esse problema me deixa louco. Configurei uma prisão para evitar postagens http excessivas em meu servidor web.
Parece que o servidor fail2ban aceita minha nova prisão, mas nada entra em vigor no servidor fail2ban.
A seguir estão parte da minha configuração jail.local (sshd em fail2ban funciona perfeitamente, aliás).
#global setting
bantime = 1h
findtime = 1h
maxretry = 5
backend = systemd
banaction = firewallcmd-rich-rules[actiontype=]
banaction_allports = firewallcmd-rich-rules[actiontype=]
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
[webpost]
enabled = true
filter = webpost
logpath = /var/log/message
A seguir está o webpost.conf na pasta filter.d/:
[Definition]
failregex = ^.*myserver python3.6\[.*\]: <HOST> - - \[.*\] ".*POST \/enquiry HTTP.*".*-$
ignoreregex =
datepattern = ^%%b %%d %%H:%%M:%%S
O teste regex no fail2ban está funcionando, a saída está abaixo:
fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/webpost.conf
Running tests
=============
Use failregex filter file : webpost, basedir: /etc/fail2ban
Use datepattern : ^%b %d %H:%M:%S : ^MON Day 24hour:Minute:Second
Use log file : /var/log/messages
Use encoding : UTF-8
Results
=======
Failregex: 115 total
|- #) [# of hits] regular expression
| 1) [115] ^.*myserver python3.6\[.*\]: <HOST> - - \[.*\] ".*POST \/enquiry HTTP.*".*-$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [115989] ^MON Day 24hour:Minute:Second
`-
Lines: 115989 lines, 0 ignored, 115 matched, 115874 missed
[processed in 2.65 sec]
O log do fail2ban também mostra tudo carregado e funcionando bem.
2023-09-07 17:27:09,868 fail2ban.filtersystemd [969]: NOTICE [webpost] Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2023-09-07 17:27:10,061 fail2ban.filtersystemd [969]: INFO [webpost] Jail is in operation now (process new journal entries)
2023-09-07 17:27:10,063 fail2ban.jail [969]: INFO Jail 'webpost' started
Depois de enviar muitas solicitações de postagem http para o meu site e parece que o fail2ban não detectou nenhuma postagem http de /var/log/message. O fail2ban detecta apenas as tentativas de sshd. NENHUM webpost detecta nada!
2023-09-07 17:36:46,206 fail2ban.filter [969]: INFO [sshd] Found 180.101.88.228 - 2023-09-07 17:36:45
2023-09-07 17:36:48,739 fail2ban.filter [969]: INFO [sshd] Found 180.101.88.228 - 2023-09-07 17:36:48
2023-09-07 17:36:52,034 fail2ban.filter [969]: INFO [sshd] Found 180.101.88.228 - 2023-09-07 17:36:51
2023-09-07 17:36:55,241 fail2ban.filter [969]: INFO [sshd] Found 180.101.88.228 - 2023-09-07 17:36:54
2023-09-07 17:37:57,290 fail2ban.filter [969]: INFO [sshd] Found 180.101.88.228 - 2023-09-07 17:37:56
2023-09-07 17:37:57,769 fail2ban.actions [969]: NOTICE [sshd] Ban 180.101.88.228
2023-09-07 17:37:57,795 fail2ban.filter [969]: INFO [pam-generic] Found 180.101.88.228 - 2023-09-07 17:37:57
2023-09-07 17:37:59,280 fail2ban.filter [969]: INFO [sshd] Found 180.101.88.228 - 2023-09-07 17:37:58
Não sei onde está o problema.
Responder1
fail2ban.filtersystemd [969]: NOTICE [webpost] Jail started without 'journalmatch' set...
Seu padrão backend
parece ser systemd
, o que significa que ele monitoraria o diário do systemd e não o caminho do log.
Basta adicionar backend = auto
à prisão:
[webpost]
...
logpath = /var/log/message
+ backend = auto