Fail2ban命名拒绝failregex语法

时间:2016-02-08 13:05:25

标签: linux iptables named fail2ban

运行fail2ban-regex

fail2ban-regex /var/log/named/security1.log /etc/fail2ban/filter.d/named-refused.conf

我得到以下输出

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/named-refused.conf
Use log file   : /var/log/named/security1.log

Matched time template Day-MONTH-Year Hour:Minute:Second[.Millisecond]
Matched time template Day-MONTH-Year Hour:Minute:Second[.Millisecond]
Matched time template Day-MONTH-Year Hour:Minute:Second[.Millisecond]
Matched time template Day-MONTH-Year Hour:Minute:Second[.Millisecond]
Matched time template Day-MONTH-Year Hour:Minute:Second[.Millisecond]


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Summary
=======

Sorry, no match

以下是security1.log文件的一些输出

08-Feb-2016 11:38:15.324 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.326 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.326 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.326 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.326 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied

failregex是以下

failregex = %(__line_prefix)sclient <HOST>#\S+: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$

我认为我的security1.log的输出与named-rejected.conf文件的failregex语法之间存在差异,这使得它找不到任何内容。

提前致谢,

1 个答案:

答案 0 :(得分:1)

我按照你描述的方式运行我的Debian 8.2 fail2ban日志。

Results
=======

Failregex: 14 total
|-  #) [# of hits] regular expression
|   1) [14] ^(?:\s\S+ (?:(?:\[\d+\])?:\s+\(?named(?:\(\S+\))?\)?:?|\(?named(?:\(\S+\))?\)?:?(?:\[\d+\])?:)\s+)?(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [14] Day-MONTH-Year Hour:Minute:Second[.Millisecond]
`-

Lines: 14 lines, 0 ignored, 14 matched, 0 missed

因此,如果您感兴趣,我的发行版中的/etc/fail2ban/filter.d/named-refused.conf文件是:

[Definition]                                                                                                                                                                    

# Daemon name                                                                                                                                                                   
_daemon=named                                                                                                                                                                   

# Shortcuts for easier comprehension of the failregex                                                                                                                           

__pid_re=(?:\[\d+\])                                                                                                                                                            
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?                                                                                                                                     
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)                                                                                            

#       hostname       daemon_id         spaces                                                                                                                                 
# this can be optional (for instance if we match named native log files)                                                                                                        
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?                                                                                                                               

failregex = ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$                           
            ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$                                                     
            ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$                 

# DEV Notes:                                                                                                                                                                    
# Trying to generalize the                                                                                                                                                      
#          structure which is general to capture general patterns in log                                                                                                        
#          lines to cover different configurations/distributions                                                                                                                
#..........                                                                                                                                                                     
# (\.\d+)? is a really ugly catch of the microseconds not captured in the date detector                                                                                         
  #                                                                                                                                                                               
# Author: Yaroslav Halchenko 

请注意,作者评论了在日期检测器中没有捕获到的微秒的非常难看的捕捉&#34; 您可以尝试一下(在对您自己的课程版本进行完整性检查之后)并查看它是否有效。顺便问一下,你的发行版是什么?