Total banned', 0), ('Banned IP list', [])])] with ['status', 'nginx-bots-123']
Status for the jail: nginx-bots-123
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- Journal matches:  
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:   
 +   79 7F47BAAD7740 fail2ban                  DEBUG | fail2bancmdline-10: exit                 | Exit with code 0

Although the entries do exist:

root@chris-travis-development:~# journalctl CONTAINER_TAG=nginx  --since "2 hour ago" | cat
-- Logs begin at Wed 2020-07-08 16:07:56 UTC, end at Thu 2020-08-13 15:54:43 UTC. --
Aug 13 13:57:49 chris-travis-development nginx[994]: 5.188.210.227 - - [13/Aug/2020:13:57:49 +0000] "\x05\x01\x00" 400 173 "-" "-"
Aug 13 13:58:44 chris-travis-development nginx[994]: 5.188.210.227 - - [13/Aug/2020:13:58:44 +0000] "\x04\x01\x00P\x05\xBC\xD2\xE3\x00" 400 173 "-" "-"
Aug 13 14:00:41 chris-travis-development nginx[994]: 5.188.210.227 - - [13/Aug/2020:14:00:41 +0000] "GET http://5.188.210.227/echo.php HTTP/1.1" 301 185 "https://www.google.com/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"

What am I doing wrong? How do I configure this correctly?


The following test also seems to show correctly that the records exist:

root@chris-travis-development:~# fail2ban-regex --journalmatch='CONTAINER_TAG=nginx' systemd-journal "nginx-botsearch"

Running tests
=============

Use   failregex filter file : nginx-botsearch, basedir: /etc/fail2ban
Use      datepattern : Default Detectors
Use         systemd journal
Use         encoding : UTF-8
Use    journal match : CONTAINER_TAG=nginx


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:

Lines: 3050 lines, 0 ignored, 0 matched, 3050 missed
[processed in 0.77 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 3050 lines

Additional debugging with strace seems to indicate that the file is not being read at all? Unless I am mistaken.

root@chris-travis-development:~# strace fail2ban-client -vvvvvv status nginx-bots-123 2>&1 | grep nginx-bots.conf
root@chris-travis-development:~# strace fail2ban-client -vvvvvv status nginx-bots-123 2>&1 | grep nginx
execve("/usr/bin/fail2ban-client", ["fail2ban-client", "-vvvvvv", "status", "nginx-bots-123"], 0x7fff49c76428 /* 20 vars */) = 0
write(2, " +  172 7F3597063740 fail2ban   "..., 132 +  172 7F3597063740 fail2ban                  HEAVY |  fail2banclient-5 : __processCmd         | CMD: ['status', 'nginx-bots-123']
sendto(3, "\200\4\225\37\0\0\0\0\0\0\0]\224(\214\6status\224\214\16nginx-b"..., 59, 0, NULL, 0) = 59
write(2, " +  177 7F3597063740 fail2ban.be"..., 314 +  177 7F3597063740 fail2ban.beautifier       HEAVY |      beautifier-5 : beautify             | Beautify [('Filter', [('Currently failed', 0), ('Total failed', 0), ('Journal matches', [''])]), ('Actions', [('Currently banned', 0), ('Total banned', 0), ('Banned IP list', [])])] with ['status', 'nginx-bots-123']
write(1, "Status for the jail: nginx-bots-"..., 200Status for the jail: nginx-bots-123
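As an added example (not part of the question, and not fail2ban's own code), the following Python models the journalctl(1) match semantics that a jail's journalmatch relies on: values given for the same field are OR'd, different fields are AND'd, and a standalone + separates alternatives. The two journal entries are constructed; the containerised one carries only CONTAINER_TAG=nginx (its _COMM is assumed to be the runtime process), so it is selected by the match used in the question but not by a unit-based match such as _SYSTEMD_UNIT=nginx.service.

```python
"""Model of the journalctl(1) match semantics used by a jail's journalmatch."""
from typing import Dict, List, Set

Match = Dict[str, Set[str]]  # one AND-group: FIELD -> accepted values

# Constructed journal entries: an nginx inside a container (only the
# runtime's CONTAINER_TAG identifies it) and one running as a systemd unit.
CONTAINER_ENTRY = {"CONTAINER_TAG": "nginx", "SYSLOG_IDENTIFIER": "nginx",
                   "_COMM": "containerd-shim",  # assumed runtime process
                   "MESSAGE": '5.188.210.227 - - "\\x05\\x01\\x00" 400 173 "-" "-"'}
UNIT_ENTRY = {"_SYSTEMD_UNIT": "nginx.service", "_COMM": "nginx",
              "SYSLOG_IDENTIFIER": "nginx",
              "MESSAGE": '198.51.100.7 - - "GET /wp-login.php HTTP/1.1" 404 153 "-" "-"'}

def parse_journalmatch(spec: str) -> List[Match]:
    """Parse 'F=v F2=w + F3=x' into OR'd groups of AND'd field sets.

    journalctl(1) rules: a repeated FIELD inside a group is OR'd, distinct
    FIELDs are AND'd, and a standalone '+' separates groups that are OR'd.
    """
    groups: List[Match] = []
    current: Match = {}
    for token in spec.split():
        if token == "+":
            if current:
                groups.append(current)
                current = {}
            continue
        field, sep, value = token.partition("=")
        if not sep or not field:
            raise ValueError(f"malformed match term: {token!r}")
        current.setdefault(field, set()).add(value)
    if current:
        groups.append(current)
    return groups

def entry_matches(entry: Dict[str, str], groups: List[Match]) -> bool:
    """An empty group list filters nothing, like a journalmatch left unset."""
    if not groups:
        return True
    return any(all(entry.get(f) in vals for f, vals in g.items()) for g in groups)

def select(entries: List[Dict[str, str]], spec: str) -> List[str]:
    """Return the MESSAGE of every entry a jail with this journalmatch would read."""
    groups = parse_journalmatch(spec)
    return [e["MESSAGE"] for e in entries if entry_matches(e, groups)]

if __name__ == "__main__":
    for spec in ("CONTAINER_TAG=nginx", "_SYSTEMD_UNIT=nginx.service + _COMM=nginx", ""):
        print(repr(spec), "->", select([CONTAINER_ENTRY, UNIT_ENTRY], spec))
```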
