I am trying to match this date pattern in fail2ban:
test.example.org 12.100.3.45 - - [14/Jun/2019:13:54:50 +0000] "GET
This can be tested with the regex tester:
fail2ban-regex -d ^%%d/%%M/%%Y:%%H:%%M:%%S "test.example.org [14/Jun/2019:13:22:57 +0000] 1.2.3.4" "<HOST>"
I expected the IP address to be found, but the date pattern is not found.
Running tests
=============
Use datepattern : {^%d/%M/%Y:%H:%M:%S}
Use failregex line : <HOST>
Use single line : test.example.org [14/Jun/2019:13:22:57 +0000] 1.2.3.4
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.00 sec]
|- Missed line(s):
| test.example.org [14/Jun/2019:13:22:57 +0000] 1.2.3.4
Update:
I used a my.conf file:
# fail2ban filter configuration for nginx proxy
# hk
[Definition]
failregex = ^<HOST> - [^-[ ]+.+HTTP/1.[0-9]" 401
ignoreregex =
datepattern = ^%%d/%%M/%%Y:%%H:%%M:%%S
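When using this date pattern, I get an error in the regex parser.
My understanding is that fail2ban works by taking the datepattern and converting it into a regular expression that finds the date. So is the datepattern invalid? I believe the regex is (as Sean pointed out in the comments).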
Running tests
=============
Use failregex filter file : nginx-proxy-auth, basedir: /etc/fail2ban
Use datepattern : ^Day/Minute/Year:24hour:Minute:Second
Use log file : /data/docker/nginx-proxy/logs/access.log
Use encoding : UTF-8
Traceback (most recent call last):
File "/usr/bin/fail2ban-regex", line 34, in <module>
exec_command_line()
File "/usr/lib/python3/dist-packages/fail2ban/client/fail2banregex.py", line 685, in exec_command_line
if not fail2banRegex.start(args):
File "/usr/lib/python3/dist-packages/fail2ban/client/fail2banregex.py", line 635, in start
self.process(test_lines)
File "/usr/lib/python3/dist-packages/fail2ban/client/fail2banregex.py", line 458, in process
line_datetimestripped, ret = self.testRegex(line)
File "/usr/lib/python3/dist-packages/fail2ban/client/fail2banregex.py", line 409, in testRegex
ret = self._filter.processLine(line, date)
File "/usr/lib/python3/dist-packages/fail2ban/server/filter.py", line 526, in processLine
(timeMatch, template) = self.dateDetector.matchTime(l)
File "/usr/lib/python3/dist-packages/fail2ban/server/datedetector.py", line 373, in matchTime
match = template.matchDate(line)
File "/usr/lib/python3/dist-packages/fail2ban/server/datetemplate.py", line 153, in matchDate
self._compileRegex()
File "/usr/lib/python3/dist-packages/fail2ban/server/datetemplate.py", line 147, in _compileRegex
raise e
File "/usr/lib/python3/dist-packages/fail2ban/server/datetemplate.py", line 144, in _compileRegex
self._cRegex = re.compile(self.regex)
File "/usr/lib/python3.6/re.py", line 233, in compile
return _compile(pattern, flags)
File "/usr/lib/python3.6/re.py", line 301, in _compile
p = sre_compile.compile(pattern, flags)
File "/usr/lib/python3.6/sre_compile.py", line 562, in compile
p = sre_parse.parse(p, flags)
File "/usr/lib/python3.6/sre_parse.py", line 855, in parse
p = _parse_sub(source, pattern, flags & SRE_FLAG_VERBOSE, 0)
File "/usr/lib/python3.6/sre_parse.py", line 416, in _parse_sub
not nested and not items))
File "/usr/lib/python3.6/sre_parse.py", line 765, in _parse
p = _parse_sub(source, state, sub_verbose, nested + 1)
File "/usr/lib/python3.6/sre_parse.py", line 416, in _parse_sub
not nested and not items))
File "/usr/lib/python3.6/sre_parse.py", line 759, in _parse
raise source.error(err.msg, len(name) + 1) from None
sre_constants.error: redefinition of group name 'M' as group 6; was group 3 at position 107
So this pattern tries to find minutes rather than months.
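Answer 0 (score: 0)
In a fail2ban datepattern, M matches minutes, as shown. If you want to match a numeric month, use m; if you want to match the three-letter abbreviation, use b.
You can also match nanos with %f, but the + needs to be escaped.
So is the datepattern invalid? The regex
The datepattern is a valid regex, it just matches the wrong thing. However, I think your failregex is also too vague ("<HOST>" only matches the literal "1.2.3.4"). You need something like ".*<HOST>" or "<HOST>$" so that it knows where to look for the IP.
So, putting everything together to match the pattern you want, you can use: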
fail2ban-regex -d "%d/%b/%Y:%H:%M:%S \+%f" "test.example.org [14/Jun/2019:13:22:57 +0000] 1.2.3.4" "^.*<HOST>"
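The failure in the traceback and the fix from the answer, reproduced as an added example (not part of the original question or answer, and not fail2ban's own code). It is a simplified model that assumes each %X directive expands to a regex group named after its letter, as the "redefinition of group name 'M'" message suggests; `DIRECTIVES`, `expand` and `try_pattern` are hypothetical names.

```python
import re

# Simplified directive table (assumption: modelled on strptime semantics,
# not copied from fail2ban's datetemplate.py).
DIRECTIVES = {
    "d": r"(?P<d>[0-3]?\d)",          # day of month
    "m": r"(?P<m>0?[1-9]|1[0-2])",    # numeric month
    "b": r"(?P<b>[A-Za-z]{3})",       # abbreviated month name
    "Y": r"(?P<Y>\d{4})",             # four-digit year
    "H": r"(?P<H>[01]?\d|2[0-3])",    # hour, 24h clock
    "M": r"(?P<M>[0-5]\d)",           # minute, NOT month
    "S": r"(?P<S>[0-5]\d|6[0-1])",    # second
}


def expand(datepattern):
    """Replace each %X directive with its named-group regex."""
    return re.sub(r"%([A-Za-z])", lambda m: DIRECTIVES[m.group(1)], datepattern)


def try_pattern(datepattern, line):
    """Return (matched groups or None, compile error message or None)."""
    try:
        compiled = re.compile(expand(datepattern))
    except re.error as exc:
        # Using %M twice defines the named group 'M' twice, which Python's
        # re module rejects at compile time.
        return None, str(exc)
    match = compiled.search(line)
    return (match.groupdict() if match else None), None


# Constructed sample line, in the format quoted in the question.
LINE = "test.example.org [14/Jun/2019:13:22:57 +0000] 1.2.3.4"

if __name__ == "__main__":
    for pattern in ("%d/%M/%Y:%H:%M:%S",   # question: %M used for the month
                    "%d/%m/%Y:%H:%M:%S",   # numeric month: compiles, no match on "Jun"
                    "%d/%b/%Y:%H:%M:%S"):  # answer: %b for "Jun"
        print(pattern, "->", try_pattern(pattern, LINE))
```
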