为Apache2创建fail2ban自定义规则

时间:2016-03-04 01:47:48

标签: regex apache fail2ban

我正在尝试创建一个自定义规则来禁止用户尝试登录太多次。触发器是" CheckLogin"在apache日志文件中。

日志提取:

[03/Mar/2016:19:38:24 -0600] 186.77.136.133 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /CheckLogin HTTP/1.1" -
[03/Mar/2016:19:38:24 -0600] 186.77.136.133 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /Login?nok=badpassword HTTP/1.1" 10570
[03/Mar/2016:19:38:27 -0600] 186.77.136.133 TLSv1.2 ECDHE-RSA-AES128-

当前过滤器:/etc/fail2ban/filter.d/test.conf

[INCLUDES]
[Definition]
failregex = ^<HOST> -.*"(GET|POST|HEAD).*CheckLogin".*$
ignoreregex =

当前jail.local

# detect password authentication failures
[test-auth-ssl]
enabled  = true
port     = https
filter   = test
logpath  = /var/log/apache2/ssl_request_log
maxretry = 3
bantime  = 36000  ; 10 hrs
findtime = 360   ; 


[test-auth]
enabled  = true
port     = http
filter   = test
logpath  = /var/log/apache2/access_log
maxretry = 3
bantime  = 36000  ; 10 hrs
findtime = 360   ; 

过滤器failregex中必须是一个棘手的细节,但我尝试了各种选项,但都没有。我可以毫无错误地重启fail2ban,但是用于测试的外部IP永远不会被禁止(触发器无效)。

Status for the jail: test-auth-ssl
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

1 个答案:

答案 0 :(得分:2)

知道了!

fail2ban-regex我终于找到了解决方案。

/etc/fail2ban/filter.d/test.conf 
[INCLUDES]
[Definition]
failregex =  <HOST> .*CheckLogin.*$
ignoreregex = 

同样在jail.local我必须添加backend=auto,因为它默认使用systemd