Question

我有一个脚本，每2秒生成一行。线是

172.16.1.1 - - [08/Nov/2018:03:23:19  +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:21  +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:23  +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:25  +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:27  +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:29  +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:31  +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:33  +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:35  +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:37  +0700] "POST /wp-login.php HTTP/1.1" 200

将输出写入/opt/wpabuse/172.16.1.1.log

我的服务器所在的时区是亚洲/雅加达

我的监狱是：

[apache-wp-login]
enabled=true
filter = apache-wp-login
action = remote-pfsense
logpath = /opt/wpabuse/*.log

我的动作是：

[Definition]

actionstart = touch /var/run/fail2ban/pfsense.dummy
              printf %%b "<init>\n" >> /var/run/fail2ban/pfsense.dummy

actionban = printf %%b "+<ip>\n" >> /var/run/fail2ban/pfsense.dummy
actionunban = printf %%b "-<ip>\n" >> /var/run/fail2ban/pfsense.dummy

[Init]

我的过滤器是：

[Definition]
failregex = <HOST> - - .* "POST /wp-login.php HTTP/.*" 200

ignoreregex =

首先，我停止禁止。运行虚拟日志生成器... 当它生成行时...我开始fail2ban

fail2ban.log看起来像

2018-11-08 10:23:33,265 fail2ban.datedetector   [13048]: DEBUG   Got time 1541622213.000000 for "u'08/Nov/2018:03:23:33'" using template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
2018-11-08 10:23:33,266 fail2ban.datedetector   [13048]: DEBUG   Sorting the template list
2018-11-08 10:23:33,266 fail2ban.datedetector   [13048]: DEBUG   Winning template: Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)? with 170 hits
2018-11-08 10:23:35,268 fail2ban.filterpoll     [13048]: DEBUG   /opt/wpabuse/172.16.1.1.log has been modified
2018-11-08 10:23:35,269 fail2ban.datedetector   [13048]: DEBUG   Matched time template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
2018-11-08 10:23:35,269 fail2ban.datedetector   [13048]: DEBUG   Got time 1541622215.000000 for "u'08/Nov/2018:03:23:35'" using template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
2018-11-08 10:23:35,270 fail2ban.datedetector   [13048]: DEBUG   Sorting the template list
2018-11-08 10:23:35,270 fail2ban.datedetector   [13048]: DEBUG   Winning template: Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)? with 171 hits
2018-11-08 10:23:37,272 fail2ban.filterpoll     [13048]: DEBUG   /opt/wpabuse/172.16.1.1.log has been modified
2018-11-08 10:23:37,273 fail2ban.datedetector   [13048]: DEBUG   Matched time template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
2018-11-08 10:23:37,273 fail2ban.datedetector   [13048]: DEBUG   Got time 1541622217.000000 for "u'08/Nov/2018:03:23:37'" using template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
2018-11-08 10:23:37,274 fail2ban.datedetector   [13048]: DEBUG   Sorting the template list
2018-11-08 10:23:37,274 fail2ban.datedetector   [13048]: DEBUG   Winning template: Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)? with 172 hits

但是为什么“行动”没有触发？

真诚的 -bino-

针对虚拟日志的fail2ban测试

0 个答案: