I can't figure out how to write a regular expression to catch probing attempts on an nginx web server.
I want to make a filter that catches sites hitting certain files (by name) and/or PHP errors.
A sample from my log file looks like this:
2023/11/04 14:40:26 [error] 1341#1341: *46805 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 194.113.235.169, server: www.server.org, request: "GET /index2.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9999", host: "www.server.org", referrer: "https://www.server.org/index2.php"
I'm using a regex builder and came up with the following string:
\bPrimary|\bscript|\bunknown
which matches that phrase.
How do I build that into a fail2ban filter?
Logwatch also sends me a nice summary of the errors, and I'd like to be able to selectively add those to the filter.
Requests with error response codes
400 Bad Request
null: 60 Time(s)
\xC0/\xC00\xC0+\xC0,\xCC\xA8\xCC\xA9\xC0\x ... x09\xC0\x14\xC0: 11 Time(s)
*: 7 Time(s)
/: 6 Time(s)
google.com:443: 2 Time(s)
$\x11\xA2\x8D*^\xB5\xBB\x1D: 1 Time(s)
)Dxx\x1D'\xB7\x00\x00: 1 Time(s)
,c(\x0B\xF1: 1 Time(s)
/.env: 1 Time(s)
/api/v4/cloud/subscription/self-serve-status: 1 Time(s)
/basic_status: 1 Time(s)
/manager/html: 1 Time(s)
/manager/text/list: 1 Time(s)
/nginx_status: 1 Time(s)
/nginx_stub: 1 Time(s)
/private/api/v1/service/premaster: 1 Time(s)
/status: 1 Time(s)
/stub_status: 1 Time(s)
4\xE8%\x98w4\x0Bcry\xAA%\x82r\x0B&\x8B\x9D: 1 Time(s)
LM: 1 Time(s)
\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x ... x00\x00\x00\x00: 1 Time(s)
\x11\x97e\xDC\x0CD\xBA\xDFS\x00\x00*\xC0+\ ... xA8\xCC\xAA\xC0: 1 Time(s)
\xC0((+\x9B<8\xFA: 1 Time(s)
`\x0B!\xCE,\xD5}L7/nh&\x08+\xAB\xCA: 1 Time(s)
mstshash=Administr: 1 Time(s)
404 Not Found
/wp-content/plugins/WordPressCore/include.php: 7 Time(s)
/wp-content/plugins/core-plugin/include.php: 4 Time(s)
/wp-content/plugins/include.php: 4 Time(s)
/wp-content/themes/include.php: 4 Time(s)
/wp-includes/images/include.php: 4 Time(s)
/wp-includes/widgets/include.php: 4 Time(s)
/%25: 3 Time(s)
//wp-content/plugins/seoplugins/mar.php: 3 Time(s)
//wp-content/themes/seotheme/db.php?u: 3 Time(s)
//wp-content/themes/seotheme/mar.php: 3 Time(s)
/?author=2: 3 Time(s)
/admin/plugins/plupload/examples/upload.php: 3 Time(s)
/api/v4/emoji/name/%F0%9F%98%86: 3 Time(s)
/wp-content/themes/sketch/404.php: 3 Time(s)
/wp-login.php: 3 Time(s)
/.index.php: 2 Time(s)
/99vt: 2 Time(s)
/Res/login.html: 2 Time(s)
/aaaaaaaaaaaaaaaaaaaaaaaaaqr: 2 Time(s)
/actuator/gateway/routes: 2 Time(s)
/backup/: 2 Time(s)
/blog/: 2 Time(s)
/new/: 2 Time(s)
/old/: 2 Time(s)
/owa/auth/x.js: 2 Time(s)
/sitemap: 2 Time(s)
/sitemap.txt: 2 Time(s)
/sitemap.xml: 2 Time(s)
/style.php?sig=update&domain=51.79.124.111: 2 Time(s)
/temp/: 2 Time(s)
/test/: 2 Time(s)
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php: 2 Time(s)
/webui/: 2 Time(s)
/wordpress/: 2 Time(s)
/wp-content/plugins/drag-and-drop-multiple ... -upload-cf7.css: 2 Time(s)
/wp-content/plugins/wp-meta-and-date-remov ... js/inspector.js: 2 Time(s)
/wp-content/themes/seotheme/db.php?u: 2 Time(s)
/wp/: 2 Time(s)
/.git/config: 1 Time(s)
/.well-known/: 1 Time(s)
/.well-knownold/: 1 Time(s)
//wp-content/plugins/WordPressCore/include.php: 1 Time(s)
//wp-content/plugins/fix/up.php: 1 Time(s)
/99vu: 1 Time(s)
/?author=3: 1 Time(s)
/?author=4: 1 Time(s)
/ACio: 1 Time(s)
/KjDKeIsQhh.php: 1 Time(s)
/Login.jsp: 1 Time(s)
/Telerik.Web.UI.WebResource.axd?type=rau: 1 Time(s)
/ab2g: 1 Time(s)
/ab2h: 1 Time(s)
/actuator/health: 1 Time(s)
/admin/: 1 Time(s)
/admin/ckeditor/kcfinder/upload.php: 1 Time(s)
/admin/events/lib/external/responsive_file ... ager/dialog.php: 1 Time(s)
/admin/filemanager/dialog.php: 1 Time(s)
/admin/js/kcfinder/upload.php: 1 Time(s)
/admin/responsive_filemanager/filemanager/dialog.php: 1 Time(s)
/ads.txt: 1 Time(s)
/api/session/properties: 1 Time(s)
/app/rest/users/id:1/tokens/RPC2: 1 Time(s)
/assets/elfinder/elfinder.html: 1 Time(s)
/assets/filemanager/dialog.php: 1 Time(s)
/assets/js/kcfinder/upload.php: 1 Time(s)
/assets/plugins/elfinder/elfinder.html: 1 Time(s)
/assets/plugins/kcfinder/upload.php: 1 Time(s)
/assets/responsive_filemanager/filemanager/dialog.php: 1 Time(s)
/assets/scripts/filemanager/dialog.php: 1 Time(s)
/autodiscover/autodiscover.json?@zdi/Powershell: 1 Time(s)
/autodiscover/autodiscover.json?a..foo.var ... ol=%50owershell: 1 Time(s)
/backup: 1 Time(s)
/basic_status: 1 Time(s)
/bc: 1 Time(s)
/bk: 1 Time(s)
/cf_scripts/scripts/ajax/ckeditor/ckeditor.js: 1 Time(s)
/cgi-bin/authLogin.cgi: 1 Time(s)
/cgi-bin/config.exp: 1 Time(s)
/cgi-bin/vitogate.cgi: 1 Time(s)
/cm3Z: 1 Time(s)
/cms/tinymce/filemanager/filemanager/dialog.php: 1 Time(s)
/cms/vendor/responsive_filemanager/filemanager/dialog.php: 1 Time(s)
/config.json: 1 Time(s)
/dview8/api/usersByLevel: 1 Time(s)
/editor/filemanager/dialog.php: 1 Time(s)
/favicon-32x32.png: 1 Time(s)
/file-manager/: 1 Time(s)
/file-manager/backend/makefile: 1 Time(s)
/file-manager/backend/permissions: 1 Time(s)
/file-manager/backend/text: 1 Time(s)
/geoserver/web/: 1 Time(s)
/graph_view.php?action=tree_content&node=1 ... %2810%29%3B--+-: 1 Time(s)
/hejwjpam.php?Fox=d3wL7: 1 Time(s)
/home: 1 Time(s)
/humans.txt: 1 Time(s)
/index.php: 1 Time(s)
/index2.php: 1 Time(s)
/info.php: 1 Time(s)
/js/fileManager/filemanager/dialog.php: 1 Time(s)
/js/kcfinder/upload.php: 1 Time(s)
/js/tinymce4/plugins/filemanager/dialog.php: 1 Time(s)
/lib/filemanager/dialog.php: 1 Time(s)
/main: 1 Time(s)
/media/filemanager/dialog.php: 1 Time(s)
/new: 1 Time(s)
/nginx_status: 1 Time(s)
/nginx_stub: 1 Time(s)
/old: 1 Time(s)
/owa/: 1 Time(s)
/owa/auth.owa: 1 Time(s)
/plugins/content/apismtp/apismtp.php?test=hello: 1 Time(s)
/plugins/kcfinder/upload.php: 1 Time(s)
/plugins/responsive_filemanager/filemanager/dialog.php: 1 Time(s)
/po-admin/filemanager/dialog.php: 1 Time(s)
/po-content/filemanager/dialog.php: 1 Time(s)
/public/filemanager/dialog.php: 1 Time(s)
/public/js/libraries/filemanager/dialog.php: 1 Time(s)
/public/scripts/filemanager/dialog.php: 1 Time(s)
/remote/login: 1 Time(s)
/resources/plugins/tiny_mce/plugins/filemanager/dialog.php: 1 Time(s)
/responsive_filemanager/filemanager/dialog.php: 1 Time(s)
/server-status: 1 Time(s)
/showLogin.cc: 1 Time(s)
/solr/: 1 Time(s)
/static/historypage.js: 1 Time(s)
/sugar_version.json: 1 Time(s)
/t4: 1 Time(s)
/telescope/requests: 1 Time(s)
/tinymce/filemanager/dialog.php: 1 Time(s)
/tutor/filter?searched_word&searched_tutio ... ed_duration[]=0: 1 Time(s)
/vendor/phpunit/phpunit/phpunit.xml: 1 Time(s)
/version: 1 Time(s)
/webfig/: 1 Time(s)
/wordpress: 1 Time(s)
/wp: 1 Time(s)
/wp-admin/: 1 Time(s)
/wp-admin/css/colors/blue/blue.php?wall=ZW ... EJvdCI7Pz4nKTs=: 1 Time(s)
/wp-config._1: 1 Time(s)
/wp-config._2: 1 Time(s)
/wp-config._backup: 1 Time(s)
/wp-config.back: 1 Time(s)
/wp-config.php__: 1 Time(s)
/wp-config.php______: 1 Time(s)
/wp-config.php__olds: 1 Time(s)
/wp-config.php_backup: 1 Time(s)
/wp-config.php_old2003: 1 Time(s)
/wp-config.php_old2004: 1 Time(s)
/wp-config.php_old2005: 1 Time(s)
/wp-config.php_old2007: 1 Time(s)
/wp-config.php_old2009: 1 Time(s)
/wp-config.php_old2010: 1 Time(s)
/wp-config.php_old2011: 1 Time(s)
/wp-config.php_old2016: 1 Time(s)
/wp-config.php_old2018: 1 Time(s)
/wp-config.php_old2019: 1 Time(s)
/wp-config.php_old2020: 1 Time(s)
/wp-config.php_old2022: 1 Time(s)
/wp-config.php_old2023: 1 Time(s)
/wp-config.php_original: 1 Time(s)
/wp-config.phpc: 1 Time(s)
/wp-config.phpd: 1 Time(s)
/wp-config.phpn: 1 Time(s)
/wp-config.phpnew: 1 Time(s)
/wp-config.phpold: 1 Time(s)
/wp-config.phps: 1 Time(s)
/wp-config.php~1: 1 Time(s)
/wp-config.php~bk: 1 Time(s)
/wp-config.prod: 1 Time(s)
/wp-config.prod.php.txt: 1 Time(s)
/wp-config.production: 1 Time(s)
/wp-config.rej: 1 Time(s)
/wp-config.sav: 1 Time(s)
/wp-config.save: 1 Time(s)
/wp-config.save.1: 1 Time(s)
/wp-config.save.2: 1 Time(s)
/wp-config.stage: 1 Time(s)
/wp-config.sublime-project: 1 Time(s)
/wp-config.swn: 1 Time(s)
/wp-config.swo: 1 Time(s)
/wp-config.tar: 1 Time(s)
/wp-config.temp: 1 Time(s)
/wp-config.templ: 1 Time(s)
/wp-config.tmp: 1 Time(s)
/wp-config.uk: 1 Time(s)
/wp-config.un~: 1 Time(s)
/wp-config.us: 1 Time(s)
/wp-config.vb: 1 Time(s)
/wp-config.vbproj: 1 Time(s)
/wp-config.wp-config.php.swo: 1 Time(s)
/wp-config_good: 1 Time(s)
/wp-content/: 1 Time(s)
/wp-content/plugins/apikey/apikey.php?test=hello: 1 Time(s)
/wp-content/plugins/media-library-assistan ... ite/patrowl.svg: 1 Time(s)
/wp-content/plugins/media-library-assistant/readme.txt: 1 Time(s)
/wp-content/plugins/wordpresscore/include.php: 1 Time(s)
/wp-content/plugins/wp-stats-manager/includes/: 1 Time(s)
/wp-content/plugins/wp-stats-manager/languages/: 1 Time(s)
/wp-content/plugins/wp-stats-manager/notifications.php: 1 Time(s)
/wp-content/themes/themify-ultra/style.css: 1 Time(s)
/wp-content/themes/twentytwentythree/index.php: 1 Time(s)
/wp-content/upgrade/: 1 Time(s)
/wp-content/upgrade/upfile.php: 1 Time(s)
/wp-content/uploads/: 1 Time(s)
/wp-includes/: 1 Time(s)
/wp-includes/autoload_classmap.php: 1 Time(s)
/wp-json/wp/v2/users/2: 1 Time(s)
/wp-json/wp/v2/users/4: 1 Time(s)
/wp-json/wp/v2/users/5: 1 Time(s)
/wp-plain.php: 1 Time(s)
Sample error log entry:
31.208.250.224 - - [04/Nov/2023:20:44:57 -0400] "GET /wp-config._backup HTTP/1.1" 404 5056 "https://www.server.blog//wp-config._backup" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
To summarise:
- I'd like help making a filter that catches "Primary script unknown"
- I'd like help making a filter that catches the 404 errors from probes of the server, starting with wp-config, and adding/extending the list as it grows (e.g. the .env file)
- Are there any good references for learning the black magic of regular expressions? I've browsed various sites but still don't get all the magic.
I'd be very grateful for any help. Thanks.
Answer 1
failregex = ^.*, client: <HOST>.*(Credit-private.php).*$
            ^.*, client: <HOST>.*(admin.php).*$
            ^.*, client: <HOST>.*(fm1.php).*$
            ^.*, client: <HOST>.*(M1.php).*$
            ^.*, client: <HOST>.*(style.php).*$
            ^.*, client: <HOST>.*(wp-blog.php).*$
The regex patterns above will find the offending entries. However, it doesn't seem to be able to find it in one part of the log message, at least according to the regex tester.
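As an added example (not part of the question or of Answer 1), here is a small Python harness that does locally what an online regex tester can't: it parses two fail2ban-style `[Definition]` sections, one for the nginx error log ("Primary script unknown") and one for the access log (404s on wp-config, .env and similar probe paths), expands `<HOST>`, and runs them over sample lines. Everything in it is assumed for the demo: the `<HOST>` expansion is a simplified stand-in for fail2ban's real one, the `probes` variable and the "Monitoring-Bot" user agent used to show `ignoreregex` are made up, and the log lines are constructed with RFC 5737 documentation addresses rather than taken from anyone's server.

```python
import configparser
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the real
# substitution is broader and also covers IPv6 and hostnames properly).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+)"

# Filter for the nginx error log. fail2ban cuts the timestamp out of the line
# before applying failregex, so the pattern must not rely on the date prefix.
ERROR_LOG_FILTER = r"""
[Definition]
failregex = ^.*FastCGI sent in stderr: "Primary script unknown".*client: <HOST>,.*$
ignoreregex =
"""

# Filter for the nginx access log: 404s for probe paths. Grow the `probes`
# alternation (a made-up variable name) as Logwatch shows new paths; the
# ignoreregex shows how to exempt a known scanner of your own.
ACCESS_LOG_FILTER = r"""
[Definition]
probes = wp-config[\w.~_-]*|\.env|\.git/config|vendor/phpunit/
failregex = ^<HOST> - \S+ \[[^\]]+\] "(?:GET|POST|HEAD) /+(?:%(probes)s)[^"]*" 404 .*$
ignoreregex = ^<HOST> .*"Monitoring-Bot"$
"""

# Constructed sample lines (documentation IPs, invented hostnames).
ERROR_LOG_SAMPLE = [
    '2023/11/04 14:40:26 [error] 1341#1341: *46805 FastCGI sent in stderr: '
    '"Primary script unknown" while reading response header from upstream, '
    'client: 198.51.100.23, server: www.example.org, request: "GET /index2.php HTTP/1.1", '
    'upstream: "fastcgi://127.0.0.1:9999", host: "www.example.org"',
    '2023/11/04 14:41:02 [error] 1341#1341: *46810 open() "/var/www/html/favicon.ico" '
    'failed (2: No such file or directory), client: 203.0.113.7, server: www.example.org, '
    'request: "GET /favicon.ico HTTP/1.1"',
]
ACCESS_LOG_SAMPLE = [
    '203.0.113.7 - - [04/Nov/2023:20:44:57 -0400] "GET /wp-config._backup HTTP/1.1" 404 5056 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Nov/2023:20:44:58 -0400] "GET //wp-content/plugins/fix/up.php HTTP/1.1" 404 5056 "-" "Mozilla/5.0"',
    '198.51.100.44 - - [04/Nov/2023:20:45:10 -0400] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.0"',
    '192.0.2.10 - - [04/Nov/2023:20:45:30 -0400] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '192.0.2.200 - - [04/Nov/2023:20:46:00 -0400] "GET /wp-config.php~bk HTTP/1.1" 404 5056 "-" "Monitoring-Bot"',
]


def load_filter(filter_text):
    """Parse a fail2ban-style [Definition] section into (failregex, ignoreregex) lists."""
    cp = configparser.ConfigParser()  # %(name)s interpolation, like fail2ban
    cp.read_string(filter_text)
    section = cp["Definition"]

    def compile_all(key):
        raw = section.get(key, "")
        # One regex per non-empty line; <HOST> becomes a named capture group.
        return [re.compile(p.strip().replace("<HOST>", HOST_RE))
                for p in raw.splitlines() if p.strip()]

    return compile_all("failregex"), compile_all("ignoreregex")


def find_offenders(filter_text, lines):
    """Return (host, line) for each line a failregex matches and no ignoreregex matches."""
    failregex, ignoreregex = load_filter(filter_text)
    hits = []
    for line in lines:
        line = line.rstrip("\n")
        if any(rx.search(line) for rx in ignoreregex):
            continue  # exempted, exactly as fail2ban would skip it
        for rx in failregex:
            m = rx.search(line)
            if m:
                hits.append((m.group("host"), line))
                break  # first matching failregex wins
    return hits


if __name__ == "__main__":
    for name, flt, sample in (("error.log", ERROR_LOG_FILTER, ERROR_LOG_SAMPLE),
                              ("access.log", ACCESS_LOG_FILTER, ACCESS_LOG_SAMPLE)):
        for host, line in find_offenders(flt, sample):
            print(f"{name}: ban candidate {host}: {line[:70]}...")
```

Running it flags 198.51.100.23 from the error log and 203.0.113.7 and 198.51.100.44 from the access log; the `//wp-content/plugins/fix/up.php` line is not flagged because that path is not yet in `probes`, which is the place to extend as the Logwatch list grows, and the `Monitoring-Bot` line is dropped by `ignoreregex`. The `^<HOST> - \S+ \[...\]` prefix is what ties the access-log match to the client column; in the error log the address follows `client:`, so the two filters need different anchors. Once a pattern behaves here, the authoritative check is fail2ban's own `fail2ban-regex <logfile> <filterfile>`, which applies the real `<HOST>` expansion and date stripping, and the 404 filter needs its own jail whose `logpath` points at the access log rather than the error log.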