尽管 fail2ban-regex 建议它应该可以工作,但我的自定义 fail2ban jail 仍然加载失败?

尽管 fail2ban-regex 建议它应该可以工作,但我的自定义 fail2ban jail 仍然加载失败?

我在 fail2ban 中编写了一个自定义 jail 和过滤器,用于登录我的服务。日志文件位于/var/log/motion/motion.log,登录失败会生成如下行:

[0:ml1] [ALR] [STR] [Nov 02 11:42:59] handle_basic_auth: motion-stream - failed auth attempt from <ip>

我的监狱看起来/etc/fail2ban/jail.local是这样的:

[motion-auth]

enabled = true
port     = 8008
filter = motion-auth.conf
logpath  = /var/log/motion/motion.log
banaction = %(banaction_allports)s
maxretry = 3
findtime = 10800
bantime = 259200

我的命名过滤器/etc/fail2ban/filter.d如下motion-auth.conf所示:

[Definition]
failregex = \[0:ml1\] \[ALR\] \[STR\] \[.*\] handle_basic_auth: motion-stream - failed auth attempt from <HOST>

当我运行时,fail2ban-regex /var/log/motion/motion.log /etc/fail2ban/filter.d/motion-auth.conf我得到确认,我的过滤器确实按预期运行:

Running tests
=============

Use   failregex filter file : motion-auth, basedir: /etc/fail2ban
Use         log file : /var/log/motion/motion.log
Use         encoding : UTF-8


Results
=======

Failregex: 186 total
|-  #) [# of hits] regular expression
|   1) [186] \[0:ml1\] \[ALR\] \[STR\] \[.*\] handle_basic_auth: motion-stream - failed auth attempt from <HOST>
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [2640] (?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 2929 lines, 0 ignored, 186 matched, 2743 missed
[processed in 1.06 sec]

但是当我尝试重新加载/重新启动 fail2ban 以添加我的新过滤器时,我收到如下消息:

Found no accessible config files for 'filter.d/motion-auth.conf' under /etc/fail2ban
 Unable to read the filter 'motion-auth.conf'
 Errors in jail 'motion-auth'. Skipping...
OK

有人知道我做错什么了吗?

答案1

来自 jail.conf 的手册页:

筛选

过滤器的名称——/etc/fail2ban/filter.d/ 中过滤器的文件名没有 .conf/.local 扩展名。仅可指定一个过滤器。

Fail2ban 可能正在寻找一个名为 的文件motion-auth.conf.conf

你的监狱应该是:

[motion-auth]

enabled = true
port     = 8008
filter = motion-auth
...

如果你的过滤器与/etc/fail2ban/filter.d/监狱名称匹配(比如这里motion-auth.conf[motion-auth]您不需要指定过滤器,这是默认值。

答案2

尝试删除该行:

过滤器=运动认证.conf

如果过滤器配置文件名与监狱标题相同,则没有必要(我认为......)

相关内容