
I am trying to create a custom rule to ban users who attempt to log in too many times. The trigger is the word "CheckLogin" in the Apache log file.

Log extract:

[03/Mar/2016:19:38:24 -0600] 186.77.136.133 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /CheckLogin HTTP/1.1" -
[03/Mar/2016:19:38:24 -0600] 186.77.136.133 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /Login?nok=badpassword HTTP/1.1" 10570
[03/Mar/2016:19:38:27 -0600] 186.77.136.133 TLSv1.2 ECDHE-RSA-AES128-

Current filter, /etc/fail2ban/filter.d/test.conf:

[INCLUDES]
[Definition]
failregex = ^<HOST> -.*"(GET|POST|HEAD).*CheckLogin".*$
ignoreregex =

Current jail.local:

# detect password authentication failures
[test-auth-ssl]
enabled  = true
port     = https
filter   = test
logpath  = /var/log/apache2/ssl_request_log
maxretry = 3
bantime  = 36000  ; 10 hrs
findtime = 360   ; 


[test-auth]
enabled  = true
port     = http
filter   = test
logpath  = /var/log/apache2/access_log
maxretry = 3
bantime  = 36000  ; 10 hrs
findtime = 360   ; 

It must be some tricky detail in the filter's failregex, but I have tried various options and none of them worked. I can restart fail2ban without errors, but the external IP I use for testing never gets banned (the trigger does not work).

Status for the jail: test-auth-ssl
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

1 Answer


Got it!

Playing around with fail2ban-regex, I finally found the solution.

/etc/fail2ban/filter.d/test.conf 
[INCLUDES]
[Definition]
failregex =  <HOST> .*CheckLogin.*$
ignoreregex = 

Also, in jail.local I had to add backend = auto, because by default it uses systemd.

Answered 2016-03-04T03:54:31.893
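The following script is an added example, not code from the question or the answer: it replays both failregex patterns from this thread against the log lines in the question the way fail2ban does, so the difference is visible without touching a live server. It assumes the 0.9-era behaviour of fail2ban, namely that `<HOST>` is expanded to the group `(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)`, that the matched timestamp is cut out of the line before the failregex is applied (which leaves a leading space where `[03/Mar/2016:...]` used to be), and that the pattern is applied with `re.search`. Under those assumptions the original `^<HOST> -` pattern cannot match for two reasons: nothing in the stripped line is at position 0 except a space, and the ssl_request_log format has no ` -` after the address. The third sample line (10.0.0.5, a static asset) is constructed here to show that the patterns do not fire on unrelated traffic. It also goes one step beyond the answer with a tighter pattern, named `TIGHTER_FAILREGEX` and not from the page, that keys on the `/Login?nok=badpassword` redirect the question's own log shows after a failed attempt, because `POST /CheckLogin` is also logged for successful logins.

```python
import re

# Sample input: the first two lines are copied from the question's log extract;
# the third is constructed for this example and should never match.
SAMPLE_LINES = [
    '[03/Mar/2016:19:38:24 -0600] 186.77.136.133 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /CheckLogin HTTP/1.1" -',
    '[03/Mar/2016:19:38:24 -0600] 186.77.136.133 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /Login?nok=badpassword HTTP/1.1" 10570',
    '[03/Mar/2016:19:38:27 -0600] 10.0.0.5 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /static/logo.png HTTP/1.1" 2048',
]

# Assumption: this is what fail2ban 0.9 substitutes for <HOST> before compiling.
HOST_RE = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)'

# The bracketed Apache timestamp that fail2ban's date detector recognises.
DATE_RE = re.compile(r'\[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\]')

# Pattern from the question (never matches) and from the answer (matches).
ORIGINAL_FAILREGEX = r'^<HOST> -.*"(GET|POST|HEAD).*CheckLogin".*$'
FIXED_FAILREGEX = r'<HOST> .*CheckLogin.*$'
# Hypothetical tighter pattern (not from the page): only the bad-password redirect.
TIGHTER_FAILREGEX = r'<HOST> .*"GET /Login\?nok=badpassword HTTP/[\d.]+".*$'


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace('<HOST>', HOST_RE))


def strip_date(line):
    """Model fail2ban 0.9: the matched timestamp is removed from the line
    before failregex runs, so the remainder starts with the space that
    followed the closing bracket."""
    m = DATE_RE.search(line)
    if not m:
        return line
    return line[:m.start()] + line[m.end():]


def matching_hosts(failregex, lines):
    """Return the <host> captured from every line the failregex matches,
    in log order. An empty list means the jail would never count a failure."""
    rx = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = rx.search(strip_date(line))
        if m:
            hosts.append(m.group('host'))
    return hosts


if __name__ == '__main__':
    for name, failregex in [('original', ORIGINAL_FAILREGEX),
                            ('fixed', FIXED_FAILREGEX),
                            ('tighter', TIGHTER_FAILREGEX)]:
        print(f'{name:9s} -> {matching_hosts(failregex, SAMPLE_LINES)}')
```

On a real host the equivalent check is `fail2ban-regex /var/log/apache2/ssl_request_log /etc/fail2ban/filter.d/test.conf`, which reports how many lines matched and which date pattern was detected; if the date is not detected, the timestamp is not stripped and the behaviour modelled in `strip_date` does not apply.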