On Debian 10 the default named logs to systemd. The latest filter in fail2ban: https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/named-refused.conf
only works with /var/log/named/security.log
. I prepared my own filter; it works, but it is ugly :). It only works for "client*denied". Can someone help me make it work like the original one, for bad zone transfers etc.?
/etc/fail2ban/filter.d/named-refused.conf:
[INCLUDES]
before = common.conf
[DEFAULT]
[Definition]
prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
failregex = ^client @\S* <HOST>#\S.* denied$
ignoreregex =
maxlines = 1
journalmatch = _SYSTEMD_UNIT=bind9.service
datepattern = {^LN-BEG}
Answer 1
Why the stock filter doesn't work for you (you didn't show what the messages in your log look like)...
Basically, you can overwrite every parameter of the stock filter by supplying parameters from the jail.
For example:
[named-refused]
filter = %(known/filter)s[__line_prefix="\s*\S+\s+named\[\d+\]:", journalmatch="_SYSTEMD_UNIT=bind9.service"]
So if your systemd-journal entries look like this:
Mar 24 12:47:28 srv named[3935]: client 192.0.2.1#33081: query (cache) 'example.com/NS/IN' denied
Mar 24 12:47:28 srv named[2954]: client 192.0.2.2#56275: zone transfer 'example.com/AXFR/IN' denied
Mar 24 12:47:28 srv named[2809]: client @0x7f6450002ef0 192.0.2.3#23332 (example.com): bad zone transfer request: 'test.com/IN': non-authoritative zone (NOTAUTH)
But normally the original filter should also work for the journal (only journalmatch is needed to handle it better). Below is an example with the excerpt above (logtype=journal is optional; in the latest fail2ban versions it is set for journal monitoring to simplify the common prefix line):
$ fail2ban-regex /tmp/log 'named-refused[logtype=journal]'
Running tests
=============
Use failregex filter file : named-refused
Use filter options : {'logtype': 'journal'}
Use log file : /tmp/log
Use encoding : UTF-8
Results
=======
Prefregex: 3 total
| ^(?:\s*\S+ (?:(?:\[\d+\])?:\s+\(?named(?:\(\S+\))?\)?:?|\(?named(?:\(\S+\))?\)?:?(?:\[\d+\])?:)\s+)?(?: error:)?\s*client(?: @\S*)? (?:\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?|(?P<dns>[\w\-.^_]*\w))#\S+(?: \([\S.]+\))?: (?P<content>.+)\s(?:denied|\(NOTAUTH\))\s*$
`-
Failregex: 3 total
|- #) [# of hits] regular expression
| 1) [1] ^(?:view (?:internal|external): )?query(?: \(cache\))?
| 2) [1] ^zone transfer
| 3) [1] ^bad zone transfer request: '\S+/IN': non-authoritative zone
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [3] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 3 lines, 0 ignored, 3 matched, 0 missed
To check whether it works with your journal, you can use this:
# stock parameters, only journal match:
fail2ban-regex systemd-journal 'named-refused[journalmatch="_SYSTEMD_UNIT=bind9.service"]'
# overwritten __line_prefix and set journalmatch:
fail2ban-regex systemd-journal 'named-refused[__line_prefix="\s*\S+\s+named\[\d+\]:", journalmatch="_SYSTEMD_UNIT=bind9.service"]'
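The stock filter's behaviour on the three journal lines above, as an added example that is not code from the answer or from the fail2ban project: it applies the expanded prefregex and the three failregexes exactly as fail2ban-regex printed them to constructed sample lines, and returns which host and which failregex each line hit. The timestamp stripper, the benign fourth line and the function names are assumptions standing in for fail2ban's own datepattern handling and jail bookkeeping.

```python
import re

# Constructed sample journal lines: the answer's three excerpts plus one benign
# line that must not match.
SAMPLE_LINES = [
    "Mar 24 12:47:28 srv named[3935]: client 192.0.2.1#33081: query (cache) 'example.com/NS/IN' denied",
    "Mar 24 12:47:28 srv named[2954]: client 192.0.2.2#56275: zone transfer 'example.com/AXFR/IN' denied",
    "Mar 24 12:47:28 srv named[2809]: client @0x7f6450002ef0 192.0.2.3#23332 (example.com): "
    "bad zone transfer request: 'test.com/IN': non-authoritative zone (NOTAUTH)",
    "Mar 24 12:47:29 srv named[3935]: client 192.0.2.9#40000: query 'example.com/A/IN' approved",
]

# fail2ban removes the timestamp before prefregex runs; this simplified pattern
# (an assumption) stands in for the {^LN-BEG} "MON Day %k:Minute:Second" template.
DATE_RE = re.compile(r"^\s*\w{3}\s+\d{1,2}\s+\d{1,2}:\d{2}:\d{2}(?:\.\d+)?\s+")

# The prefregex as fail2ban-regex printed it, with <HOST> already expanded to
# the ip4 / ip6 / dns alternation.
PREFREGEX = re.compile(
    r"^(?:\s*\S+ (?:(?:\[\d+\])?:\s+\(?named(?:\(\S+\))?\)?:?|\(?named(?:\(\S+\))?\)?:?(?:\[\d+\])?:)\s+)?"
    r"(?: error:)?\s*client(?: @\S*)? "
    r"(?:\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})"
    r"|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?"
    r"|(?P<dns>[\w\-.^_]*\w))"
    r"#\S+(?: \([\S.]+\))?: (?P<content>.+)\s(?:denied|\(NOTAUTH\))\s*$"
)

# The three failregexes; each is applied only to the <content> group captured
# by the prefregex, which is how fail2ban chains prefregex and failregex.
FAILREGEXES = [
    re.compile(r"^(?:view (?:internal|external): )?query(?: \(cache\))?"),
    re.compile(r"^zone transfer"),
    re.compile(r"^bad zone transfer request: '\S+/IN': non-authoritative zone"),
]


def match_line(line):
    """Return (host, failregex number) for a refused-request line, else None."""
    stripped = DATE_RE.sub("", line, count=1)
    m = PREFREGEX.match(stripped)
    if not m:
        return None
    host = m.group("ip4") or m.group("ip6") or m.group("dns")
    content = m.group("content")
    for idx, fr in enumerate(FAILREGEXES, start=1):
        if fr.match(content):
            return host, idx
    return None


def scan(lines):
    """Run the filter over many lines and count hits per host, as a jail would."""
    hits = {}
    for line in lines:
        res = match_line(line)
        if res:
            hits[res[0]] = hits.get(res[0], 0) + 1
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(match_line(line), "<-", line)
    print(scan(SAMPLE_LINES))
```

Running it shows all three excerpts matching on the expected failregex (query denied, zone transfer denied, NOTAUTH) with the client IP extracted, while the "approved" line is ignored because the prefregex requires a trailing "denied" or "(NOTAUTH)"; this is the same split fail2ban-regex reports as 3 matched, 0 missed.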