Fail2Ban custom filter not being applied

I tried to create a custom jail rule in fail2ban, but it never gets applied.

I could not find any official documentation for this, so I may be missing something.

/etc/fail2ban/filter.d/expressjs.conf

[Definition]
failregex = .* from ip <HOST>

/etc/fail2ban/jail.conf

[express-js]
enabled  = true
filter   = expressjs
logpath  = /var/log/expressjs/slowin-killer.log
maxretry = 5
bantime  = 3600
findtime = 600

/var/log/expressjs/slowin-killer.log

[20-5-2017 20:49:57] Failed to authentificate user "[email protected]" from ip 127.0.0.1
[20-5-2017 20:57:19] Failed to authentificate user "[email protected]" from ip 127.0.0.1
[20-5-2017 20:59:20] Failed to authentificate user "[email protected]" from ip 127.0.0.1
[20-5-2017 21:12:47] Failed to authentificate user "[email protected]" from ip 127.0.0.1
[20-5-2017 21:16:9] Failed to authentificate user "[email protected]" from ip 127.0.0.1

There is no error message, and the jail does seem to be active...

$ fail2ban-client status expressjs
Status for the jail: expressjs
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list:    /var/log/expressjs/slowin-killer.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:   

Strangely enough, the regex is fine...

fail2ban-regex /var/log/expressjs/slowin-killer.log /etc/fail2ban/filter.d/expressjs.conf

Running tests
=============

Use   failregex filter file : expressjs, basedir: /etc/fail2ban
Use         log file : /var/log/expressjs/slowin-killer.log
Use         encoding : UTF-8


Results
=======

Failregex: 27 total
|-  #) [# of hits] regular expression
|   1) [27] .* from ip <HOST>
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [34] Day(?P<_sep>[-/])Month(?P=_sep)(?:Year|Year2) 24hour:Minute:Second
|  [1] (?:DAY )?MON Day Year 24hour:Minute:Second(?:\.Microseconds)?
`-

Lines: 162 lines, 0 ignored, 27 matched, 135 missed
[processed in 0.01 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 135 lines

Answer 1

For the filter to work properly, you are missing a few things that need to be fixed:

  1. Inside your expressjs.conf you have set findtime = 600 and maxretry = 5, meaning that within a 10-minute (600 second) window you will need 5 failed attempts (regex matches) to generate the automatic block/reject iptables rule. From the jail.conf man page:

       findtime
              time interval (in seconds) before the current time where failures will count towards a ban.

       maxretry
              number of failures that have to occur in the last findtime seconds to ban then IP.

     Looking at your log, there is more than 10 minutes between the first and the last log entry (5 attempts) of the log you pasted here. First: 20:49, last: 21:16.

  2. All of your log entries come from 127.0.0.1. If you look inside the [DEFAULT] block of jail.conf, you will find ignoreip = 127.0.0.1/8 configured by default. Unless you have changed this, note that blocking the localhost address is very dangerous, because it will break other software that uses that address for internal communication.

  3. expressjs.conf has no datepattern = setting configured, so fail2ban cannot guess which part of the log file is the date. Take a look at some examples in the files under /etc/fail2ban/filter.d and you will find date regexes such as datepattern = ^L %%d/%%m/%%Y - %%H:%%M:%%S or datepattern = ^%%Y:%%m:%%d-%%H:%%M:%%S. The other problem here is that the "second" part of your log date has no trailing zero for sec < 10 (e.g. 21:16:9 in your last log line), which needs to be fixed.

Take a look at the official Fail2ban wiki for examples and improve your filter. You have quite a few things to fix.
