Fail2ban 没有匹配 nginx-botsearch
Fail2ban no matches for nginx-botsearch
我尝试在 fail2ban 中使用过滤器 nginx-botsearch.conf。
这是要检查的条目:
[error] 4904#4904: *2057 "/var/www/html/XXXX" is not found (2: No
such file or directory), client: XX.XXX.XXX.XX, server: XXXXX.XX,
request: "GET /_asterisk/ HTTP/1.1", host: "XX.XX.XXX.XX"
使用这个 failregex:
[INCLUDES]
# Load regexes for filtering
before = botsearch-common.conf
[Definition]
failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$
^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or directory\), client\: <HOST>\, server\: \S*\, request: \"(GET|POST|HEAD) \/<block> \S+\"\, .*?$
ignoreregex =
但是如果我测试它,它找不到任何匹配项。我在这里找不到问题。
运行 测试
sudo fail2ban-regex --print-all-missed /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-botsearch.conf
结果
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [2] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
`-
Lines: 2 lines, 0 ignored, 0 matched, 2 missed
[processed in 0.00 sec]
|- Missed line(s):
| 2018/04/06 10:37:18 [error] 1193#1193: *2045 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: XXXX, server: XXXX, request: "GET /favicon.ico HTTP/2.0", host: "XXXX"
| 2018/04/06 10:37:18 [error] 1193#1193: *2045 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: XXXX, server: XXXX, request: "GET /favicon.ico HTTP/2.0", host: "XXXX"
好的,所以标准正则表达式不会在您的日志中捕获所需的行。
复制ngnix-botsearch.conf到ngnix-botsearch.local:
sudo cp /etc/fail2ban/filter.d/ngnix-botsearch.conf /etc/fail2ban/filter.d/ngnix-botsearch.local
用您最喜欢的编辑器打开 ngnix-botsearch.local,然后在 [Definition] 部分将 failregex = 部分替换为:
failregex = ^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or directory\), client\: <HOST>, server\: \S*\, request: \"(GET|POST|HEAD) \/favicon\.ico \S+\"\, host: \"\S*\".*?
这将添加带有自定义正则表达式的文件,它将捕获您遗漏的行。保存文件然后执行:
sudo fail2ban-client reload
现在再次检查过滤器:
sudo fail2ban-regex --print-all-missed /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-botsearch.conf
您可以 check/create 正则表达式在此处捕获日志中丢失的行:https://regex101.com For instance, here is the regex for your missing lines: https://regex101.com/r/QGxC0k/1,但请注意 Regex101 不 理解 <HOST> 和 fail2ban 的其他别名!您需要用适当的正则表达式替换它们。
并定期检查您的设置,了解 fail2ban 在您的日志中遗漏的行。
希望这会有所帮助。
我尝试在 fail2ban 中使用过滤器 nginx-botsearch.conf。
这是要检查的条目:
[error] 4904#4904: *2057 "/var/www/html/XXXX" is not found (2: No such file or directory), client: XX.XXX.XXX.XX, server: XXXXX.XX, request: "GET /_asterisk/ HTTP/1.1", host: "XX.XX.XXX.XX"
使用这个 failregex:
[INCLUDES]
# Load regexes for filtering
before = botsearch-common.conf
[Definition]
failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$
^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or directory\), client\: <HOST>\, server\: \S*\, request: \"(GET|POST|HEAD) \/<block> \S+\"\, .*?$
ignoreregex =
但是如果我测试它,它找不到任何匹配项。我在这里找不到问题。
运行 测试
sudo fail2ban-regex --print-all-missed /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-botsearch.conf
结果
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [2] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
`-
Lines: 2 lines, 0 ignored, 0 matched, 2 missed
[processed in 0.00 sec]
|- Missed line(s):
| 2018/04/06 10:37:18 [error] 1193#1193: *2045 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: XXXX, server: XXXX, request: "GET /favicon.ico HTTP/2.0", host: "XXXX"
| 2018/04/06 10:37:18 [error] 1193#1193: *2045 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: XXXX, server: XXXX, request: "GET /favicon.ico HTTP/2.0", host: "XXXX"
好的,所以标准正则表达式不会在您的日志中捕获所需的行。
复制ngnix-botsearch.conf到ngnix-botsearch.local:
sudo cp /etc/fail2ban/filter.d/ngnix-botsearch.conf /etc/fail2ban/filter.d/ngnix-botsearch.local
用您最喜欢的编辑器打开 ngnix-botsearch.local,然后在 [Definition] 部分将 failregex = 部分替换为:
failregex = ^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or directory\), client\: <HOST>, server\: \S*\, request: \"(GET|POST|HEAD) \/favicon\.ico \S+\"\, host: \"\S*\".*?
这将添加带有自定义正则表达式的文件,它将捕获您遗漏的行。保存文件然后执行:
sudo fail2ban-client reload
现在再次检查过滤器:
sudo fail2ban-regex --print-all-missed /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-botsearch.conf
您可以 check/create 正则表达式在此处捕获日志中丢失的行:https://regex101.com For instance, here is the regex for your missing lines: https://regex101.com/r/QGxC0k/1,但请注意 Regex101 不 理解 <HOST> 和 fail2ban 的其他别名!您需要用适当的正则表达式替换它们。
并定期检查您的设置,了解 fail2ban 在您的日志中遗漏的行。
希望这会有所帮助。