如何使 fail2ban failregex 工作(“.*”有问题?)?
How to make fail2ban failregex work (problem with ".*" ?)?
我想通过 fail2ban 禁止任何人在我的 nginx error.log 文件中生成这两种类型的行:
2019/12/15 20:12:12 [error] 640#640: *6 open() "/data/xxxxxx.com/www/50x.html" failed (2: No such file or directory), client: 35.187.45.148, server: xxxxxx.com, request: "GET /external.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock", host: x.x.x.x
2019/12/16 13:42:59 [crit] 647#647: *41 connect() to unix:/var/run/php5-fpm.sock failed (2: No such file or directory) while connecting to upstream, client: 35.233.78.55, server: xxxxxx.com, request: "GET /external.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "x.x.x.x"
我认为这些行行得通:
open() .* 客户端:<主机>
connect() 到 .* 客户端:< HOST >
但他们显然没有(使用 fail2ban-regex 测试)。这是我的完整过滤器:
[Definition]
failregex = open() .* client: < HOST >
connect() to .* client: < HOST >
FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: < HOST >
datepattern = {^LN-BEG}
注意:最后一个 (FastCGI...) 确实有效。 ".*" 会有问题吗?
括号()都是正则表达式元字符,这意味着它们在正则表达式中具有特殊含义。例如,这是您的第一个正则表达式实际匹配的内容:
open .* client:
也就是说,()实际上是一个零宽度的capture组,等同于什么都不匹配。由于您尝试匹配 open 后跟 space,因此您无法获得匹配。这是更正后的版本:
[Definition]
failregex = open\(\) .* client: < HOST >
connect\(\) to .* client: < HOST >
FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: < HOST >
datepattern = {^LN-BEG}
请注意,如果我们要匹配文字括号,我们应该用反斜杠将它们转义。
我想通过 fail2ban 禁止任何人在我的 nginx error.log 文件中生成这两种类型的行:
2019/12/15 20:12:12 [error] 640#640: *6 open() "/data/xxxxxx.com/www/50x.html" failed (2: No such file or directory), client: 35.187.45.148, server: xxxxxx.com, request: "GET /external.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock", host: x.x.x.x
2019/12/16 13:42:59 [crit] 647#647: *41 connect() to unix:/var/run/php5-fpm.sock failed (2: No such file or directory) while connecting to upstream, client: 35.233.78.55, server: xxxxxx.com, request: "GET /external.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "x.x.x.x"
我认为这些行行得通:
open() .* 客户端:<主机>
connect() 到 .* 客户端:< HOST >
但他们显然没有(使用 fail2ban-regex 测试)。这是我的完整过滤器:
[Definition]
failregex = open() .* client: < HOST >
connect() to .* client: < HOST >
FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: < HOST >
datepattern = {^LN-BEG}
注意:最后一个 (FastCGI...) 确实有效。 ".*" 会有问题吗?
括号()都是正则表达式元字符,这意味着它们在正则表达式中具有特殊含义。例如,这是您的第一个正则表达式实际匹配的内容:
open .* client:
也就是说,()实际上是一个零宽度的capture组,等同于什么都不匹配。由于您尝试匹配 open 后跟 space,因此您无法获得匹配。这是更正后的版本:
[Definition]
failregex = open\(\) .* client: < HOST >
connect\(\) to .* client: < HOST >
FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: < HOST >
datepattern = {^LN-BEG}
请注意,如果我们要匹配文字括号,我们应该用反斜杠将它们转义。