I am trying to protect my server against DDoS through xmlrpc.php.
I am using fail2ban, but the regex I found does not seem to work. Could you take a look:
Here is the log:
Aug 2 17:33:11 myserver pound:my.web.site 188.209.49.38 - - [02/Aug/2015:17:33:11 +0200] "POST /xmlrpc.php HTTP/1.0" 404 410 "" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
Aug 2 16:27:49 myserver pound: (7fec610c5700) e503 no back-end "POST /xmlrpc.php HTTP/1.0" from 185.62.188.25
filter.d/xmlrpc.conf
[Definition]
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =
jail.local
[xmlrpc]
enabled = true
filter = xmlrpc
action = iptables[name=xmlrpc, port=http, protocol=tcp]
logpath = /var/log/pound.log
bantime = 43600
maxretry = 2
and the test
fail2ban-regex /var/log/pound.log /etc/fail2ban/filter.d/xmlrpc.conf
/usr/share/fail2ban/server/filter.py:442: DeprecationWarning: the md5 module is deprecated; use hashlib instead
import md5
Running tests
=============
Use regex file : /etc/fail2ban/filter.d/xmlrpc.conf
Use log file : /var/log/pound.log
Results
=======
Failregex
|- Regular expressions:
| [1] ^<HOST> .*POST .*xmlrpc\.php.*
|
`- Number of matches:
[1] 0 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
=======
Sorry, no match
Look at the above section 'Running tests' which could contain important
information.
root@myserver:/etc/fail2ban#
Any ideas?
Thanks
Answer 0 (score: 0)
I edited the log format, so now I have this kind of log
Aug 3 06:25:51 ns111111 pound: 141.101.96.94 POST /xmlrpc.php HTTP/1.1 - HTTP/1.1 200 OK
So I tried this, and it works:
fail2ban-regex 'Aug 3 06:25:51 ns111111 pound: 141.101.96.94 POST /xmlrpc.php HTTP/1.1 - HTTP/1.1 200 OK' 'ns111111 pound: <HOST> .*POST .*xmlrpc\.php.*'
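To see why the posted failregex gets zero matches while the unanchored one in the answer works, here is an added Python emulation of how fail2ban 0.8.x (the version the md5 warning points to) applies a failregex: it cuts the syslog date out of the line, expands <HOST>, and searches the remainder. This is not fail2ban's own code; the <HOST> expansion is reproduced from memory, the sample lines are the three quoted in this thread, and the alternative filter at the end is my suggestion, not something from the thread.

```python
import re

# fail2ban 0.8.x expands the <HOST> tag into this named group (quoted from memory,
# so treat the exact character class as an approximation of the real one).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# The syslog date template fail2ban matches first. It has no trailing space, so the
# remainder it hands to failregex still begins with a blank: "^<HOST>" can never match.
DATE_RE = re.compile(r"^\S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}")

# Constructed sample: the two Pound lines from the question and the one from the answer.
LOG_LINES = [
    'Aug 2 17:33:11 myserver pound:my.web.site 188.209.49.38 - - [02/Aug/2015:17:33:11 +0200] '
    '"POST /xmlrpc.php HTTP/1.0" 404 410 "" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"',
    'Aug 2 16:27:49 myserver pound: (7fec610c5700) e503 no back-end "POST /xmlrpc.php HTTP/1.0" from 185.62.188.25',
    'Aug 3 06:25:51 ns111111 pound: 141.101.96.94 POST /xmlrpc.php HTTP/1.1 - HTTP/1.1 200 OK',
]


def split_date(line):
    """Mimic fail2ban's processLine(): cut the matched date out and keep the rest verbatim."""
    m = DATE_RE.search(line)
    return line if m is None else line[:m.start()] + line[m.end():]


def matched_hosts(failregexes, lines):
    """Run a failregex list over the lines like fail2ban-regex; return each match's <HOST>."""
    patterns = [re.compile(r.replace("<HOST>", HOST_TAG)) for r in failregexes]
    hosts = []
    for line in lines:
        rest = split_date(line)
        for pat in patterns:
            m = pat.search(rest)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


# The question's filter as posted.
QUESTION_FAILREGEX = [r"^<HOST> .*POST .*xmlrpc\.php.*"]

# Alternative filter (my suggestion): swallow the leftover blank and the syslog hostname,
# then pin <HOST> to where Pound prints the client address in each of the three line shapes.
FIXED_FAILREGEX = [
    r'^\s*\S+ pound:\s*\S+ <HOST> - - \[[^\]]*\] "POST /xmlrpc\.php[^"]*"',
    r'^\s*\S+ pound: \(\w+\) e503 no back-end "POST /xmlrpc\.php[^"]*" from <HOST>$',
    r'^\s*\S+ pound: <HOST> POST /xmlrpc\.php ',
]
```

matched_hosts(QUESTION_FAILREGEX, LOG_LINES) returns an empty list, reproducing the "Sorry, no match" above, while the alternative list yields the three client addresses.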