Fail2Ban with named and systemd on Debian 10

On Debian 10 the default named logs to systemd. The latest filter in fail2ban, https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/named-refused.conf

only works with /var/log/named/security.log. I prepared my own filter; it works, but it is ugly :). It only handles "client*denied". Could someone help me make it work like the original one, for bad zone transfers etc.?

/etc/fail2ban/filter.d/named-refused.conf

[INCLUDES]
before = common.conf
[DEFAULT]
[Definition]
# strip the generic syslog/journal prefix, keep the rest as the content to test
prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
# only "client ... denied" messages are caught; bad zone transfer requests are not
failregex = ^client @\S* <HOST>#\S.* denied$
ignoreregex =
maxlines = 1
journalmatch = _SYSTEMD_UNIT=bind9.service
datepattern = {^LN-BEG}

Answer 1

Why the stock filter doesn't work for you (you didn't show what the messages in your log look like)...

Basically, you can override every parameter of the stock filter by supplying it as a parameter from the jail.
For example:

[named-refused]
filter = %(known/filter)s[__line_prefix="\s*\S+\s+named\[\d+\]:", journalmatch="_SYSTEMD_UNIT=bind9.service"]

So, if your systemd-journal entries look like this:

Mar 24 12:47:28 srv named[3935]: client 192.0.2.1#33081: query (cache) 'example.com/NS/IN' denied
Mar 24 12:47:28 srv named[2954]: client 192.0.2.2#56275: zone transfer 'example.com/AXFR/IN' denied
Mar 24 12:47:28 srv named[2809]: client @0x7f6450002ef0 192.0.2.3#23332 (example.com): bad zone transfer request: 'test.com/IN': non-authoritative zone (NOTAUTH)

But normally the original filter must also work with the journal (it only needs journalmatch to handle it better). Below is an example with the excerpt above (logtype=journal is optional; in the latest fail2ban versions it is set for journal monitoring in order to simplify the generic prefix line):

$ fail2ban-regex /tmp/log 'named-refused[logtype=journal]'

Running tests
=============

Use   failregex filter file : named-refused
Use   filter options : {'logtype': 'journal'}
Use         log file : /tmp/log
Use         encoding : UTF-8


Results
=======

Prefregex: 3 total
|  ^(?:\s*\S+ (?:(?:\[\d+\])?:\s+\(?named(?:\(\S+\))?\)?:?|\(?named(?:\(\S+\))?\)?:?(?:\[\d+\])?:)\s+)?(?: error:)?\s*client(?: @\S*)? (?:\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?|(?P<dns>[\w\-.^_]*\w))#\S+(?: \([\S.]+\))?: (?P<content>.+)\s(?:denied|\(NOTAUTH\))\s*$
`-

Failregex: 3 total
|-  #) [# of hits] regular expression
|   1) [1] ^(?:view (?:internal|external): )?query(?: \(cache\))?
|   2) [1] ^zone transfer
|   3) [1] ^bad zone transfer request: '\S+/IN': non-authoritative zone
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [3] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 3 lines, 0 ignored, 3 matched, 0 missed

To check whether it works with your journal, you can use this:

# stock parameters, only journal match:
fail2ban-regex systemd-journal 'named-refused[journalmatch="_SYSTEMD_UNIT=bind9.service"]'

# overwritten __line_prefix and set journalmatch:
fail2ban-regex systemd-journal 'named-refused[__line_prefix="\s*\S+\s+named\[\d+\]:", journalmatch="_SYSTEMD_UNIT=bind9.service"]'
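To see what the stock filter's prefregex and failregexes actually do with the journal lines quoted above, here is an added Python re-implementation of that two-stage matching; it is not fail2ban's own code and not part of the answer. It assumes a fixed syslog-style date prefix (fail2ban's datepattern handles that in practice) and uses an IPv4-only stand-in for the `<HOST>` tag; the fourth sample line (an "approved" query) is a constructed negative case.

```python
import re

# Sample journal lines: the first three are the ones from the answer, the fourth is a
# constructed non-refusal that must NOT be matched (192.0.2.0/24 is a documentation range).
SAMPLE_LINES = [
    "Mar 24 12:47:28 srv named[3935]: client 192.0.2.1#33081: query (cache) 'example.com/NS/IN' denied",
    "Mar 24 12:47:28 srv named[2954]: client 192.0.2.2#56275: zone transfer 'example.com/AXFR/IN' denied",
    "Mar 24 12:47:28 srv named[2809]: client @0x7f6450002ef0 192.0.2.3#23332 (example.com): bad zone transfer request: 'test.com/IN': non-authoritative zone (NOTAUTH)",
    "Mar 24 12:47:29 srv named[2809]: client 192.0.2.4#4242: query (cache) 'example.com/A/IN' approved",
]

# Assumption: a fixed "Mon DD HH:MM:SS " prefix stands in for fail2ban's date detection.
DATE_RE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d ")
# __line_prefix as given in the answer: "<host> named[<pid>]:"
LINE_PREFIX = r"\s*\S+\s+named\[\d+\]:"
# Assumption: IPv4-only stand-in for <HOST> (the stock tag also covers IPv6 and DNS names).
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
# Stage 1, prefregex: same structure as the one printed by fail2ban-regex above. It keeps
# everything between the client address and the trailing "denied"/"(NOTAUTH)" as <content>.
PREFREGEX = re.compile(
    r"^(?:" + LINE_PREFIX + r"\s+)?(?: error:)?\s*client(?: @\S*)? " + HOST
    + r"#\S+(?: \([\S.]+\))?: (?P<content>.+)\s(?:denied|\(NOTAUTH\))\s*$"
)
# Stage 2, failregex: the three expressions from the stock filter, tested against <content>.
FAILREGEX = [
    re.compile(r"^(?:view (?:internal|external): )?query(?: \(cache\))?"),
    re.compile(r"^zone transfer"),
    re.compile(r"^bad zone transfer request: '\S+/IN': non-authoritative zone"),
]


def match_line(line):
    """Return the offending client address if the line is a named refusal, else None."""
    line = DATE_RE.sub("", line, count=1)
    pre = PREFREGEX.match(line)
    if not pre:
        return None
    content = pre.group("content")
    if any(fr.search(content) for fr in FAILREGEX):
        return pre.group("host")
    return None


def scan(lines):
    """Addresses that would be reported to the jail, in log order."""
    return [host for host in (match_line(line) for line in lines) if host]


if __name__ == "__main__":
    for host in scan(SAMPLE_LINES):
        print("would ban:", host)
```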
