1

我正在尝试将 fail2ban 与 MYSQL 5.7.19 一起使用

error.log 显示如下条目:

2017-10-03T19:17:45.014850Z 127207 [Note] Access denied for user 'trafic'@'localhost' (using password: YES)
2017-10-03T19:17:46.222136Z 127209 [Note] Access denied for user 'user'@'localhost' (using password: YES)
2017-10-03T19:17:47.440388Z 127211 [Note] Access denied for user 'user'@'localhost' (using password: YES)
2017-10-03T19:17:48.625799Z 127213 [Note] Access denied for user 'wordpress'@'localhost' (using password: YES)
2017-10-03T19:17:49.849088Z 127219 [Note] Access denied for user 'root'@'localhost' (using password: YES)

error.log 中既没有捕获任何 IP,也没有显示为警告,而是记录为[note]

我已经设置log-warnings =2mysqld.cnf

谢谢。

更新:我从 mysql error.log 这些日志来自同一个 ip 超过 20 次。

2017-10-04T14:35:45.932144Z 218879 [Note] Access denied for user 'root'@'123.129.218.64' (using password: YES)
2017-10-04T14:35:46.551180Z 218881 [Note] Access denied for user 'root'@'123.129.218.64' (using password: YES)
2017-10-04T14:35:47.169756Z 218882 [Note] Access denied for user 'root'@'123.129.218.64' (using password: YES)

我的fail2ban过滤器代码是这样的:

[Definition]

_daemon = mysqld

failregex = ^%(__prefix_line)s(\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[Warning\] Access denied for user '\w+'@'<HOST>' (to database '[^']*'|\(using password: (YES|N$

ignoreregex =

和 jail.conf 看起来像这样:

[mysql]
enabled = true
port = 3306
filter =  mysqld-auth
logpath = /var/log/mysql/error.log
maxretry = 3

但fail2ban 没有接受失败的尝试。

我还在浏览器中使用 PhpMyadmin 多次尝试错误的用户。所以它会自动添加localhost到用户,即使我正在远程尝试。

所以问题是我可以在 PhpMyadmin 中尝试无数次尝试失败而不会被禁止。

4

2 回答 2

5

如果 MySQL 不正常,您可以编辑您的 fail2ban 正则表达式 ( failregex) 以检测“注意”而不是“警告”

failregex = ^%(__prefix_line)s(\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[Warning\] Access denied for user '\w+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$

至:

failregex = ^%(__prefix_line)s(?:\d+ |\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[\w+\] Access denied for user '[^']+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$

您可以使用以下方法进行测试:

fail2ban-regex "2017-10-04T14:35:47.169756Z 218882 [Note] Access denied for user 'root'@'123.129.218.64' (using password: YES)" /etc/fail2ban/filter.d/mysqld-auth.conf

您将在输出中看到匹配项:

Lines: 1 lines, 0 ignored, 1 matched, 0 missed [processed in 0.00 sec]
于 2017-10-03T21:06:31.503 回答
0

根据安装在 Ubuntu 20.04 上的 MySql 8.0.28,以下工作正常:

失败正则表达式

位于/etc/fail2ban/filter.d/mysqld-auth.conf

failregex = ^(?:(?:\d{6}|\d{4}-\d{2}-\d{2})T\s?\d{1,2}:\d{2}:\d{2}\.\d*Z)?(?:\d+ )?.*Access denied for user '[^']+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$

MySQL 日志记录

请注意,MySql 日志记录有一点奇怪的行为 - 失败的尝试不会记录到log_error变量中定义的文件中,而只会记录到一般的日志文件中。

必须通过以下文件中的配置手动打开常规日志记录etc/mysql/mysql.conf.d/mysqld.cnf 

general_log_file        = /var/log/mysql/query.log
general_log             = 1

Fail2Ban 监狱

并完成监狱配置,位于/etc/fail2ban/jail.local

[mysqld-auth]
enabled  = true
port     = 3306
filter   = mysqld-auth
logpath  = /var/log/mysql/query.log
于 2022-01-25T16:43:25.537 回答