fail2ban regex pattern for apache logs

Time: 2014-03-19 19:46:07

Tags: regex linux iptables

I can't get a regex pattern to work with fail2ban. Our server is being hit by sqlmap penetration tests, and I would like to be able to ban these IPs when they show up in the log. From other examples I've seen, it seems I don't have to try to match every part of the log entry, but can just search for a word or string. I can't seem to get the pattern right. Any help is appreciated. Thanks

Current filter:

# Fail2Ban configuration file
#
# Bans any scanning with the tool sqlmap.
#

[Definition]
# Option:  failregex
# Notes.:  Regexp to match the use of sqlmap.
# Values:  TEXT
#
failregex = <HOST> [[] client []] (sqlmap)

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Sample log entries:

[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:08:51 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:08:53 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:08:55 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:08:58 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:08:59 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:01 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:03 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:05 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:06 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:08 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:10 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:11 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:13 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:15 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:16 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:18 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:19 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:21 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:23 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:25 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:27 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:29 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:31 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:33 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:35 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:37 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:39 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:41 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:43 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:45 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:46 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"

1 Answer:

Answer 0 (score: 2)

You need to consider what behaviour you want to classify as an attack. Relying on the sqlmap user agent is a bad idea, because it can easily be changed with a command-line argument. It may protect you against pentesting services, but not against a real attacker. That is exactly the situation you want to avoid!

Ideally, you should modify the PHP script to log a special message if it cannot parse its parameters or suspects an injection attack. Then you can write a regex to match that log entry and ban the attacker with a low retry count. Otherwise, you can only match on HTTP status 403 (Forbidden). It may also be worth looking at other HTTP error codes.

Sample log line:

[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:46 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"

Sample filter:

failregex = []] <HOST> .*HTTP/[0-9.]+" 403

This will match all HTTP 403 errors on your site. The `[]]` matches the literal `]` at the end of `[www.domain.com]`, so in your example HOST will be 192.168.2.12.

You can use fail2ban-regex on the command line to develop the regex further to suit your needs:

fail2ban-regex '[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:09:35 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"' '[]] <HOST> .*HTTP/[0-9.]+" 403'
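To see why the question's pattern never fires while the answer's 403 pattern does, and why the answer warns against keying on the user agent, here is an added Python example (not part of the question or answer, and not fail2ban's own code). It models fail2ban's matching in a simplified way: the `<HOST>` tag is expanded to a named capture group using fail2ban's classic IPv4-style host expression (assumed here; real fail2ban also handles hostnames and IPv6 and strips the date first), each line is searched with the expanded pattern, and hits are counted per host against a `maxretry` threshold. The first two log lines are taken from the question; the remaining lines are constructed for this example.

```python
import re
from collections import Counter

# fail2ban substitutes its <HOST> tag with a capture group named "host".
# This is the classic expansion fail2ban used for IPv4 addresses/hostnames
# (assumption: a simplified stand-in for the real, more elaborate one).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The three patterns under discussion, exactly as they would appear in a filter.
ASKER_REGEX = r"<HOST> [[] client []] (sqlmap)"      # the question's non-working attempt
ANSWER_REGEX = r'[]] <HOST> .*HTTP/[0-9.]+" 403'      # the answer's 403-based filter
UA_REGEX = r'[]] <HOST> .*"sqlmap/'                   # user-agent keyed filter (for comparison)

# Constructed sample log: two lines copied from the question, then a 403 from the
# same host with a changed user agent, a 403 from a second host, and a normal 200.
SAMPLE_LINES = [
    '[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:08:51 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:08:53 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '[www.domain.com] 192.168.2.12 - - [19/Mar/2014:05:08:55 -0600] - "POST /lost_password.php HTTP/1.1" 403 317 "-" "Mozilla/5.0"',
    '[www.domain.com] 198.51.100.7 - - [19/Mar/2014:05:10:01 -0600] - "GET /admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '[www.domain.com] 203.0.113.5 - - [19/Mar/2014:05:10:02 -0600] - "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Expand the <HOST> tag the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def count_hits(failregex: str, lines) -> dict:
    """Return {host: number of log lines matched} for the given failregex.

    fail2ban searches each log line (after stripping the date) and counts one
    failure per matching line for the captured host; this mirrors that.
    """
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return dict(hits)


def hosts_to_ban(failregex: str, lines, maxretry: int = 3) -> list:
    """Hosts whose failure count reaches maxretry (fail2ban's ban condition)."""
    return sorted(host for host, n in count_hits(failregex, lines).items() if n >= maxretry)


if __name__ == "__main__":
    for name, regex in [("asker", ASKER_REGEX), ("answer", ANSWER_REGEX), ("user-agent", UA_REGEX)]:
        print(f"{name:10s} {regex!r}")
        print("    hits:", count_hits(regex, SAMPLE_LINES))
        print("    ban (maxretry=3):", hosts_to_ban(regex, SAMPLE_LINES, maxretry=3))
```

Running it shows the question's pattern matching nothing (the lines contain no `[ client ]` text), the answer's pattern counting every 403 regardless of user agent, and the user-agent pattern missing the third line from 192.168.2.12 once the agent string changes, which is the gap the answer is pointing at. The same three patterns can be handed to the real `fail2ban-regex` command shown above to confirm the behaviour against fail2ban's actual matcher.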