Fail2ban named-refused failregex 语法
Fail2ban named-refused failregex syntax
当运行 fail2ban-regex
fail2ban-regex /var/log/named/security1.log /etc/fail2ban/filter.d/named-refused.conf
我得到以下输出
Running tests
=============
Use regex file : /etc/fail2ban/filter.d/named-refused.conf
Use log file : /var/log/named/security1.log
Matched time template Day-MONTH-Year Hour:Minute:Second[.Millisecond]
Matched time template Day-MONTH-Year Hour:Minute:Second[.Millisecond]
Matched time template Day-MONTH-Year Hour:Minute:Second[.Millisecond]
Matched time template Day-MONTH-Year Hour:Minute:Second[.Millisecond]
Matched time template Day-MONTH-Year Hour:Minute:Second[.Millisecond]
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Summary
=======
Sorry, no match
这是 security1.log 文件的一些输出
08-Feb-2016 11:38:15.324 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.326 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.326 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.326 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.326 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
failregex 如下
failregex = %(__line_prefix)sclient <HOST>#\S+: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
我认为我的 security1.log 的输出和 named-refused.conf 文件的 failregex 语法之间存在差异,这使得它找不到任何东西。
提前致谢,
男人
我 运行 你通过我的 Debian 8.2 fail2ban 以你描述和得到的相同方式登录。
Results
=======
Failregex: 14 total
|- #) [# of hits] regular expression
| 1) [14] ^(?:\s\S+ (?:(?:\[\d+\])?:\s+\(?named(?:\(\S+\))?\)?:?|\(?named(?:\(\S+\))?\)?:?(?:\[\d+\])?:)\s+)?(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [14] Day-MONTH-Year Hour:Minute:Second[.Millisecond]
`-
Lines: 14 lines, 0 ignored, 14 matched, 0 missed
因此,如果您有兴趣,我的发行版中的 /etc/fail2ban/filter.d/named-refused.conf 文件是:
[Definition]
# Daemon name
_daemon=named
# Shortcuts for easier comprehension of the failregex
__pid_re=(?:\[\d+\])
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
# hostname daemon_id spaces
# this can be optional (for instance if we match named native log files)
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
failregex = ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$
^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
# DEV Notes:
# Trying to generalize the
# structure which is general to capture general patterns in log
# lines to cover different configurations/distributions
#..........
# (\.\d+)? is a really ugly catch of the microseconds not captured in the date detector
#
# Author: Yaroslav Halchenko
请注意作者对 "really ugly catch of the microseconds not captured in the date detector" 的评论
您可以尝试一下(当然是在针对您自己的版本进行健全性检查之后),看看它是否有效。顺便问一下,你的发行版是什么?
当运行 fail2ban-regex
fail2ban-regex /var/log/named/security1.log /etc/fail2ban/filter.d/named-refused.conf
我得到以下输出
Running tests
=============
Use regex file : /etc/fail2ban/filter.d/named-refused.conf
Use log file : /var/log/named/security1.log
Matched time template Day-MONTH-Year Hour:Minute:Second[.Millisecond]
Matched time template Day-MONTH-Year Hour:Minute:Second[.Millisecond]
Matched time template Day-MONTH-Year Hour:Minute:Second[.Millisecond]
Matched time template Day-MONTH-Year Hour:Minute:Second[.Millisecond]
Matched time template Day-MONTH-Year Hour:Minute:Second[.Millisecond]
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Summary
=======
Sorry, no match
这是 security1.log 文件的一些输出
08-Feb-2016 11:38:15.324 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.325 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.326 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.326 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.326 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
08-Feb-2016 11:38:15.326 client 192.168.0.1#4444 (cpsc.gov): query (cache) 'cpsc.gov/ANY/IN' denied
failregex 如下
failregex = %(__line_prefix)sclient <HOST>#\S+: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
我认为我的 security1.log 的输出和 named-refused.conf 文件的 failregex 语法之间存在差异,这使得它找不到任何东西。
提前致谢,
男人
我 运行 你通过我的 Debian 8.2 fail2ban 以你描述和得到的相同方式登录。
Results
=======
Failregex: 14 total
|- #) [# of hits] regular expression
| 1) [14] ^(?:\s\S+ (?:(?:\[\d+\])?:\s+\(?named(?:\(\S+\))?\)?:?|\(?named(?:\(\S+\))?\)?:?(?:\[\d+\])?:)\s+)?(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [14] Day-MONTH-Year Hour:Minute:Second[.Millisecond]
`-
Lines: 14 lines, 0 ignored, 14 matched, 0 missed
因此,如果您有兴趣,我的发行版中的 /etc/fail2ban/filter.d/named-refused.conf 文件是:
[Definition]
# Daemon name
_daemon=named
# Shortcuts for easier comprehension of the failregex
__pid_re=(?:\[\d+\])
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
# hostname daemon_id spaces
# this can be optional (for instance if we match named native log files)
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
failregex = ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$
^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
# DEV Notes:
# Trying to generalize the
# structure which is general to capture general patterns in log
# lines to cover different configurations/distributions
#..........
# (\.\d+)? is a really ugly catch of the microseconds not captured in the date detector
#
# Author: Yaroslav Halchenko
请注意作者对 "really ugly catch of the microseconds not captured in the date detector" 的评论 您可以尝试一下(当然是在针对您自己的版本进行健全性检查之后),看看它是否有效。顺便问一下,你的发行版是什么?