当请求来自powershell攻击时,fail2ban规则不起作用

我有一个情况,来自摩尔多瓦的一些知识产权每天都会发现我的基本身份validation凭借某种types的蛮力攻击。

但是我有一个规则fail2ban应该避免这种情况。 当我尝试使用VPN时,它会起作用。

三次尝试后触发fail2ban的请求示例。 我的要求

2016/07/14 15:10:54 [error] 13937#0: *55700 user "engineer" was not found in "/usr/local/nginx/.htpasswd", client: 146.185.31.214, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt" 

问题是,来自黑客IP的请求不会触发fail2ban,我不知道为什么。 唯一的区别是referrer:你可以看到。

 2016/07/14 01:54:31 [error] 13913#0: *42558 user "engineer" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/ 

 /etc/fail2ban/filter.d/nginx-http-auth.conf [Definition] failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$ ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$ ignoreregex = 

 [nginx-http-auth] enabled = true filter = nginx-http-auth port = http,https logpath = /usr/local/nginx/localhost-error.log maxretry = 3 

所以问题是为什么我的请求触发规则,并且攻击者的请求不是?

日志摘录:

 2016/07/14 01:54:27 [error] 13917#0: *42529 user "mts" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/" 2016/07/14 01:54:27 [error] 13917#0: *42530 user "mts" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/" 2016/07/14 01:54:28 [error] 13917#0: *42531 user "telecomadmin" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/" 2016/07/14 01:54:28 [error] 13917#0: *42532 user "telecomadmin" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/" 2016/07/14 01:54:28 [error] 13917#0: *42533 user "mgts" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/" 2016/07/14 01:54:28 [error] 13917#0: *42534 user "mgts" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/" 2016/07/14 01:54:28 [error] 13917#0: *42535 user "admin" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/" 2016/07/14 01:54:28 [error] 13917#0: *42536 user "admin" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/" 2016/07/14 01:54:29 [error] 13917#0: *42539 user "kyivstar" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/" 

不知道下面它对你来说是否通用(如果是的话,请相应地发表评论),但是你给定的正则expression式不匹配攻击者生成的日志host: ...值,特别是/里面的。

你可以试试这个:

 failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: ".*"$ ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: ".*"$