简短摘要:
我正在尝试在监视Docker容器中流量的主机上配置fail2ban。我的fail2ban匹配,并且fail2ban确实禁止了IP地址。但是它禁止的IP地址是错误的吗?
设置和诊断
jail.local中的示例代码段
[php-custom]
enabled = true
port = http,https
filter = php-custom
logpath = /var/lib/docker/containers/*/*-json.log
maxrety = 0
bantime = 8640000
我的自定义php-custom.conf过滤器规则:(我在运行.net应用时尝试禁止任何php):
[Definition]
failregex = ^{"log":".*<HOST>.*(GET|POST).*(.php).*$
ignoreregex =
我正试图阻止/禁止的垃圾邮件流量惊人:
{"log":"127.0.0.1 47.95.1.195 - - [05/Jul/2018:21:42:40 +0000] \"GET /phpMyadmin_bak/index.php HTTP/1.1\" 503 213 \"-\" \"Mozilla/5.0\"\n","stream":"stdout","time":"2018-07-05T21:42:40.24318153Z"}
{"log":"127.0.0.1 47.95.1.195 - - [05/Jul/2018:21:42:40 +0000] \"GET /www/phpMyAdmin/index.php HTTP/1.1\" 503 213 \"-\" \"Mozilla/5.0\"\n","stream":"stdout","time":"2018-07-05T21:42:40.823999106Z"}
{"log":"127.0.0.1 47.95.1.195 - - [05/Jul/2018:21:42:42 +0000] \"GET /tools/phpMyAdmin/index.php HTTP/1.1\" 503 213 \"-\" \"Mozilla/5.0\"\n","stream":"stdout","time":"2018-07-05T21:42:42.495745595Z"}
{"log":"127.0.0.1 47.95.1.195 - - [05/Jul/2018:21:42:42 +0000] \"GET /phpmyadmin-old/index.php HTTP/1.1\" 503 213 \"-\" \"Mozilla/5.0\"\n","stream":"stdout","time":"2018-07-05T21:42:42.686355079Z"}
{"log":"127.0.0.1 47.95.1.195 - - [05/Jul/2018:21:42:42 +0000] \"GET /phpMyAdminold/index.php HTTP/1.1\" 503 213 \"-\" \"Mozilla/5.0\"\n","stream":"stdout","time":"2018-07-05T21:42:42.876219111Z"}
{"log":"127.0.0.1 47.95.1.195 - - [05/Jul/2018:21:42:43 +0000] \"GET /phpMyAdmin.old/index.php HTTP/1.1\" 503 213 \"-\" \"Mozilla/5.0\"\n","stream":"stdout","time":"2018-07-05T21:42:43.0685648Z"}
{"log":"127.0.0.1 47.95.1.195 - - [05/Jul/2018:21:42:43 +0000] \"GET /pma-old/index.php HTTP/1.1\" 503 213 \"-\" \"Mozilla/5.0\"\n","stream":"stdout","time":"2018-07-05T21:42:43.258384519Z"}
当我使用fail2ban-regex测试它时,请参见下文,编号127.0.0.1不是我的真实IP地址。
fail2ban-regex '{"log":"127.0.0.1 118.24.11.172 - - [07/Jul/2018:06:15:10 +0000] \"GET /mysql-admin/index.php HTTP/1.1\" 503 213 \"-\" \"Mozilla/5.0\"\n","stream":"stdout","time":"2018-07-07T06:15:10.68 3403757Z"}' '^{"log":".*<HOST>.*(GET|POST).*(.php).*$'
我得到的输出:
Running tests
=============
Use failregex line : ^{"log":".*<HOST>.*(GET|POST).*(.php).*$
Use single line : {"log":"127.0.0.1 118.24.11.172 - - [07/Jul/2...
Results
=======
Failregex: 1 total
|- #) [# of hits] regular expression
| 1) [1] ^{"log":".*<HOST>.*(GET|POST).*(.php).*$
| 0.0.0.2 Sat Jul 07 06:15:10 2018
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [1] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
| [0] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
| [0] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
| [0] Day(?P<_sep>[-/])Month(?P=_sep)(?:Year|Year2) 24hour:Minute:Second
| [0] Month/Day/Year:24hour:Minute:Second
| [0] Month-Day-Year 24hour:Minute:Second\.Microseconds
| [0] TAI64N
| [0] Epoch
| [0] Year-Month-Day[T ]24hour:Minute:Second(?:\.Microseconds)?(?:Zone offset)?
| [0] ^24hour:Minute:Second
| [0] ^<Month/Day/Year2@24hour:Minute:Second>
| [0] ^Year2MonthDay ?24hour:Minute:Second
| [0] MON Day, Year 12hour:Minute:Second AMPM
| [0] ^MON-Day-Year2 24hour:Minute:Second
`-
Lines: 1 lines, 0 ignored, 1 matched, 0 missed [processed in 0.00 sec]
似乎匹配,但似乎匹配的IP地址是0.0.0.2 Sat Jul 07 06:15:10 2018 ??
我假设此设置可以正常运行了一段时间,并且通过运行fail2ban-client status php-custom检查状态时得到以下信息:
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/lib/docker/containers/016ef4731565527d407a552af9bfe5cf3ec3623117b40a34ed09e9fb5b2ffb00/ 016ef4731565527d407a552af9bfe5cf3ec3623117b40a34ed09e9fb5b2ffb00-json.log
`- Actions
|- Currently banned: 5
|- Total banned: 5
`- Banned IP list: 0.0.0.1 0.0.0.2 0.0.0.4 0.0.0.8 0.0.0.9
所有IP地址似乎都是0.0.0.1和0.0.0.2等?
我希望它应该是实际的IP地址,因为我仍在收到垃圾邮件流量。
对于我对于fail2ban以及Docker来说都是新手,我将不胜感激。
答案 0 :(得分:0)
我建议将nginx配置为不在这些经常收到404消息的位置附近记录任何内容。这样,保存日志的CPU和磁盘IO可以用于您的实际访问者。
当您不需要fail2ban扫描日志时,也会节省CPU / IO时间。
每个真正的访问者都免于受到IP / nftables规则的限制,从而减慢了他们的访问速度。
您还将省去查看日志并专注于互联网的背景噪音而不是真正关心的实际访问者的痛苦。
您的正则表达式也太宽泛了probably susceptible to DoS attacks。
答案 1 :(得分:0)
我也经历了同样的事情。该问题以及如何解决,这是一个不正确的过滤器正则表达式。很难发现,但是HOST只是解析为IP地址的最后一位(因此,您随机选择0.0.0.X)。 Fail2ban以某种方式将数字取为0.0.0.X IP地址。修复正则表达式后,正确的IP开始流动。
作为旁注-解决这对我来说不是路的尽头。下一个障碍是,fail2ban似乎可以正常工作,并且禁止正确的IP地址,但是背后的服务(在您的情况下为php,在我的mysql中)仍在接收恶意流量。为此,您需要考虑这个人写了什么(对我有很大帮助):LINK
希望这会有所帮助!