I'm having trouble getting fail2ban to check the nginx error log for failed HTTP authentication entries. Even though the supplied failregex works, fail2ban seems to skip the jail configuration.
I have already tried setting loglevel to 4, but there is no information at all about failures for the nginx jail. I also read that the timestamps in the log file must match the system time, which is of course the case.
The strange thing is that the other jail I set up (ssh) works perfectly. I'm out of ideas; maybe you have one. Here is hopefully all the information you need. Thanks.
fail2ban.conf
[Definition]
loglevel = 3
logtarget = /var/example/logs/fail2ban.log
socket = /var/run/fail2ban/fail2ban.sock
jail.conf
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 60
findtime = 600
maxretry = 3
backend = auto

[ssh-iptables]
enabled = true
filter = sshd
action = iptables-allports[name=SSH, protocol=all]
logpath = /var/log/auth.log

[nginx]
enabled = true
filter = nginx-auth
action = iptables-allports[name=nginx, protocol=all]
logpath = /var/example/logs/nginx-error.log
filter.d/nginx-auth.conf
[Definition]
failregex = no user/password was provided for basic authentication.*client: <HOST>
            user .* was not found in.*client: <HOST>
            user .* password mismatch.*client: <HOST>
ignoreregex =
fail2ban-regex /var/example/logs/nginx-error.log /var/example/config/fail2ban/filter.d/nginx-auth.conf
Running tests
=============

Use regex file : /var/example/config/fail2ban/filter.d/nginx-auth.conf
Use log file   : /var/example/logs/nginx-error.log

Results
=======

Failregex
|- Regular expressions:
|  [1] no user/password was provided for basic authentication.*client: <HOST>
|  [2] user .* was not found in.*client: <HOST>
|  [3] user .* password mismatch.*client: <HOST>
|
`- Number of matches:
   [1] 60 match(es)
   [2] 0 match(es)
   [3] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    192.168.153.1 (Fri Sep 02 14:07:54 2011)
    192.168.153.1 (Fri Sep 02 14:07:54 2011)
    192.168.153.1 (Fri Sep 02 14:07:55 2011)
    192.168.153.1 (Fri Sep 02 14:07:55 2011)
    192.168.153.1 (Fri Sep 02 14:07:55 2011)
    192.168.153.1 (Fri Sep 02 14:07:55 2011)
    192.168.153.1 (Fri Sep 02 14:07:56 2011)
    192.168.153.1 (Fri Sep 02 14:07:56 2011)
    192.168.153.1 (Fri Sep 02 14:07:56 2011)
    192.168.153.1 (Fri Sep 02 14:07:56 2011)
    192.168.153.1 (Fri Sep 02 14:07:56 2011)
    192.168.153.1 (Fri Sep 02 14:07:57 2011)
    192.168.153.1 (Fri Sep 02 14:07:57 2011)
    192.168.153.1 (Fri Sep 02 14:07:57 2011)
    192.168.153.1 (Fri Sep 02 14:07:57 2011)
    192.168.153.1 (Fri Sep 02 14:07:57 2011)
    192.168.153.1 (Fri Sep 02 14:07:58 2011)
    192.168.153.1 (Fri Sep 02 14:07:58 2011)
    192.168.153.1 (Fri Sep 02 14:07:58 2011)
    192.168.153.1 (Fri Sep 02 14:07:59 2011)
    192.168.153.1 (Fri Sep 02 14:07:59 2011)
    192.168.153.1 (Fri Sep 02 14:07:59 2011)
    192.168.153.1 (Fri Sep 02 14:07:59 2011)
    192.168.153.1 (Fri Sep 02 14:08:00 2011)
    192.168.153.1 (Fri Sep 02 14:08:00 2011)
    192.168.153.1 (Fri Sep 02 14:08:00 2011)
    192.168.153.1 (Fri Sep 02 14:08:01 2011)
    192.168.153.1 (Fri Sep 02 14:08:01 2011)
    192.168.153.1 (Fri Sep 02 14:08:01 2011)
    192.168.153.1 (Fri Sep 02 14:08:01 2011)
    192.168.153.1 (Fri Sep 02 14:08:01 2011)
    192.168.153.1 (Fri Sep 02 14:08:02 2011)
    192.168.153.1 (Fri Sep 02 14:08:02 2011)
    192.168.153.1 (Fri Sep 02 14:08:02 2011)
    192.168.153.1 (Fri Sep 02 14:08:02 2011)
    192.168.153.1 (Fri Sep 02 14:08:03 2011)
    192.168.153.1 (Fri Sep 02 14:08:03 2011)
    192.168.153.1 (Fri Sep 02 14:08:03 2011)
    192.168.153.1 (Fri Sep 02 14:08:03 2011)
    192.168.153.1 (Fri Sep 02 14:08:03 2011)
    192.168.153.1 (Fri Sep 02 14:08:04 2011)
    192.168.153.1 (Fri Sep 02 14:08:04 2011)
    192.168.153.1 (Fri Sep 02 14:08:05 2011)
    192.168.153.1 (Fri Sep 02 14:08:05 2011)
    192.168.153.1 (Fri Sep 02 14:08:05 2011)
    192.168.153.1 (Fri Sep 02 14:08:05 2011)
    192.168.153.1 (Fri Sep 02 14:08:05 2011)
    192.168.153.1 (Fri Sep 02 14:08:05 2011)
    192.168.153.1 (Fri Sep 02 14:08:08 2011)
    192.168.153.1 (Fri Sep 02 14:08:09 2011)
    192.168.153.1 (Fri Sep 02 14:08:10 2011)
    192.168.153.1 (Fri Sep 02 14:08:10 2011)
    192.168.153.1 (Fri Sep 02 14:08:10 2011)
    192.168.153.1 (Fri Sep 02 14:08:10 2011)
    192.168.153.1 (Fri Sep 02 14:08:11 2011)
    192.168.153.1 (Fri Sep 02 14:08:11 2011)
    192.168.153.1 (Fri Sep 02 14:08:11 2011)
    192.168.153.1 (Fri Sep 02 14:08:11 2011)
    192.168.153.1 (Fri Sep 02 14:08:12 2011)
    192.168.153.1 (Fri Sep 02 14:08:12 2011)
[2]
[3]

Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
240 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 60
I had the same problem; it turned out to be a timezone issue.
When syslogd/sshd started, I was on GMT, so /var/log/secure and /var/log/messages wrote their timestamps in GMT. Then I pinned tzdata to my local timezone and started fail2ban. Now fail2ban was confused, because all the events were 7 hours earlier than its own clock and therefore outside the "findtime" window.
The simple fix was just to restart syslogd and sshd so they pick up the new timezone. Now fail2ban bans like a champ.
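To see why the clock mismatch described in this answer leaves a host unbanned, here is an added example (not code from the original post or from fail2ban itself): it replays the question's nginx-auth failregex and jail settings (findtime 600, maxretry 3) over constructed nginx error-log lines, using a hand-written stand-in for fail2ban's <HOST> expansion, and reports how far the log timestamps lag behind the supplied "now".

```python
import re
from datetime import datetime, timedelta
# fail2ban substitutes its own host pattern for <HOST>; a simplified one is used here that
# stops at the comma following "client: <addr>" in nginx error lines.
FAILREGEX = [re.compile(p.replace("<HOST>", r"(?P<host>[\w\-.]+)")) for p in (
    r"no user/password was provided for basic authentication.*client: <HOST>",
    r"user .* was not found in.*client: <HOST>",
    r"user .* password mismatch.*client: <HOST>",
)]
TS_FMT = "%Y/%m/%d %H:%M:%S"        # nginx error.log prefix (the Year/Month/Day template hit above)
FINDTIME = timedelta(seconds=600)   # jail.conf: findtime = 600
MAXRETRY = 3                        # jail.conf: maxretry = 3

def parse_failure(line):
    """Return (timestamp, host) if the line matches one of the failregex lines, else None."""
    try:
        ts = datetime.strptime(line[:19], TS_FMT)
    except ValueError:              # no nginx-style timestamp prefix
        return None
    for rx in FAILREGEX:
        hit = rx.search(line)
        if hit:
            return ts, hit.group("host")
    return None

def replay(lines, now_str, findtime=FINDTIME, maxretry=MAXRETRY):
    """Count failures per host in the findtime window ending at now_str (same format as the log).
    Returns (banned_hosts, stale_failures, skew_seconds): stale_failures are matches older
    than findtime, skew_seconds is how far the newest matching line lags behind now."""
    now = datetime.strptime(now_str, TS_FMT)
    counts, stale, newest = {}, 0, None
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, host = parsed
        newest = ts if newest is None or ts > newest else newest
        if now - ts > findtime:
            stale += 1              # older than findtime: fail2ban discards it, so it never counts
            continue
        counts[host] = counts.get(host, 0) + 1
    banned = sorted(h for h, c in counts.items() if c >= maxretry)
    return banned, stale, int((now - newest).total_seconds()) if newest else 0

# Constructed sample lines in nginx error-log format (not taken from the post's log).
SAMPLE = [
    '2011/09/02 14:07:54 [error] 1234#0: *1 no user/password was provided for basic authentication, client: 192.168.153.1, server: localhost, request: "GET / HTTP/1.1"',
    '2011/09/02 14:07:55 [error] 1234#0: *2 user "bob" was not found in "/etc/nginx/htpasswd", client: 192.168.153.1, server: localhost',
    '2011/09/02 14:07:56 [error] 1234#0: *3 user "bob": password mismatch, client: 192.168.153.1, server: localhost',
]
```

With a "now" a couple of minutes after the log lines, replay() bans 192.168.153.1 after the third failure; with a "now" 7 hours later (the GMT/local mix-up above) every match is counted as stale and nothing is banned, which is the symptom described in the question.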
After compiling fail2ban from source, it works. It looks like the Debian fail2ban package I installed with apt-get was still a buggy development version.