Fail2ban与nginx-botsearch没有匹配

时间:2018-04-05 09:36:23

标签: regex nginx fail2ban

我尝试在fail2ban中使用过滤器nginx-botsearch.conf。

这是要检查的条目:

  

[错误] 4904#4904:* 2057“/ var / www / html / XXXX”未找到(2:否)   这样的文件或目录),客户端:XX.XXX.XXX.XX,服务器:XXXXX.XX,   请求:“GET / _asterisk / HTTP / 1.1”,主持人:“XX.XX.XXX.XX”

使用此failregex:

[INCLUDES]

# Load regexes for filtering
before = botsearch-common.conf

[Definition]

failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$
            ^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or directory\), client\: <HOST>\, server\: \S*\, request: \"(GET|POST|HEAD) \/<block> \S+\"\, .*?$

ignoreregex =

但如果我测试它,它找不到任何匹配。我在这里找不到问题。

正在运行测试

sudo fail2ban-regex --print-all-missed /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-botsearch.conf

结果

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [2] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
`-

Lines: 2 lines, 0 ignored, 0 matched, 2 missed
[processed in 0.00 sec]

|- Missed line(s):
|  2018/04/06 10:37:18 [error] 1193#1193: *2045 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: XXXX, server: XXXX, request: "GET /favicon.ico HTTP/2.0", host: "XXXX"
|  2018/04/06 10:37:18 [error] 1193#1193: *2045 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: XXXX, server: XXXX, request: "GET /favicon.ico HTTP/2.0", host: "XXXX"

1 个答案:

答案 0 :(得分:0)

好的,所以标准正则表达式不能捕获日志中的必需行。

ngnix-botsearch.conf复制到ngnix-botsearch.local

sudo cp /etc/fail2ban/filter.d/ngnix-botsearch.conf /etc/fail2ban/filter.d/ngnix-botsearch.local

使用您喜欢的编辑器打开ngnix-botsearch.local并在[Definition]部分中将failregex =部分替换为:

failregex = ^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or directory\), client\: <HOST>, server\: \S*\, request: \"(GET|POST|HEAD) \/favicon\.ico \S+\"\, host: \"\S*\".*?

这将添加带有自定义正则表达式的文件,它将捕获您错过的行。保存文件,然后执行:

sudo fail2ban-client reload

现在再次检查过滤器:

sudo fail2ban-regex --print-all-missed /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-botsearch.conf

您可以检查/创建正则表达式以捕获日志中缺少的行:https://regex101.com例如,以下是缺少行的正则表达式:https://regex101.com/r/QGxC0k/1,但请注意Regex101执行了解来自fail2ban的<HOST>和其他别名!您需要使用适当的正则表达式替换它们。

定期检查您的日志中fail2ban未命中行的设置。

希望这会有所帮助。

相关问题
最新问题