I am trying to set up fail2ban to monitor our traefik access logs, but although fail2ban-regex shows a lot of matches, I cannot get fail2ban to actually ban anything.
I have also set loglevel = HEAVYDEBUG for fail2ban, but it does not log anything special to my logtarget (/var/log/fail2ban.log).
I have checked that pyinotify is installed. I have also tried switching to the polling backend, but the result is the same.
fail2ban version: 0.11.1-1
Ubuntu version: Ubuntu 20.04.6 LTS
This is the output I get from fail2ban-regex:
Use failregex filter file : wordpress-general-forceful-browsing, basedir: /etc/fail2ban
Use datepattern : "StartLocal":"Year-Month-Day[T]24hour:Minute:Second\.Microseconds\d*[Z](Zone offset)?",
Use log file : /opt/traefik/logs/access.log
Use encoding : UTF-8
Results
=======
Failregex: 488 total
|- #) [# of hits] regular expression
| 1) [488] ^{"ClientAddr":"<F-CLIENTADDR>.*</F-CLIENTADDR>","ClientHost":"<HOST>","ClientPort":"<F-CLIENTPORT>.*</F-CLIENTPORT>","ClientUsername":"<F-CLIENTUSERNAME>.*</F-CLIENTUSERNAME>","DownstreamContentSize":<F-DOWNSTREAMCONTENTSIZE>.*</F-DOWNSTREAMCONTENTSIZE>,"DownstreamStatus":<F-DOWNSTREAMSTATUS>.*</F-DOWNSTREAMSTATUS>,"Duration":<F-DURATION>.*</F-DURATION>,"OriginContentSize":<F-ORIGINCONTENTSIZE>.*</F-ORIGINCONTENTSIZE>,"OriginDuration":<F-ORIGINDURATION>.*</F-ORIGINDURATION>,"OriginStatus":(405|404|403|402|401),"Overhead":<F-OVERHEAD>.*</F-OVERHEAD>,"RequestAddr":"<F-REQUESTADDR>.*</F-REQUESTADDR>","RequestContentSize":<F-REQUESTCONTENTSIZE>.*</F-REQUESTCONTENTSIZE>,"RequestCount":<F-REQUESTCOUNT>.*</F-REQUESTCOUNT>,"RequestHost":"<F-CONTAINER>.*</F-CONTAINER>","RequestMethod":"<F-REQUESTMETHOD>.*</F-REQUESTMETHOD>","RequestPath":"<F-REQUESTPATH>.*</F-REQUESTPATH>","RequestPort":"<F-REQUESTPORT>.*</F-REQUESTPORT>","RequestProtocol":"<F-REQUESTPROTOCOL>.*</F-REQUESTPROTOCOL>","RequestScheme":"<F-REQUESTSCHEME>.*</F-REQUESTSCHEME>","RetryAttempts":<F-RETRYATTEMPTS>.*</F-RETRYATTEMPTS>,.*"StartLocal":"<F-STARTLOCAL>.*</F-STARTLOCAL>","StartUTC":"<F-STARTUTC>.*</F-STARTUTC>","TLSCipher":"<F-TLSCIPHER>.*</F-TLSCIPHER>","TLSVersion":"<F-TLSVERSION>.*</F-TLSVERSION>","entryPointName":"<F-ENTRYPOINTNAME>.*</F-ENTRYPOINTNAME>","level":"<F-LEVEL>.*</F-LEVEL>","msg":"<F-MSG>.*</F-MSG>",("request_User-Agent":"<F-USERAGENT>.*</F-USERAGENT>",){0,1}?"time":"<F-TIME>.*</F-TIME>"}$
`-
Ignoreregex: 128 total
|- #) [# of hits] regular expression
| 1) [128] ^{"ClientAddr":"<F-CLIENTADDR>.*</F-CLIENTADDR>","ClientHost":"<HOST>","ClientPort":"<F-CLIENTPORT>.*</F-CLIENTPORT>","ClientUsername":"<F-CLIENTUSERNAME>.*</F-CLIENTUSERNAME>","DownstreamContentSize":<F-DOWNSTREAMCONTENTSIZE>.*</F-DOWNSTREAMCONTENTSIZE>,"DownstreamStatus":<F-DOWNSTREAMSTATUS>.*</F-DOWNSTREAMSTATUS>,"Duration":<F-DURATION>.*</F-DURATION>,"OriginContentSize":<F-ORIGINCONTENTSIZE>.*</F-ORIGINCONTENTSIZE>,"OriginDuration":<F-ORIGINDURATION>.*</F-ORIGINDURATION>,"OriginStatus":(405|404|403|402|401),"Overhead":<F-OVERHEAD>.*</F-OVERHEAD>,"RequestAddr":"<F-REQUESTADDR>.*</F-REQUESTADDR>","RequestContentSize":<F-REQUESTCONTENTSIZE>.*</F-REQUESTCONTENTSIZE>,"RequestCount":<F-REQUESTCOUNT>.*</F-REQUESTCOUNT>,"RequestHost":"<F-REQUESTHOST>.*</F-REQUESTHOST>","RequestMethod":"<F-REQUESTMETHOD>.*</F-REQUESTMETHOD>","RequestPath":"<F-REQUESTPATH>.*(\.png|\.webp|\.jpe?g|\.gif|\.mp3|\.mov|\.mp4|\.json|\.map|\.ico|\.js|\.css|\.ttf|\.woff|\.woff2)(/)*?</F-REQUESTPATH>","RequestPort":"<F-REQUESTPORT>.*</F-REQUESTPORT>","RequestProtocol":"<F-REQUESTPROTOCOL>.*</F-REQUESTPROTOCOL>","RequestScheme":"<F-REQUESTSCHEME>.*</F-REQUESTSCHEME>","RetryAttempts":<F-RETRYATTEMPTS>.*</F-RETRYATTEMPTS>,.*"StartLocal":"<F-STARTLOCAL>.*</F-STARTLOCAL>","StartUTC":"<F-STARTUTC>.*</F-STARTUTC>","TLSCipher":"<F-TLSCIPHER>.*</F-TLSCIPHER>","TLSVersion":"<F-TLSVERSION>.*</F-TLSVERSION>","entryPointName":"<F-ENTRYPOINTNAME>.*</F-ENTRYPOINTNAME>","level":"<F-LEVEL>.*</F-LEVEL>","msg":"<F-MSG>.*</F-MSG>",("request_User-Agent":"<F-USERAGENT>.*</F-USERAGENT>",){0,1}?"time":"<F-TIME>.*</F-TIME>"}$
`-
Date template hits:
|- [# of hits] date format
| [24435] "StartLocal":"Year-Month-Day[T]24hour:Minute:Second\.Microseconds\d*[Z](Zone offset)?",
`-
Lines: 24435 lines, 128 ignored, 488 matched, 23819 missed
[processed in 19.73 sec]
This is the output of fail2ban-client status:
Status
|- Number of jail: 3
`- Jail list: sshd, wordpress-auth, wordpress-general
This is the output of /var/log/fail2ban.log:
2023-04-28 15:21:29,943 fail2ban.server [1831210]: INFO Starting Fail2ban v0.11.1
2023-04-28 15:21:29,943 fail2ban.server [1831210]: INFO Daemon started
2023-04-28 15:21:29,943 fail2ban.observer [1831210]: INFO Observer start...
2023-04-28 15:21:29,951 fail2ban.database [1831210]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2023-04-28 15:21:29,952 fail2ban.jail [1831210]: INFO Creating new jail 'sshd'
2023-04-28 15:21:29,962 fail2ban.jail [1831210]: INFO Jail 'sshd' uses pyinotify {}
2023-04-28 15:21:29,965 fail2ban.jail [1831210]: INFO Initiated 'pyinotify' backend
2023-04-28 15:21:29,967 fail2ban.filter [1831210]: INFO maxLines: 1
2023-04-28 15:21:29,986 fail2ban.filter [1831210]: INFO maxRetry: 5
2023-04-28 15:21:29,986 fail2ban.filter [1831210]: INFO findtime: 600
2023-04-28 15:21:29,986 fail2ban.actions [1831210]: INFO banTime: 600
2023-04-28 15:21:29,986 fail2ban.jail [1831210]: INFO Set banTime.increment = True
2023-04-28 15:21:29,986 fail2ban.jail [1831210]: INFO Set banTime.multipliers = 1 5 30 60 300 720 1440 2880
2023-04-28 15:21:29,986 fail2ban.jail [1831210]: INFO Set banTime.rndtime = 2048
2023-04-28 15:21:29,987 fail2ban.filter [1831210]: INFO encoding: UTF-8
2023-04-28 15:21:29,987 fail2ban.filter [1831210]: INFO Added logfile: '/var/log/auth.log' (pos = 461226, hash = bdb63f55b88b6f0ed320e1dc41b35bdf05ceb27e)
2023-04-28 15:21:29,988 fail2ban.jail [1831210]: INFO Creating new jail 'wordpress-general'
2023-04-28 15:21:29,988 fail2ban.jail [1831210]: INFO Jail 'wordpress-general' uses pyinotify {}
2023-04-28 15:21:29,991 fail2ban.jail [1831210]: INFO Initiated 'pyinotify' backend
2023-04-28 15:21:29,997 fail2ban.datedetector [1831210]: INFO date pattern `'"StartLocal":"%Y-%m-%d[T]%H:%M:%S\\.%f\\d*[Z](%z)?",'`: `"StartLocal":"Year-Month-Day[T]24hour:Minute:Second\.Microseconds\d*[Z](Zone offset)?",`
2023-04-28 15:21:29,997 fail2ban.filter [1831210]: INFO maxRetry: 5
2023-04-28 15:21:29,997 fail2ban.filter [1831210]: INFO findtime: 60
2023-04-28 15:21:29,998 fail2ban.actions [1831210]: INFO banTime: 600
2023-04-28 15:21:29,998 fail2ban.jail [1831210]: INFO Set banTime.increment = True
2023-04-28 15:21:29,998 fail2ban.jail [1831210]: INFO Set banTime.multipliers = 1 5 30 60 300 720 1440 2880
2023-04-28 15:21:29,998 fail2ban.jail [1831210]: INFO Set banTime.rndtime = 2048
2023-04-28 15:21:29,998 fail2ban.filter [1831210]: INFO encoding: UTF-8
2023-04-28 15:21:29,998 fail2ban.filter [1831210]: INFO Added logfile: '/opt/traefik/logs/access.log' (pos = 20143198, hash = c29bd2d433a5900e0dc59f30ce688fdcd73e1b7e)
2023-04-28 15:21:29,999 fail2ban.jail [1831210]: INFO Creating new jail 'wordpress-auth'
2023-04-28 15:21:29,999 fail2ban.jail [1831210]: INFO Jail 'wordpress-auth' uses pyinotify {}
2023-04-28 15:21:30,002 fail2ban.jail [1831210]: INFO Initiated 'pyinotify' backend
2023-04-28 15:21:30,006 fail2ban.datedetector [1831210]: INFO date pattern `'"StartLocal":"%Y-%m-%d[T]%H:%M:%S\\.%f\\d*[Z](%z)?",'`: `"StartLocal":"Year-Month-Day[T]24hour:Minute:Second\.Microseconds\d*[Z](Zone offset)?",`
2023-04-28 15:21:30,006 fail2ban.filter [1831210]: INFO maxRetry: 5
2023-04-28 15:21:30,006 fail2ban.filter [1831210]: INFO findtime: 60
2023-04-28 15:21:30,006 fail2ban.actions [1831210]: INFO banTime: 600
2023-04-28 15:21:30,006 fail2ban.jail [1831210]: INFO Set banTime.increment = True
2023-04-28 15:21:30,006 fail2ban.jail [1831210]: INFO Set banTime.multipliers = 1 5 30 60 300 720 1440 2880
2023-04-28 15:21:30,006 fail2ban.jail [1831210]: INFO Set banTime.rndtime = 2048
2023-04-28 15:21:30,006 fail2ban.filter [1831210]: INFO encoding: UTF-8
2023-04-28 15:21:30,007 fail2ban.filter [1831210]: INFO Added logfile: '/opt/traefik/logs/access.log' (pos = 20143198, hash = c29bd2d433a5900e0dc59f30ce688fdcd73e1b7e)
2023-04-28 15:21:30,008 fail2ban.jail [1831210]: INFO Jail 'sshd' started
2023-04-28 15:21:30,009 fail2ban.jail [1831210]: INFO Jail 'wordpress-general' started
2023-04-28 15:21:30,010 fail2ban.jail [1831210]: INFO Jail 'wordpress-auth' started
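The difference between "fail2ban-regex matches a line" and "the jail bans a host" is the sliding window: fail2ban-regex counts every matching line in the file regardless of age, while a running jail only bans when maxretry failures from the same ClientHost fall within findtime seconds of each other. The script below is an added example, not part of the original post and not fail2ban's own code. It replays Traefik JSON access-log lines through that counting rule using the parameters visible in the posted fail2ban.log for the wordpress-general jail (maxretry 5, findtime 60) and mirrors the criteria of the posted failregex/ignoreregex (OriginStatus 401-405 counts as a failure; paths ending in a static-asset extension are ignored). The log lines, hosts, paths and timestamps are constructed samples, and all function names are mine.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail parameters as shown in the posted fail2ban.log for 'wordpress-general'.
MAXRETRY = 5
FINDTIME = 60  # seconds

# Mirrors the posted failregex ("OriginStatus":(405|404|403|402|401)) and the
# ignoreregex (RequestPath ending in a static-asset extension, optional slashes).
FAIL_STATUSES = {401, 402, 403, 404, 405}
STATIC_ASSET_RE = re.compile(
    r"\.(png|webp|jpe?g|gif|mp3|mov|mp4|json|map|ico|js|css|ttf|woff|woff2)/*$", re.I)

# Traefik's StartLocal is RFC 3339 with up to nine fractional digits and either
# 'Z' or a numeric offset; the posted datepattern parses exactly that field.
_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})$")


def parse_start_local(value):
    """Parse a StartLocal value into an offset-aware datetime (fraction truncated to microseconds)."""
    m = _TS_RE.match(value)
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    base, frac, tz = m.groups()
    micro = (frac or "0")[:6].ljust(6, "0")
    return datetime.fromisoformat(f"{base}.{micro}{'+00:00' if tz == 'Z' else tz}")


def is_failure(entry):
    """Apply the failregex/ignoreregex semantics to one decoded access-log entry."""
    try:
        status = int(entry["OriginStatus"])
    except (KeyError, TypeError, ValueError):
        return False
    if status not in FAIL_STATUSES:
        return False
    # The ignoreregex drops 401-405 responses for static assets (favicons, CSS, ...).
    return not STATIC_ASSET_RE.search(entry.get("RequestPath", ""))


def simulate_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay JSON lines through a per-host sliding window of `findtime` seconds.

    Returns (matches, bans): `matches` is what fail2ban-regex would report,
    `bans` lists (host, timestamp) for hosts reaching `maxretry` failures in window.
    """
    window = defaultdict(deque)
    banned, bans, matches = set(), [], 0
    for raw in lines:
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not an access-log line; the failregex would not match it either
        if not is_failure(entry):
            continue
        matches += 1
        host = entry["ClientHost"]
        if host in banned:
            continue
        ts = parse_start_local(entry["StartLocal"])
        q = window[host]
        q.append(ts)
        while q and (ts - q[0]) > timedelta(seconds=findtime):
            q.popleft()  # failures older than findtime no longer count
        if len(q) >= maxretry:
            banned.add(host)
            bans.append((host, ts))
            q.clear()
    return matches, bans


def make_line(host, path, status, start_local):
    """Constructed minimal Traefik JSON access-log entry (sample data, not real traffic)."""
    return json.dumps({"ClientAddr": f"{host}:51234", "ClientHost": host, "ClientPort": "51234",
                       "DownstreamStatus": status, "OriginStatus": status,
                       "RequestHost": "blog.example.com", "RequestMethod": "GET",
                       "RequestPath": path, "StartLocal": start_local, "time": start_local})


def build_samples():
    lines = []
    # Host A: five 404s within 40 s -> reaches maxretry 5 inside findtime 60.
    for i in range(5):
        lines.append(make_line("203.0.113.5", "/backup/", 404, f"2023-04-28T15:20:{i*10:02d}.100000000+02:00"))
    # Host B: five 403s ten minutes apart -> five matches, but never five inside one window.
    for i in range(5):
        lines.append(make_line("198.51.100.7", "/private/", 403, f"2023-04-28T15:{i*10:02d}:00.000000000+02:00"))
    # Host C: a 404 on a static asset (ignoreregex) and an ordinary 200.
    lines.append(make_line("192.0.2.9", "/wp-content/logo.png", 404, "2023-04-28T15:21:00Z"))
    lines.append(make_line("192.0.2.9", "/", 200, "2023-04-28T15:21:05Z"))
    return lines


if __name__ == "__main__":
    matches, bans = simulate_jail(build_samples())
    print(f"failregex matches (fail2ban-regex view): {matches}")
    print(f"bans the jail would issue: {bans}")
```

On the constructed sample the regex view reports 10 matches, yet only one host is banned: the five matches from 198.51.100.7 are real failregex hits but never fall within the same 60-second window, which is exactly the situation where fail2ban-regex looks busy while a jail with findtime 60 stays quiet. To compare against a real log, feed it `open('/opt/traefik/logs/access.log')` and watch whether any host's failures cluster inside the window.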