
I am using fail2ban 0.9.1 and Asterisk 11 with IPTables on Fedora 21.

The IP addresses attacking my server are not automatically written to IPTables (see below for how things work when I run banip manually). Do you see any errors that would cause this?

I get messages in the /var/log/asterisk/messages log about bad actors trying wrong extensions.

My regex works, because when I run

 fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf

I get

 Lines: 2985 lines, 0 ignored, 597 matched, 2388 missed [processed in 0.66 sec]

which means 597 lines matched the regex. Correct? Is there a way to show the matching lines? What is the variable?

I can also do:

 fail2ban-client set asterisk banip 107.150.44.222

and IPTables is updated correctly and the IP is banned. (Yes, I know I used a real IP address; as far as I'm concerned, everyone is welcome to ban that ba$%*$#rd.)

jail.local:

 [asterisk]
 enabled=yes
 filter=asterisk
 protocol=all
 logpath = /var/log/asterisk/messages
 banaction=iptables-multiport
 port     = 5060,5061
 action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
       %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
       %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
 maxretry = 3
 bantime=432000
 findtime =86400

I removed the Asterisk references from jail.conf to avoid conflicts.

filter.d/asterisk.conf:

 [INCLUDES]

 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = common.conf

 [Definition]

 # Option:  failregex
 # Notes.:  regex to match the password failures messages in the logfile.
 # Values:  TEXT
 #
 log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d*

 failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$
        ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - No matching peer found$
        ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Username/auth name mismatch$
        ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Device does not match ACL$
        ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Peer is not supposed to register$
        ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - ACL error \(permit/deny\)$
        ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Not a local domain$
        ^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
        ^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
        ^%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
        ^%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
        ^%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
        ^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
        ^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/(<HOST>)/[0-9]{4}"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$

 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex =

1 Answer


Your asterisk.conf and jail.local entries look fine, although I usually add the jail name after the banaction. For example: banaction=iptables-multiport[name=asterisk]

Restart the fail2ban service and check your fail2ban log for any errors. A common problem that was not fixed until v0.9.2 is:

 Error in FilterPyinotify callback: 'module' object has no attribute '_strptime_time'

To fix it, update fail2ban to v0.9.2 or edit the file /usr/share/fail2ban/common/__init__.py

and add the following text to the end of the file:

 from time import strptime
 # strptime thread safety hack-around - http://bugs.python.org/issue7980
 strptime("2012", "%Y")

"Is there a way to show the matching lines? What is the variable?"

You need to use the -v option with fail2ban-regex. It will not give you the matching variable, but it will list every IP address associated with a matched line. You can then look up the details for that IP in the Asterisk log.

 fail2ban-regex -v /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf

Answered on 2015-08-28T19:28:45.433
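To see exactly which lines match and which address the `<HOST>` group captured (the "variable" the question asks about), here is an added Python re-implementation of the matching step for two of the failregex lines above; it is example code, not fail2ban's code and not part of the answer. The `__pid_re` value and the `<HOST>` expansion are assumed from fail2ban's common.conf, and the Asterisk 11 log lines are constructed with documentation addresses.

```python
import re
from collections import Counter

# Assumed values: fail2ban's __pid_re from common.conf and its <HOST> expansion.
PID_RE = r"(?:\[\d+\])?"
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# log_prefix exactly as in filter.d/asterisk.conf above, with __pid_re expanded.
LOG_PREFIX = r"\[\]\s*(?:NOTICE|SECURITY)" + PID_RE + r":?(?:\[\S+\d*\])? \S+:\d*"

# Two of the failregex lines from the filter on this page.
FAILREGEX = [
    r"^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$",
    r"^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$",
]
COMPILED = [re.compile(p.replace("%(log_prefix)s", LOG_PREFIX).replace("<HOST>", HOST_RE))
            for p in FAILREGEX]

def strip_timestamp(line):
    """fail2ban removes the matched date first, which is why the filter starts with '\\[\\]'."""
    return re.sub(r"^\[[^\]]*\]", "[]", line, count=1)

def scan(lines):
    """Return (original_line, host) for every line that some failregex matches."""
    hits = []
    for line in lines:
        stripped = strip_timestamp(line.rstrip("\n"))
        for rx in COMPILED:
            m = rx.search(stripped)
            if m:
                hits.append((line, m.group("host")))
                break
    return hits

def hosts_to_ban(hits, maxretry=3):
    """Hosts reaching the jail's maxretry (3 in jail.local); findtime is ignored here."""
    counts = Counter(host for _, host in hits)
    return sorted(h for h, n in counts.items() if n >= maxretry)

# Constructed sample lines in Asterisk 11 default log format (not real traffic).
SAMPLE_LOG = [
    "[2015-08-28 19:28:45] NOTICE[1638] chan_sip.c: Registration from '\"100\"<sip:100@203.0.113.5>' failed for '203.0.113.5:5060' - Wrong password",
    "[2015-08-28 19:28:46] NOTICE[1638][C-00000003] chan_sip.c: Call from '' (198.51.100.7:5060) to extension '0011972599999999' rejected because extension not found in context 'default'.",
    "[2015-08-28 19:28:47] NOTICE[1638][C-00000004] chan_sip.c: Call from '' (198.51.100.7:5060) to extension '900011972599999999' rejected because extension not found in context 'default'.",
    "[2015-08-28 19:28:48] NOTICE[1638][C-00000005] chan_sip.c: Call from '' (198.51.100.7:5060) to extension '0011972599999998' rejected because extension not found in context 'default'.",
    "[2015-08-28 19:28:49] NOTICE[1638] chan_sip.c: Peer '100' is now Reachable. (12ms / 2000ms)",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for line, host in hits:
        print(host, "<-", line)
    print("hosts at or over maxretry:", hosts_to_ban(hits))
```

Run against the real file with `scan(open("/var/log/asterisk/messages"))` to list the matched lines alongside the extracted host, which is the information `fail2ban-regex -v` summarises per IP.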