fail2ban not matching xmlrpc

I have added an xmlrpc jail to fail2ban to prevent ongoing attacks. The apache access.log is as follows…

    191.96.249.80 - - [16/Dec/2016:14:54:21 +0000] "POST /xmlrpc.php HTTP/1.0" 403 469 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.80 - - [16/Dec/2016:14:54:21 +0000] "POST /xmlrpc.php HTTP/1.0" 403 469 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.80 - - [16/Dec/2016:14:54:21 +0000] "POST /xmlrpc.php HTTP/1.0" 403 469 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.80 - - [16/Dec/2016:14:54:22 +0000] "POST /xmlrpc.php HTTP/1.0" 403 469 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

And my fail2ban filter definition is as follows…

    [Definition]
    failregex = ^<HOST> .*POST .*xmlrpc\.php.*
    ignoreregex =

This doesn't seem to be matching, as xmlrpc does not appear in the fail2ban log, but fail2ban does not report the jail as active.

My jail is set up like this in my jail.conf file

    [xmlrpc]
    enabled = true
    filter = xmlrpc
    action = iptables[name=xmlrpc, port=http, protocol=tcp]
    logpath = /var/log/apache2/access.log
    bantime = 43600
    maxretry = 0

Does anyone have any idea why it might not be matching?

I finally figured this out. It turns out I was missing the port definition in the xmlrpc jail setup.

    [xmlrpc]
    enabled = true
    filter = xmlrpc
    port = http,https
    action = iptables[name=xmlrpc, port=http, protocol=tcp]
    logpath = /var/log/apache2/access.log
    bantime = 43600
    maxretry = 0

Works perfectly now.
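
An offline check of the posted failregex against access-log lines, as an added example that is not part of the original post or of fail2ban itself. `HOST_GROUP` is a simplified stand-in for fail2ban's `<HOST>` tag, `STRICT_REGEX` is a hypothetical tighter variant, the harness matches raw lines without fail2ban's own date handling, and every sample line except the first is constructed.

```python
import re

# failregex exactly as posted in the question.
FAILREGEX = r"^<HOST> .*POST .*xmlrpc\.php.*"
# Hypothetical tighter variant: the first quoted field must be the POST request.
STRICT_REGEX = r'^<HOST> [^"]*"POST /xmlrpc\.php'

# Simplified stand-in for fail2ban's <HOST> tag (assumption, not its real expansion).
HOST_GROUP = r"(?P<host>[\w.:-]+)"


def matched_hosts(failregex, lines):
    """Return the captured host of every line the filter matches, in order."""
    rx = re.compile(failregex.replace("<HOST>", HOST_GROUP))
    return [m.group("host") for m in map(rx.search, lines) if m]


SAMPLE = [
    # Taken from the access.log excerpt in the question.
    '191.96.249.80 - - [16/Dec/2016:14:54:21 +0000] "POST /xmlrpc.php HTTP/1.0" '
    '403 469 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"',
    # Constructed: a GET whose Referer field merely contains the text.
    '198.51.100.9 - - [16/Dec/2016:14:55:02 +0000] "GET /index.php HTTP/1.1" '
    '200 5120 "POST /xmlrpc.php" "Mozilla/5.0"',
    # Constructed: ordinary page view.
    '203.0.113.7 - - [16/Dec/2016:14:55:10 +0000] "GET /index.php HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for name, rx in (("posted", FAILREGEX), ("strict", STRICT_REGEX)):
        print(name, matched_hosts(rx, SAMPLE))
```

The posted filter does match the logged request, so the regex was not what kept the jail from working; it also matches the constructed GET line, which the tighter variant rejects. Any filter change should be validated with `fail2ban-regex` against the real log before it is deployed.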