使用此配置,服务(fail2ban
)启动时,日志文件会记录错误尝试,但仍不会对中的尝试进行计数fail2ban-client
。我怀疑正则表达式存在问题,但这是服务fail2ban
启动时使用的唯一正则表达式。我尝试了不同文章中的几种方法,包括来自此站点的一篇文章和另一篇文章,但服务无法启动。如果我没有以适当的方式组织问题,我深表歉意。
fail2ban-client status samba
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/samba/auth_json_audit.log
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
和cat /var/log/samba/auth_json_audit.log
{“timestamp”:“2023-09-29T04:25:46.305161-0400”,“type”:“身份验证”,“身份验证”:{“version”:{“major”:1,“minor”:2},“eventId”:4625,“logonId”:“0”,“logonType”:3,“status”:“NT_STATUS_NO_SUCH_USER”,“localAddress”:“ipv4:192.168.2.238:445”,“remoteAddress”:“ipv4:192.168.2.196:21997”,“serviceDescription”:“SMB2”,“authDescription”:null,“clientDomain”:“。”,“clientAccount”:“wronguser”,“workstation”:“HOME”,“becameAccount”:null,“becameDomain”:null,“becameSid”:null,“mappedAccount”: “wronguser”、 “mappedDomain”:“。”、 “netlogonComputer”:null、 “netlogonTrustAccount”:null、 “netlogonNegotiateFlags”:“0x00000000”、“netlogonSecureChannelType”:0、 “netlogonTrustAccountSid”:null、 “passwordType”:“NTLMv2”、“duration”:2776}}
和cat /etc/fail2ban/jail.d/samba.conf
[samba]
enabled = true
port = 88,135,139,389,445,464,636,3328,3329
filter = samba
logpath = /var/log/samba/auth_json_audit.log
maxretry = 5
findtime = 600
bantime = 600
我在一个论坛中找到了此正则表达式,该正则表达式可以启动服务,但不能注册。这是/etc/fail2ban/filter.d/samba.conf
:
[Definition]
#failregex = NT_STATUS_WRONG_PASSWORD.*remoteAddress": "ipv4:<HOST>:<PORT>"
failregex = NT_STATUS_NO_SUCH_USER.*remoteAddress": "ipv4:<HOST>:<PORT>" - not working too
这是我的/etc/samba/smb.conf
[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = rocky-8
security = user
map to guest = bad user
dns proxy = no
ntlm auth = true
encrypt passwords = yes
guest account = nobody
socket options = TCP_NODELAY IPTOS_LOWDELAY
#log file = /var/log/samba/log.%m
max log size = 1000
#hosts allow = 192.168.1. 127.
#hosts deny = ALL
log level = auth_json_audit:3@/var/log/samba/auth_json_audit.log
答案1
您的两个 RE 都无法工作,因为它们会查找包含 的序列<HOST>:<PORT>
。如果您重新阅读文档或一些现有的过滤器文件本身,您会发现<HOST>
这样的解释:
该标签
<HOST>
可用于标准 IP/主机名匹配,并且只是(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
但是,没有类似的定义,<PORT>
所以它会尝试匹配文字的六个字符串。
您的日志文件行均不包含该字符串<PORT>
,因此没有任何匹配项。您可以使用该fail2ban-regex
命令自行测试,这是创建或修改规则时推荐的做法。如果没有输出,则说明您的 RE 不匹配。
请尝试以下定义,如下所示参考文章:
[Definition]
failregex = NT_STATUS_WRONG_PASSWORD.*remoteAddress": "ipv4:<HOST>:"
failregex = NT_STATUS_NO_SUCH_USER.*remoteAddress": "ipv4:<HOST>:"
测试命令可以是:
fail2ban-regex --print-all-matched /var/log/samba/auth_json_audit.log 'NT_STATUS_WRONG_PASSWORD.*remoteAddress": "ipv4:<HOST>:\d+"'
fail2ban-regex --print-all-matched /var/log/samba/auth_json_audit.log 'NT_STATUS_NO_SUCH_USER.*remoteAddress": "ipv4:<HOST>:\d+"'
fail2ban
您可能需要重新阅读过滤器的文档https://fail2ban.readthedocs.io/en/latest/filters.html