fail2ban: apache-auth does not ban failed login attempts

Time: 2018-08-03 06:09:04

Tags: apache fail2ban

I am trying to set up fail2ban on Linux Mint 17.1, and after multiple failed login attempts against apache-auth it does not seem to block them.
I followed this guide to get started.
I think this is a problem with the apache-auth regex, but I cannot get it right.

jail.local

[apache] 
enabled = true 
port = 80,443
filter = apache-auth 
logpath = /var/log/apache2/*error.log 
maxretry = 3 
bantime = 600 
##ignoreip = 192.168.3.70

##To block the remote host that is trying to request suspicious URLs, use the below jail. 
[apache-overflows] 
enabled = true 
port = http,https 
filter = apache-overflows 
logpath = /var/log/apache2/*error.log 
maxretry = 3 
bantime = 600 
ignoreip = 192.168.3.70

##To block the remote host that is trying to search for scripts on the website to execute, use the below jail. 
[apache-noscript] 
enabled = true 
port = http,https 
filter = apache-noscript 
logpath = /var/log/apache2/*error.log 
maxretry = 3 
bantime = 600 
ignoreip = 192.168.3.70

##To block the remote host that is trying to request malicious bot, use below jail. 
[apache-badbots] 
enabled = true 
port = http,https 
filter = apache-badbots 
logpath = /var/log/apache2/*error.log 
maxretry = 3 
bantime = 600 
ignoreip = 192.168.3.70

##To stop DOS attack from remote host. 
[http-get-dos] 
enabled = true 
port = http,https 
filter = http-get-dos 
logpath = /var/log/apache*/access.log 
maxretry = 400 
findtime = 400 
bantime = 200 
##ignoreip = 192.168.3.70 
action = iptables[name=HTTP, port=http, protocol=tcp]

apache-auth.conf

[INCLUDES]
before = apache-common.conf
[Definition]
failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$
        ^%(_apache_error_client)s (AH01617: )?user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$
        ^%(_apache_error_client)s (AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$
        ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*(, referer: \S+)?\s*$
        ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$ 
        ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*?: password mismatch: \S*(, referer: \S+)?\s*$
        ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*?' in realm `.+' (not found|denied by provider): \S*(, referer: \S+)?\s*$
        ^%(_apache_error_client)s (AH01631: )?user .*?: authorization failure for "\S*":(, referer: \S+)?\s*$
        ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+(, referer: \S+)?\s*$
        ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*?' but expected `.+'(, referer: \S+)?\s*$
        ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*?' received: \S*(, referer: \S+)?\s*$
        ^%(_apache_error_client)s (AH01793: )?invalid qop `.*?' received: \S*(, referer: \S+)?\s*$
        ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .*? received - user attempted time travel(, referer: \S+)?\s*$

apache-common.conf

_apache_error_client = \[[^]]*\] \[(error|\S+:\S+)\]( \[pid \d+:\S+\d+\])? \[client <HOST>(:\d{1,5})?\]

/var/log/apache2/error.log

[Thu Aug 02 23:03:42.143209 2018] [auth_basic:error] [pid 8025] [client 192.168.3.60:54788] AH01618: user aaa not found: /SEC/test.php
[Thu Aug 02 23:03:43.216097 2018] [auth_basic:error] [pid 8025] [client 192.168.3.60:54788] AH01618: user aaa not found: /SEC/test.php
[Thu Aug 02 23:03:44.124570 2018] [auth_basic:error] [pid 8025][client 192.168.3.60:54788] AH01618: user aaa not found: /SEC/test.php
[Thu Aug 02 23:03:45.104747 2018] [auth_basic:error] [pid 8025][client 192.168.3.60:54788] AH01618: user aaa not found: /SEC/test.php
[Thu Aug 02 23:03:46.001161 2018] [auth_basic:error] [pid 8025][client 192.168.3.60:54788] AH01618: user aaa not found: /SEC/test.php
[Thu Aug 02 23:03:46.871802 2018] [auth_basic:error] [pid 8025][client 192.168.3.60:54788] AH01618: user aaa not found: /SEC/test.php
[Thu Aug 02 23:03:47.843740 2018] [auth_basic:error] [pid 8025][client 192.168.3.60:54788] AH01618: user aaa not found: /SEC/test.php

As I said, I think the problem is in the regular expression, because the http-get-dos jail works fine. The regex in apache-common.conf looks incorrect, because my log file seems to follow a different format, but I am not sure whether that is the case or how to format the regex correctly.

Thanks for your help.

1 answer:

Answer 0 (score: 0)

Found my problem.

I had to change the line in apache-common.conf to the following:

_apache_error_client = \[[^]]*\] \[(error|\S+:\S+)\]( \[pid \d+\])? \[client <HOST>(:\d{1,5})?\]

The difference is in the PID part. I used Regex101 to work on the expression until it matched.
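The quickest way to confirm a fix like this before reloading fail2ban is to expand the filter the same way fail2ban does (substitute %(_apache_error_client)s and <HOST>) and run both versions of the prefix against real log lines. The script below is an added example, not part of the question or answer and not fail2ban's own code: it takes the two _apache_error_client variants quoted above and the AH01618 "user not found" failregex from apache-auth.conf, applies them to constructed log lines modelled on the ones in the question, and counts hits per client the way a maxretry = 3 jail would. The <HOST> stand-in is an assumption (a plain IPv4 pattern; fail2ban's real substitution also covers hostnames and IPv6). It also goes one step beyond the page: the third constructed line uses Apache's threaded-MPM prefix `[pid N:tid N]`, which neither the original nor the corrected prefix matches, so anyone on the event/worker MPM needs a different pattern again.

```python
import re

# Assumed stand-in for fail2ban's <HOST> placeholder: enough for IPv4 clients.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two _apache_error_client definitions quoted on the page.
ORIGINAL_CLIENT = r"\[[^]]*\] \[(error|\S+:\S+)\]( \[pid \d+:\S+\d+\])? \[client <HOST>(:\d{1,5})?\]"
FIXED_CLIENT = r"\[[^]]*\] \[(error|\S+:\S+)\]( \[pid \d+\])? \[client <HOST>(:\d{1,5})?\]"

# The AH01618 failregex line from apache-auth.conf, still with its placeholders.
USER_NOT_FOUND = r"^%(_apache_error_client)s (AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$"

# Constructed sample lines (modelled on the question's error.log, not copied).
PREFORK_LINE = ("[Thu Aug 02 23:03:42.143209 2018] [auth_basic:error] [pid 8025] "
                "[client 192.168.3.60:54788] AH01618: user aaa not found: /SEC/test.php")
THREADED_LINE = ("[Thu Aug 02 23:03:43.216097 2018] [auth_basic:error] [pid 8025:tid 1401] "
                 "[client 192.168.3.61:40000] AH01618: user bbb not found: /SEC/test.php")
OTHER_LINE = ("[Thu Aug 02 23:03:44.124570 2018] [core:error] [pid 8025] "
              "[client 10.0.0.5:1234] AH00128: File does not exist: /var/www/html/x")
SAMPLE_LOG = "\n".join([PREFORK_LINE, PREFORK_LINE, PREFORK_LINE, THREADED_LINE, OTHER_LINE])


def build_failregex(client_prefix, failregex_template):
    """Expand the fail2ban-style %(name)s and <HOST> placeholders and compile."""
    pattern = failregex_template % {"_apache_error_client": client_prefix}
    return re.compile(pattern.replace("<HOST>", HOST))


def matches(regex, line):
    """True if the failregex matches the line (failregex lines are anchored at ^)."""
    return regex.match(line) is not None


def count_failures(log_text, regex, maxretry=3):
    """Return ({host: hits}, {hosts that reached maxretry}) for the given log text."""
    counts = {}
    for line in log_text.splitlines():
        m = regex.match(line)
        if m:
            host = m.group("host")
            counts[host] = counts.get(host, 0) + 1
    banned = {h for h, n in counts.items() if n >= maxretry}
    return counts, banned


if __name__ == "__main__":
    for label, prefix in (("original", ORIGINAL_CLIENT), ("fixed", FIXED_CLIENT)):
        regex = build_failregex(prefix, USER_NOT_FOUND)
        counts, banned = count_failures(SAMPLE_LOG, regex)
        print(f"{label:8s} prefix: hits={counts} would-ban={sorted(banned)}")
```

Running it shows the original prefix matching nothing (the `\d+:\S+\d+` part demands a colon inside `[pid ...]` that the prefork log never has), while the fixed prefix counts three hits for 192.168.3.60 and would ban it at maxretry = 3; the `[pid 8025:tid 1401]` line is ignored by both, which is the caveat to keep in mind when copying this fix to a server running a threaded MPM.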