我在 docker 容器中使用 nginx,我可以轻松地与主机共享我的 nginx docker 容器上的日志文件。日志在上面并在/var/log/nginx文件夹上工作。
我已经在主机上安装了 fail2ban 来检查日志文件,特别是access.log.
我测试一个简单的过滤器
# Fail2Ban configuration file
# Author: Miniwark
[Definition]
failregex = ^<HOST> .*"GET .*w00tw00t
# try to access to admin directory
^<HOST> .*"GET .*admin.* 403
^<HOST> .*"GET .*admin.* 404
# try to access to install directory
^<HOST> .*"GET .*install.* 404
# try to access to phpmyadmin
^<HOST> .*"GET .*dbadmin.* 404
^<HOST> .*"GET .*myadmin.* 404
^<HOST> .*"GET .*MyAdmin.* 404
^<HOST> .*"GET .*mysql.* 404
^<HOST> .*"GET .*websql.* 404
^<HOST> .*"GET \/pma\/.* 404
# try to access to wordpress (we use another CMS)
^<HOST> .*"GET .*wp-content.* 404
^<HOST> .*"GET .*wp-login.* 404
# try to access to typo3 (we use another CMS)
^<HOST> .*"GET .*typo3.* 404
# try to access to tomcat (we do not use it)
^<HOST> .*"HEAD .*manager.* 404
# try to access various strange scripts and malwares
^<HOST> .*"HEAD .*blackcat.* 404
^<HOST> .*"HEAD .*sprawdza.php.* 404
ignoreregex =
我很容易激活它/etc/fail2ban/jail.local
[nginx-nokiddies]
# ban script kiddies
enabled = true
port = http,https
filter = nginx-nokiddies
logpath = /var/log/nginx*/*access.log
maxretry = 1
我重新启动/停止/启动/重新加载 fail2ban 服务。然后我测试这个正则表达式
fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-nokiddies.conf
它匹配数千行,尤其是任何管理员请求。
主要问题是fail2ban 不能自动工作,所以不像以前那样发送邮件。事实上,当我直接在主机上使用 nginx 安装时,它可以完美运行。
日志采用基本格式,称为“组合”格式,如下所示:
log_format combined '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
没有权限问题,因为我的 nginx 容器及其子容器是完全权限(777),当然,我当然会更改它!
为什么 fail2ban 进程不禁止 ip 并且与 docker 不匹配?