我正在尝试创建一个匹配的fail2ban过滤器成功的身份验证。示例日志条目如下所示:
[2023-05-25 18:41:00] VERBOSE[26149] res_pjsip/pjsip_options.c: Contact user/sip:[email protected]:47682;transport=ws;x-ast-orig-host=b0cnalpndgjm.invalid:0 is now Reachable. RTT: 27.843 msec
我并不精通创建 fail2ban 过滤器,但这是我的尝试(我首先将 filter.d 中的 asterisk.conf 复制到 asterisk-whitelist.conf 以用作模板,然后更改 failregex 以尝试匹配上述行):
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = asterisk
__pid_re = (?:\s*\[\d+\])
iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}
# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?
prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$
failregex = ^Contact [A-Za-z0-9]+/sip:[A-Za-z0-9]+@<HOST>:[0-9]+;transport=[A-Za-z]+;[A-Za-z]+=[A-Za-z0-9\.]+:0 is now Reachable\. RTT: [0-9]*\.[0-9]+ msec$
ignoreregex =
以上方法不起作用。我不太清楚如何解决此问题,或者需要进行哪些更改才能匹配。结果fail2ban-regex /var/log/asterisk/full asterisk-whitelist.conf显示 0 个匹配项。
已更新,在已接受答案的帮助下添加了最终解决方案。以下是最终对我有用的配置:
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = asterisk
__pid_re = (?:\s*\[\d+\])
iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}
# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING|VERBOSE)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?
prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$
failregex = ^.*Contact .*\/sip[s]?:.*@<HOST>.* is now Reachable.*
ignoreregex =
答案1
你的正则表达式太复杂且错误,请尝试这个failregex = ^.*Contact .*\/sip:[^@]+@<HOST>.* is now Reachable.*
你可以用以下方法测试fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk-whitelist.conf
编辑:让我们尝试别的东西,让我们用这个conf替换的内容asterisk-whitelist.conf,它应该与您提供的日志相匹配。
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = asterisk
__pid_re = (?:\s*\[\d+\])
iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}
# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?
prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$
failregex = ^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\] %(__pid_re)s res_pjsip/pjsip_options\.c: Contact user/sip:[^@]+@<HOST>:\d+;transport=[\w-]+;x-ast-orig-host=[\w.-]+:0 is now Reachable\. RTT: \d+\.\d+ msec$
ignoreregex =