I have a script that generates one line every 2 seconds. The lines are:
172.16.1.1 - - [08/Nov/2018:03:23:19 +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:21 +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:23 +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:25 +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:27 +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:29 +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:31 +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:33 +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:35 +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:37 +0700] "POST /wp-login.php HTTP/1.1" 200
The output is written to /opt/wpabuse/172.16.1.1.log
My server's timezone is Asia/Jakarta.
My jail is:
[apache-wp-login]
enabled=true
filter = apache-wp-login
action = remote-pfsense
logpath = /opt/wpabuse/*.log
My action is:
[Definition]
actionstart = touch /var/run/fail2ban/pfsense.dummy
              printf %%b "<init>\n" >> /var/run/fail2ban/pfsense.dummy
actionban = printf %%b "+<ip>\n" >> /var/run/fail2ban/pfsense.dummy
actionunban = printf %%b "-<ip>\n" >> /var/run/fail2ban/pfsense.dummy
[Init]
My filter is:
[Definition]
failregex = <HOST> - - .* "POST /wp-login.php HTTP/.*" 200
ignoreregex =
First, I stop fail2ban. I run the dummy log generator... While it is generating lines... I start fail2ban.
fail2ban.log looks like:
2018-11-08 10:23:33,265 fail2ban.datedetector [13048]: DEBUG Got time 1541622213.000000 for "u'08/Nov/2018:03:23:33'" using template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
2018-11-08 10:23:33,266 fail2ban.datedetector [13048]: DEBUG Sorting the template list
2018-11-08 10:23:33,266 fail2ban.datedetector [13048]: DEBUG Winning template: Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)? with 170 hits
2018-11-08 10:23:35,268 fail2ban.filterpoll [13048]: DEBUG /opt/wpabuse/172.16.1.1.log has been modified
2018-11-08 10:23:35,269 fail2ban.datedetector [13048]: DEBUG Matched time template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
2018-11-08 10:23:35,269 fail2ban.datedetector [13048]: DEBUG Got time 1541622215.000000 for "u'08/Nov/2018:03:23:35'" using template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
2018-11-08 10:23:35,270 fail2ban.datedetector [13048]: DEBUG Sorting the template list
2018-11-08 10:23:35,270 fail2ban.datedetector [13048]: DEBUG Winning template: Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)? with 171 hits
2018-11-08 10:23:37,272 fail2ban.filterpoll [13048]: DEBUG /opt/wpabuse/172.16.1.1.log has been modified
2018-11-08 10:23:37,273 fail2ban.datedetector [13048]: DEBUG Matched time template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
2018-11-08 10:23:37,273 fail2ban.datedetector [13048]: DEBUG Got time 1541622217.000000 for "u'08/Nov/2018:03:23:37'" using template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
2018-11-08 10:23:37,274 fail2ban.datedetector [13048]: DEBUG Sorting the template list
2018-11-08 10:23:37,274 fail2ban.datedetector [13048]: DEBUG Winning template: Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)? with 172 hits
But why is the "action" not triggered?
Sincerely, -bino-
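
The debug lines in the post carry two clocks: the time fail2ban wrote its own log entry and the epoch it parsed from the access-log line. The following check is an added example, not part of the original post or of fail2ban's code; it compares the two, assuming fail2ban.log timestamps are local Asia/Jakarta time and that findtime is the 600-second default because the jail shown sets none.

```python
import re
from datetime import datetime, timedelta, timezone

JAKARTA = timezone(timedelta(hours=7))  # Asia/Jakarta is UTC+7 with no DST
FINDTIME = 600  # assumption: fail2ban default; the jail in the post sets none

# Lines copied from the post (template text shortened to "...")
ACCESS_LINE = '172.16.1.1 - - [08/Nov/2018:03:23:33 +0700] "POST /wp-login.php HTTP/1.1" 200'
F2B_LINE = ("2018-11-08 10:23:33,265 fail2ban.datedetector [13048]: DEBUG "
            "Got time 1541622213.000000 for \"u'08/Nov/2018:03:23:33'\" using template ...")


def access_epoch(line):
    """Epoch of the bracketed timestamp in an Apache-style log line."""
    stamp = re.search(r"\[([^\]]+)\]", line).group(1)
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()


def f2b_times(line, tz=JAKARTA):
    """Return (epoch when fail2ban logged the entry, epoch it parsed from it)."""
    m = re.match(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ .*Got time (\d+)\.", line)
    if m is None:
        raise ValueError("not a datedetector 'Got time' line")
    wall = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return wall.timestamp(), float(m.group(2))


def entry_age(access_line, f2b_line, findtime=FINDTIME):
    """Age of the entry when fail2ban read it, and whether it fits in findtime."""
    wall, parsed = f2b_times(f2b_line)
    if parsed != access_epoch(access_line):
        raise ValueError("fail2ban parsed a different time than the log line states")
    age = wall - parsed
    return age, 0 <= age <= findtime


if __name__ == "__main__":
    age, in_window = entry_age(ACCESS_LINE, F2B_LINE)
    print(f"entry age: {age:.0f}s ({age / 3600:.1f}h), inside findtime: {in_window}")
```

fail2ban does not count a matched line toward a ban when its timestamp is older than findtime relative to the current time.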