Question

我使用的是fail2ban。出于某种原因，Fail2Ban拒绝编译我的正则表达式。这是我需要匹配的日志：

root@server1:/etc/fail2ban/filter.d# tail /var/log/apache2/error.log
[Sun Apr 20 10:40:05 2014] [error] [client 75.144.181.151] user root: authentication failure for "/phpmyadmin/": Password Mismatch
[Sun Apr 20 10:40:16 2014] [error] [client 75.144.181.151] user root: authentication failure for "/phpmyadmin/": Password Mismatch
[Sun Apr 20 10:40:38 2014] [error] [client 75.144.181.151] user haker not found: /phpmyadmin/
[Sun Apr 20 10:40:44 2014] [error] [client 75.144.181.151] user pentest not found: /phpmyadmin/

这是我的fail2ban filter.d 文件：

root@server1:/etc/fail2ban/filter.d# cat /etc/fail2ban/filter.d/phpmyadmin.conf
[Definition]
failregex = [client <HOST>;] user .*; not found: \/phpmyadmin\/|[client <HOST>;] user root: authentication failure for "\/phpmyadmin\/":
ignoreregex =

这是我上面文件中的正则表达式行：

[client <HOST>;] user .*; not found: \/phpmyadmin\/|[client <HOST>;] user root: authentication failure for "\/phpmyadmin\/":

不幸的是，fail2ban日志文件给出了关于正则表达式的错误：无法编译正则表达式..

root@server1:/etc/fail2ban# tail /var/log/fail2ban.log
2014-04-20 10:47:06,788 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error.log
2014-04-20 10:47:06,789 fail2ban.filter : INFO   Set maxRetry = 3
2014-04-20 10:47:06,789 fail2ban.filter : INFO   Set findtime = 600
2014-04-20 10:47:06,790 fail2ban.actions: INFO   Set banTime = 600
2014-04-20 10:47:06,790 fail2ban.filter : ERROR  Unable to compile regular expression '[client (?:::f{4,6}:)?(?P<host>[\w\-.^_]+);] user .*; not found: \/phpmyadmin\/|[client (?:::f{4,6}:)?(?P<host>[\w\-.^_]+);] user root: authentication failure for "\/phpmyadmin\/":'
2014-04-20 10:47:06,794 fail2ban.jail   : INFO   Jail 'ssh' started
2014-04-20 10:47:06,799 fail2ban.jail   : INFO   Jail 'pureftpd' started
2014-04-20 10:47:06,805 fail2ban.jail   : INFO   Jail 'phpmyadmin' started

我的正则表达式http://regex101.com/r/kU7tX3。这有什么问题？任何帮助表示赞赏。谢谢。

Answer 1

我会在评论中提出一个问题，但我无法添加评论：

因此，我尽力了解要求并给出答案。

要求：我认为您希望过滤所有包含的行＆＃34;＆＃34; / phpmyadmin /＆＃34;＆＃34;

的身份验证失败

您可以将正则表达式更改为以下内容：

failregex = .*authentication failure for "\/phpmyadmin\/"

你可能不得不逃避＆＃34;

如果没有正确理解，请添加评论.....

Fail2Ban正则表达式不匹配

1 个答案: