我有fail2ban和运行,但我的Failregex不匹配任何东西,有些事情是错误的。
要求禁止的请求如下所示:
186.6.65.199 - - [06/May/2013:18:46:21 +0400] "GET / HTTP/1.1" 200 10488 "coolsearch37845.com/b/eve/618aef08...... 186.6.65.199 - - [06/May/2013:18:46:21 +0400] "GET / HTTP/1.1" 200 10531 "liteapps.mcafee.com....... 186.6.65.199 - - [06/May/2013:18:46:21 +0400] "GET / HTTP/1.1" 200 10531 "jfueznxchgsef.pl...... 我到目前为止:
/etc/fail2ban/filter.d/apache-attackers.conf:
failregex = <HOST> - - [[^]]+] "GET / HTTP/1.1"
/etc/fail2ban/jail.local:
[apache-attackers] enabled = true port = http,https filter = apache-attackers bantime = 25920000 logpath = /var/www/mysite/log/access.log maxretry = 2 findtime = 1
当我做一个
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/apache-attackers.conf
我明白了
Failregex |- Regular expressions: | [1] <HOST> - - [[^]]+] "GET / HTTP/1.1" | `- Number of matches: [1] 0 match(es)
所以我的正则expression式失败,它不匹配任何东西。
我想在1秒内匹配任何请求“GET / HTTP / 1.1”两次或更多的IP。
我做错了什么?
由于[和]是正则expression式中的保留字符,因此您必须将其转义:
<HOST> - - [[^]]+] "GET / HTTP/1.1"
应该是这样的:
<HOST> - - \[[^]]+\] "GET / HTTP/1.1"
或这个:
<HOST> - - [[][^]]+[]] "GET / HTTP/1.1"