MYSQL error.log显示失败的登录尝试为[note]

时间:2017-10-03 19:38:46

标签: mysql fail2ban

我正在尝试将fail2ban与MYSQL 5.7.19一起使用

error.log显示如下条目:

2017-10-03T19:17:45.014850Z 127207 [Note] Access denied for user 'trafic'@'localhost' (using password: YES)
2017-10-03T19:17:46.222136Z 127209 [Note] Access denied for user 'user'@'localhost' (using password: YES)
2017-10-03T19:17:47.440388Z 127211 [Note] Access denied for user 'user'@'localhost' (using password: YES)
2017-10-03T19:17:48.625799Z 127213 [Note] Access denied for user 'wordpress'@'localhost' (using password: YES)
2017-10-03T19:17:49.849088Z 127219 [Note] Access denied for user 'root'@'localhost' (using password: YES)

在error.log中既没有捕获任何IP也没有显示为警告,但是记录为[note]

我在log-warnings =2

中设置了mysqld.cnf

感谢。

更新: 我从mysql error.log获取这些日志超过20次来自同一个ip。

2017-10-04T14:35:45.932144Z 218879 [Note] Access denied for user 'root'@'123.129.218.64' (using password: YES)
2017-10-04T14:35:46.551180Z 218881 [Note] Access denied for user 'root'@'123.129.218.64' (using password: YES)
2017-10-04T14:35:47.169756Z 218882 [Note] Access denied for user 'root'@'123.129.218.64' (using password: YES)

我的fail2ban过滤器代码是这样的:

[Definition]

_daemon = mysqld

failregex = ^%(__prefix_line)s(\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[Warning\] Access denied for user '\w+'@'<HOST>' (to database '[^']*'|\(using password: (YES|N$

ignoreregex =

和jail.conf看起来像这样:

[mysql]
enabled = true
port = 3306
filter =  mysqld-auth
logpath = /var/log/mysql/error.log
maxretry = 3

但是fail2ban没有收到失败的尝试。

我还在浏览器中使用PhpMyadmin多次尝试错误的用户。因此它会自动向用户添加localhost,即使我正在远程尝试它。

所以问题是我可以在PhpMyadmin中尝试无数次尝试失败而不被禁止。

1 个答案:

答案 0 :(得分:2)

如果MySQL没有表现,您可以编辑fail2ban正则表达式(failregex)以检测“注意”而不是“警告”

failregex = ^%(__prefix_line)s(\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[Warning\] Access denied for user '\w+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$

为:

failregex = ^%(__prefix_line)s(?:\d+ |\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[\w+\] Access denied for user '[^']+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$

您可以使用以下方式对此进行测试:

fail2ban-regex "2017-10-04T14:35:47.169756Z 218882 [Note] Access denied for user 'root'@'123.129.218.64' (using password: YES)" /etc/fail2ban/filter.d/mysqld-auth.conf

你会在输出中看到匹配:

Lines: 1 lines, 0 ignored, 1 matched, 0 missed [processed in 0.00 sec]
相关问题
最新问题