為fail2ban失敗創建自己的過濾器

tag-icon tag-icon logging fail2ban filter
為fail2ban失敗創建自己的過濾器

我正在 kubernetes 中玩fail2ban。為此,我建立了一個建立虛假日誌訊息的 pod: 2021-08-04 18:33:13 驗證失敗 15.15.15.15 我建立了一個自訂篩選器,以測試 failed2ban 是否正常運作。我首先嘗試使用包含 10 行日誌訊息的檔案來使用fail2ban-regex util,並得到以下輸出:

Running tests
=============

Use   failregex filter file : test, basedir: /etc/fail2ban
Use         log file : /logs.txt
Use         encoding : UTF-8


Results
=======

Failregex: 10 total
|-  #) [# of hits] regular expression
|   1) [10] \sAuthentication failed\s<HOST>
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [10] ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 10 lines, 0 ignored, 10 matched, 0 missed
[processed in 0.12 sec]

但是當我對包含連續日誌的文件嘗試相同的過濾器時,我收到此錯誤:

Running tests
=============

Use   failregex filter file : test, basedir: /etc/fail2ban
Use         log file : /logs/kubernetes.logs
Use         encoding : UTF-8

Traceback (most recent call last):
 File "/usr/bin/fail2ban-regex", line 34, in <module>
   exec_command_line()
 File "/usr/lib/python3.8/site-packages/fail2ban/client/fail2banregex.py", line 836, in exec_command_line
   if not fail2banRegex.start(args):
 File "/usr/lib/python3.8/site-packages/fail2ban/client/fail2banregex.py", line 776, in start
   self.process(test_lines)
 File "/usr/lib/python3.8/site-packages/fail2ban/client/fail2banregex.py", line 584, in process
   line_datetimestripped, ret, is_ignored = self.testRegex(line)
 File "/usr/lib/python3.8/site-packages/fail2ban/client/fail2banregex.py", line 456, in testRegex
   found = self._filter.processLine(line, date)
 File "/usr/lib/python3.8/site-packages/fail2ban/server/filter.py", line 613, in processLine
   timeMatch = self.dateDetector.matchTime(line)
 File "/usr/lib/python3.8/site-packages/fail2ban/server/datedetector.py", line 368, in matchTime
   (line[distance] == self.__lastPos[2] and not self.__lastPos[2].isalnum())
IndexError: string index out of range

當我啟動fail2ban過濾器時,我沒有禁止IP,所以我想,我的過濾器不起作用,但我找不到錯誤。

過濾器.conf:

[Definition]

failregex = \sAuthentication failed\s<HOST>

答案1

這是已知的錯誤(已在中間修復),請參閱https://github.com/fail2ban/fail2ban/issues/3020

但實際原因是日期模式不精確,時間戳記不完整(預設日期模式集匹配)或某些行根本沒有時間戳。解決方案將是更新或(更好)盡可能精確的日期模式,並且在最好的情況下錨定在開始(或結束)。

相關內容