Fail2ban version v0.10.2
I have a simple jail that looks for a specific user agent.
[barkrowler]
enabled = true
filter = barkrowler
logpath = /var/log/apache2/proxy.mydomain.com.access.log
port = 80,81,8103,8203,8303
maxretry = 1
findtime = 10
bantime = 86400
action = iptables-allports[name=barkrowler]
File /etc/fail2ban/filter.d/barkrowler.conf
[Definition]
failregex=^.*\| <HOST> .*Barkrowler.*
A typical access log line from this user agent:
[2020-10-13 14:23:09 (Tue)] | server20 | R:- | www.mydomain.com | 62.210.78.76 |"GET /robots.txt HTTP/1.1" | 301 | 249 | 80 | "-" | "Mozilla/5.0 (compatible; Barkrowler/0.9; +https://babbar.tech/crawler)"
fail2ban-regex shows that it matches:
root@server20:/etc/fail2ban# fail2ban-regex --print-all-matched /var/log/apache2/proxy.mydomain.com.access.log /etc/fail2ban/filter.d/barkrowler.conf
Running tests
=============
Use failregex filter file : barkrowler, basedir: /etc/fail2ban
Use log file : /var/log/apache2/proxy.mydomain.com.access.log
Use encoding : UTF-8
Results
=======
Failregex: 1354 total
|- #) [# of hits] regular expression
| 1) [1354] ^.*\| <HOST> .*Barkrowler.*
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [1106761] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-
Any idea what is going wrong? My backend is pyinotify and the time is correct.
root@server20:/etc/fail2ban# timedatectl
Local time: Tue 2020-10-13 14:47:37 CDT
Universal time: Tue 2020-10-13 19:47:37 UTC
RTC time: Tue 2020-10-13 19:47:37
Time zone: America/Chicago (CDT, -0500)
System clock synchronized: yes
systemd-timesyncd.service active: yes
RTC in local TZ: no
The Fail2ban log shows nothing after startup:
2020-10-13 14:17:45,055 fail2ban.jail [18459]: INFO Jail 'barkrowler' started
Answer 1
It seems my problem was related to the findtime part of the jail. Watching the log hits, I noticed they were spaced further apart than fail2ban was detecting (1-2 minutes apart). I changed it to findtime = 120, and then it started banning.
So if anyone runs into this: if the rest of your configuration is correct and your regex is sane, pay attention to these two settings (findtime and maxretry).
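To make the interaction between the filter, findtime and maxretry concrete, here is an added example (not fail2ban's own code and not part of the question or answer) that models fail2ban's counting logic in Python against constructed sample lines in the same log format as the question. It expands <HOST> with a simplified IPv4-only pattern (fail2ban's real expansion also covers IPv6 and hostnames), skips matching lines whose timestamp is already older than findtime at the moment they are read, keeps per-host hits within a sliding findtime window, and reports a ban once a host reaches maxretry. The function names, the second IP address and the "now" values are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> expansion: IPv4 only (the real
# expansion also matches IPv6 addresses and hostnames).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# The failregex from the question, with <HOST> expanded.
FAIL_RE = re.compile(r"^.*\| <HOST> .*Barkrowler.*".replace("<HOST>", HOST_RE))

# Leading timestamp of the custom Apache format: "[2020-10-13 14:23:09 (Tue)]"
DATE_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

# Constructed sample log: the crawler IP from the question hitting roughly
# every 90 seconds, plus one ordinary browser request from another address.
SAMPLE_LOG = """\
[2020-10-13 14:23:09 (Tue)] | server20 | R:- | www.mydomain.com | 62.210.78.76 |"GET /robots.txt HTTP/1.1" | 301 | 249 | 80 | "-" | "Mozilla/5.0 (compatible; Barkrowler/0.9; +https://babbar.tech/crawler)"
[2020-10-13 14:23:40 (Tue)] | server20 | R:- | www.mydomain.com | 198.51.100.7 |"GET /index.html HTTP/1.1" | 200 | 5120 | 80 | "-" | "Mozilla/5.0 (Windows NT 10.0) Firefox/81.0"
[2020-10-13 14:24:41 (Tue)] | server20 | R:- | www.mydomain.com | 62.210.78.76 |"GET / HTTP/1.1" | 301 | 249 | 80 | "-" | "Mozilla/5.0 (compatible; Barkrowler/0.9; +https://babbar.tech/crawler)"
[2020-10-13 14:26:10 (Tue)] | server20 | R:- | www.mydomain.com | 62.210.78.76 |"GET /about HTTP/1.1" | 301 | 249 | 80 | "-" | "Mozilla/5.0 (compatible; Barkrowler/0.9; +https://babbar.tech/crawler)"
"""


def clock(hhmmss):
    """Build a 'now' timestamp on the sample log's date (helper for the example)."""
    return datetime.strptime("2020-10-13 " + hhmmss, "%Y-%m-%d %H:%M:%S")


def parse_line(line):
    """Return (timestamp, host) for a line the failregex matches, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    d = DATE_RE.match(line)
    if not d:
        return None
    ts = datetime.strptime(d.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("host")


def evaluate(log_text, now, findtime, maxretry):
    """Model of fail2ban's failure counting.

    Returns (banned_hosts, ignored_count):
    - a matching line whose timestamp is older than now - findtime is ignored
      outright (fail2ban treats such lines as too old to count),
    - otherwise the hit is recorded and earlier hits for that host that fall
      outside the findtime window relative to this hit are discarded,
    - a host is banned once it has at least maxretry hits in the window.
    """
    window = timedelta(seconds=findtime)
    hits = {}
    banned = set()
    ignored = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a failure line for this filter
        ts, host = parsed
        if ts < now - window:
            ignored += 1  # too old relative to findtime: never counted
            continue
        recent = [t for t in hits.get(host, []) if ts - t <= window]
        recent.append(ts)
        hits[host] = recent
        if len(recent) >= maxretry:
            banned.add(host)
    return banned, ignored


if __name__ == "__main__":
    # Lines read 30 s after the last hit: with findtime = 10 every hit is
    # already stale, so even maxretry = 1 bans nothing; findtime = 120 bans.
    for findtime in (10, 120):
        banned, ignored = evaluate(SAMPLE_LOG, clock("14:26:40"), findtime, 1)
        print(f"findtime={findtime:>3} maxretry=1 -> banned={sorted(banned)} ignored={ignored}")
```

Run as a script, the first configuration mirrors the question's jail (findtime = 10, maxretry = 1) and bans nothing because every matching line is older than 10 seconds by the time it is read, while findtime = 120 bans 62.210.78.76; the browser address never matches the filter and is never counted.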