Fail2ban

Fail2ban filter for MongoDB

  • August 11, 2021

Fail2Ban version: 0.10.2

I have tried many filter configuration files for MongoDB remote authentication failures, but none of them worked. I think the problem is with the failregex; I cannot come up with the correct regular expression.

{"$date":"2021-08-10T17:27:13.498+05:30"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn187","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","speculative":true,"principalName":"Admin","authenticationDatabase":"admin","remote":"123.456.789.123:60054","extraInfo":{},"error":"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch"}}

This is the mongo log line I get on a failed attempt. I have tried using <HOST> and <ADDR> in the regex, but <HOST> gives 0.0.0.0 and <ADDR> gives 3:6005 (the last digit of the IP and the 4 digits of the port).

What is the correct regular expression to filter this log?

Regexes I have tried:

^(.*Authentication failed.*)|(.*<ADDR>.*)|$
^(.*Authentication failed.*)|(.*<HOST>.*)|$
  1. https://github.com/fail2ban/fail2ban/issues/2932
  2. https://github.com/fail2ban/fail2ban/issues/3046

In short:

[Definition]

datepattern = ^\{"t":\{"\$date":"%%Y-%%m-%%dT%%H:%%M:%%S\.%%f%%z"}\s*,\s*
_groupre = (?:"(?!(?:msg|attr|client|remote)\b)\w+":(?:"[^"]+"|\w+)\s*[,\}]\s*)
failregex = ^%(_groupre)s*"msg":"Authentication failed"\s*,\s*%(_groupre)s*"attr"\s*:\s*\{%(_groupre)s*"(?:client|remote)":"<ADDR>:\d+"
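Added example (not part of the answer above and not Fail2ban's own code): a small Python emulation of how fail2ban applies this definition. It expands the INI `%%` escapes and the `%(_groupre)s` interpolation, substitutes the `<ADDR>` tag, cuts the matched datepattern prefix from each line and then runs the failregex on the remainder, over two constructed MongoDB JSON log lines (one failed login, one successful). The `<ADDR>` expansion is simplified to an IPv4 literal and the strptime-token mapping is a hand-written approximation; both are assumptions, fail2ban's real `<ADDR>` also covers IPv6.

```python
import re

# Filter definition as posted in the answer (INI text: %% is the INI-escaped
# percent sign, %(_groupre)s is INI interpolation).
DATEPATTERN = r'^\{"t":\{"\$date":"%%Y-%%m-%%dT%%H:%%M:%%S\.%%f%%z"}\s*,\s*'
GROUPRE = r'(?:"(?!(?:msg|attr|client|remote)\b)\w+":(?:"[^"]+"|\w+)\s*[,\}]\s*)'
FAILREGEX = (r'^%(_groupre)s*"msg":"Authentication failed"\s*,\s*%(_groupre)s*'
             r'"attr"\s*:\s*\{%(_groupre)s*"(?:client|remote)":"<ADDR>:\d+"')

# Assumption: fail2ban's <ADDR> tag approximated as an IPv4 literal only.
ADDR = r'(?P<addr>\d{1,3}(?:\.\d{1,3}){3})'
# Assumption: hand-written regex equivalents of the strptime tokens used above.
DATE_TOKENS = {"%Y": r"\d{4}", "%m": r"\d{2}", "%d": r"\d{2}", "%H": r"\d{2}",
               "%M": r"\d{2}", "%S": r"\d{2}", "%f": r"\d+",
               "%z": r"[+-]\d{2}:?\d{2}"}

# Constructed sample lines (not from the page); RFC 5737 documentation IPs.
LOG_LINES = [
    '{"t":{"$date":"2021-08-10T17:27:13.498+05:30"},"s":"I",  "c":"ACCESS",   '
    '"id":20249,   "ctx":"conn187","msg":"Authentication failed","attr":'
    '{"mechanism":"SCRAM-SHA-256","speculative":true,"principalName":"Admin",'
    '"authenticationDatabase":"admin","remote":"203.0.113.7:60054","extraInfo":{},'
    '"error":"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch"}}',
    '{"t":{"$date":"2021-08-10T17:28:01.002+05:30"},"s":"I",  "c":"ACCESS",   '
    '"id":20250,   "ctx":"conn188","msg":"Authentication succeeded","attr":'
    '{"mechanism":"SCRAM-SHA-256","principalName":"Admin",'
    '"authenticationDatabase":"admin","remote":"198.51.100.9:60055"}}',
]


def build_regexes():
    """Expand INI escapes, interpolation and the <ADDR> tag into Python regexes."""
    date = DATEPATTERN.replace("%%", "%")
    for token, pattern in DATE_TOKENS.items():
        date = date.replace(token, pattern)
    fail = (FAILREGEX % {"_groupre": GROUPRE}).replace("<ADDR>", ADDR)
    return re.compile(date), re.compile(fail)


def failed_auth_hosts(lines):
    """Return the remote IPs of lines the filter matches: the datepattern
    prefix is cut from the line first, then failregex is anchored at ^."""
    date_re, fail_re = build_regexes()
    hosts = []
    for line in lines:
        stamp = date_re.match(line)
        if not stamp:
            continue  # no timestamp prefix, so the anchored failregex cannot bind
        hit = fail_re.match(line[stamp.end():])
        if hit:
            hosts.append(hit.group("addr"))
    return hosts
```

The authoritative check remains `fail2ban-regex` against the real log file and filter, e.g. `fail2ban-regex /var/log/mongodb/mongod.log /etc/fail2ban/filter.d/mongodb.conf` (both paths are assumed).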

Quoted from: https://serverfault.com/questions/1074093