1

我正在使用fail2ban 尝试阻止任何获得多次失败登录的IP,失败的登录在我们的应用程序日志中记录为“/login.html?success=no”。

所以我创建了一个fail2ban .conf,但我无法让它找到任何匹配项,但是当我使用这个站点时,它会突出显示该行。我的 .conf 看起来像这样:

[Definition]

failregex = .*<HOST>.*login\.html\?success=no

ignoreregex =

但是当我运行“fail2ban-regex”来测试它时,它没有找到任何匹配项:

fail2ban-regex test.log /etc/fail2ban/filter.d/nginx-test.conf

Results

=======

Failregex: 0 total

Ignoreregex: 0 total

我正在使用的日志文件如下所示:

|  2017/10/03 10:11:53 [error] 14870#14870: *51 access forbidden by rule, client: 1.2.3.4, server: example.com, request: "GET /robots.txt HTTP/1.1", host: "example.com"
|  2017/10/03 10:11:53 [warn] 14870#14870: *50 delaying request, excess: 0.545, by zone "base", client: 1.2.3.4, server: example.com, request: "GET /login.html?success=no HTTP/1.1", host: "example.com", referrer: "https://example.com/"
4

1 回答 1

1

我的正则表达式需要是:

.*client: <HOST>.*request: "GET \/login\.html\?success=no HTTP/1.1"

感谢@melpomene 为我指明了正确的方向,我<HOST>什至没有指向 IP。

于 2017-10-03T15:42:43.247 回答