我正在尝试在 fail2ban 中为运动流 http 身份验证创建自定义监狱和过滤器。日志目录是,/var/log/motion/motion.log并且失败的登录尝试会生成:
[0:ml1] [ALR] [STR] [Nov 02 16:47:57] handle_basic_auth: motion-stream - failed auth attempt from 192.168.0.65
我的自定义监狱/etc/failban/jail.local如下所示:
[motion-auth]
enabled = true
port = 8010
filter = motion-auth.conf
logpath = /var/log/motion/motion.log
banaction = %(banaction_allports)s
maxretry = 3
findtime = 10800
bantime = 259200
我的motion-auth.conf文件/etc/failban/filter.d/如下所示:
[INCLUDES]
before = common.conf
[Definition]
_pref_line = ^%(__prefix_line)s(?:\d+-\d+-\d+ \d+:\d+:\d+\.\d+)?
failregex = [0:ml1] [ALR] [STR] .* handle_basic_auth: motion-stream - failed auth attempt from <HOST>
我在过滤文件中写入 failregex 时遇到了麻烦。有人能帮我解决吗?
答案1
我知道这是一个老问题,但它仍然出现在搜索引擎结果中,所以这里有一个详细的答案。
对于正则表达式,[ALR]和类似的括号字符串具有特殊含义,即:“以下字符之一:A、L 或 R”。要告诉正则表达式您想要匹配文字字符[和],请使用\反斜杠字符对其进行转义。
log_line="[0:ml1] [ALR] [STR] [Nov 02 16:47:57] \
handle_basic_auth: motion-stream - failed auth attempt from 192.168.0.65"
regex="\[0:ml1\] \[ALR\] \[STR\] .* handle_basic_auth: motion-stream - \
failed auth attempt from <HOST>"
fail2ban-regex "$log_line" "$regex" | grep matched
Lines: 1 lines, 0 ignored, 1 matched, 0 missed