0

I am trying to protect my server from xmlrpc.php DDoS.

I use fail2ban, but the regex I found doesn't seem to be OK. Can you have a look?

This is the log:

Aug 2 17:33:11 myserver pound: my.web.site 188.209.49.38 - - [02/Aug/2015:17:33:11 +0200] "POST /xmlrpc.php HTTP/1.0" 404 410 "" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"

Aug 2 16:27:49 myserver pound: (7fec610c5700) e503 no back-end "POST /xmlrpc.php HTTP/1.0" from 185.62.188.25

filter.d/xmlrpc.conf

[Definition]
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =

jail.local

[xmlrpc]
enabled = true
filter = xmlrpc
action = iptables[name=xmlrpc, port=http, protocol=tcp]
logpath = /var/log/pound.log
bantime = 43600
maxretry = 2

And the test

fail2ban-regex /var/log/pound.log /etc/fail2ban/filter.d/xmlrpc.conf 
/usr/share/fail2ban/server/filter.py:442: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  import md5

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/xmlrpc.conf
Use log file   : /var/log/pound.log


Results
=======

Failregex
|- Regular expressions:
|  [1] ^<HOST> .*POST .*xmlrpc\.php.*
|
`- Number of matches:
   [1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.
root@myserver:/etc/fail2ban# 

Any idea?

Thanks

4

1 Answer

0

I edited the log format, so I now have this kind of log line:

Aug  3 06:25:51 ns111111 pound: 141.101.96.94 POST /xmlrpc.php HTTP/1.1 - HTTP/1.1 200 OK

So I tried this, and it is fine:

fail2ban-regex 'Aug  3 06:25:51 ns111111 pound: 141.101.96.94 POST /xmlrpc.php HTTP/1.1 - HTTP/1.1 200 OK'     'ns111111 pound: <HOST> .*POST .*xmlrpc\.php.*'
answered 2015-08-03T07:13:54.317
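The following is an added example, not code from either poster, that replays fail2ban's matching logic in plain Python over a small constructed log so the behaviour of both regexes can be seen without a live pound server. It assumes the 0.8-series form of fail2ban's `<HOST>` substitution and that fail2ban cuts the matched timestamp out of the line and leaves the remainder untouched (both assumptions; the `md5` DeprecationWarning in the question's transcript points at an old release). Under those assumptions the question's `^<HOST> ...` pattern cannot match anything, because after the timestamp a pound line continues with the syslog hostname and `pound:`, so the client IP is never at the start of the line; the three replacement patterns put `<HOST>` where the IP actually sits in each of the line formats seen in the thread (access-log style, the `no back-end ... from IP` error, and the reformatted line from the answer). The sample log lines and the `ns111111`/`myserver` hostnames are constructed from the thread's own lines.

```python
import re
from collections import Counter

# fail2ban replaces <HOST> with its own host pattern; this is the 0.8-series form
# (assumption about the version on the page). The optional "::ffff:" prefix covers
# IPv4-mapped IPv6 addresses.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Syslog-style timestamp as written by pound; both "Aug 2" and "Aug  3" occur.
SYSLOG_DATE = re.compile(r"^\S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}")

# Constructed sample log modelled on the three line formats shown in the thread.
# 188.209.49.38 appears twice so that maxretry = 2 is reached; the GET line must not match.
SAMPLE_LOG = [
    'Aug 2 16:27:49 myserver pound: (7fec610c5700) e503 no back-end "POST /xmlrpc.php HTTP/1.0" from 185.62.188.25',
    'Aug 2 17:33:11 myserver pound: my.web.site 188.209.49.38 - - [02/Aug/2015:17:33:11 +0200] "POST /xmlrpc.php HTTP/1.0" 404 410 "" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"',
    'Aug 2 17:33:12 myserver pound: my.web.site 188.209.49.38 - - [02/Aug/2015:17:33:12 +0200] "POST /xmlrpc.php HTTP/1.0" 404 410 "" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"',
    'Aug  3 06:25:51 ns111111 pound: 141.101.96.94 POST /xmlrpc.php HTTP/1.1 - HTTP/1.1 200 OK',
    'Aug  3 06:25:52 ns111111 pound: 203.0.113.7 GET /index.php HTTP/1.1 - HTTP/1.1 200 OK',
]

# The pattern from the question: anchored at the start of the (timestamp-stripped) line.
ORIGINAL_FAILREGEX = [r"^<HOST> .*POST .*xmlrpc\.php.*"]

# One failregex per line format, each placing <HOST> where the client IP really is.
FIXED_FAILREGEX = [
    # access-log style: pound: <site> <ip> - - [<date>] "POST /xmlrpc.php ..."
    r'pound: \S+ <HOST> - - \[[^\]]+\] "POST /xmlrpc\.php',
    # back-end error: pound: (<thread>) e503 no back-end "POST /xmlrpc.php ..." from <ip>
    r'pound: \(\w+\) e\d{3} no back-end "POST /xmlrpc\.php [^"]*" from <HOST>$',
    # the reformatted log from the answer: pound: <ip> POST /xmlrpc.php ...
    r"pound: <HOST> POST /xmlrpc\.php",
]


def compile_failregex(pattern):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def strip_date(line):
    """Remove the matched timestamp and keep the rest of the line untouched.

    Note that the space that followed the timestamp survives, so a failregex
    starting with ^<HOST> sees a leading space, not a host token (assumption
    about fail2ban 0.8 behaviour, see the lead-in).
    """
    m = SYSLOG_DATE.match(line)
    if not m:
        return line
    return line[:m.start()] + line[m.end():]


def find_hosts(lines, patterns):
    """Return the <host> captured for every line that matches any failregex."""
    regexes = [compile_failregex(p) for p in patterns]
    hits = []
    for line in lines:
        log_line = strip_date(line.rstrip("\n"))
        for rx in regexes:
            m = rx.search(log_line)
            if m:
                hits.append(m.group("host"))
                break
    return hits


def hosts_to_ban(hits, maxretry):
    """Apply the jail's maxretry: hosts seen at least maxretry times get banned."""
    counts = Counter(hits)
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("original failregex:", find_hosts(SAMPLE_LOG, ORIGINAL_FAILREGEX))
    hits = find_hosts(SAMPLE_LOG, FIXED_FAILREGEX)
    print("fixed failregex:   ", hits)
    print("banned (maxretry=2):", hosts_to_ban(hits, 2))
```

To use the three fixed patterns in the real filter, list them as a multi-line `failregex` in `filter.d/xmlrpc.conf` (each continuation line indented, `<HOST>` left as the literal placeholder) and re-run `fail2ban-regex /var/log/pound.log /etc/fail2ban/filter.d/xmlrpc.conf` to confirm the match count is no longer zero before enabling the jail.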