fail2ban does not recognize failed public-key ssh logins. I think this could be fixed by changing the failregex in /etc/fail2ban/filter.d/sshd.config so that it matches the following line:
<date> <time> <server-hostname> sshd[25917]: Connection closed by <client-ip> [preauth]
But I cannot find a proper explanation of how to modify the failregex correctly. Since I don't know what variables such as ^%(__prefix_line)s contain, it is hard to come up with a working regular expression.
As far as I know the latest version, 0.9.1, contains the correct "Connection closed [preauth]" line, but I am using fail2ban from the Debian repositories and the 0.9.1 configuration is not compatible with the one I have.
This line does it:
^%(__prefix_line)sConnection closed by <HOST> \[preauth\]$
Tested with the following log string:
Apr 29 12:30:12 sendai sshd[25917]: Connection closed by 127.0.0.1 [preauth]
It passes the following test successfully:

$ fail2ban-regex ~/ssh.log sshd.conf

Running tests
=============

Use regex file : sshd.conf
Use log file : /home/user/ssh.log

Results
=======

Failregex
|- Regular expressions:
[...]
|  [12] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Connection closed by <HOST> \[preauth\]$
|
`- Number of matches:
[...]
   [12] 1 match(es)

Summary
=======

Addresses found:
[...]
[12]
    127.0.0.1 (Wed Apr 29 12:30:12 2015)
[..]

Success, the total number of match is 1
At least with openssh 7.3 the log message also contains a port number, so I had to change sebix's solution as follows:
^%(__prefix_line)sConnection closed by <HOST> port \d+ \[preauth\]$
This worked better for me, because I was getting a large number of legitimate log entries that matched the "Connection closed" regex, at least with OpenSSH version 6.6.1. I believe it also covers the new OpenSSH log format, which includes the "port":

^%(__prefix_line)sDid not receive identification string from <HOST>\s*$
^%(__prefix_line)sReceived disconnect from <HOST>: (port \d*: ){,1}11: (Bye Bye){,1} \[preauth\]\s*$

$ cat /etc/*relea* | grep -i desc
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"

$ fail2ban-regex /var/log/auth.log filter.d/sshd.conf

Running tests
=============

Use failregex file : filter.d/sshd.conf
Use log file : /var/log/auth.log

Results
=======

Failregex: 39 total
|- #) [# of hits] regular expression
|  12) [16] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Did not receive identification string from <HOST>\s*$
|  13) [23] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Received disconnect from <HOST>: (port \d*: ){,1}11: (Bye Bye){,1} \[preauth\]\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [62412] MONTH Day Hour:Minute:Second
`-

Lines: 62412 lines, 0 ignored, 39 matched, 62373 missed
Missed line(s):: too many to print.  Use --print-all-missed to print all 62373 lines

$ grep "Did not receive identification string from" /var/log/auth.log | wc -l
16
$ grep "Received disconnect from" /var/log/auth.log | grep -v xxxx | wc -l
23