Fail2Ban not working for the http-get-dos filter
So when I test it, everything seems to work, but fail2ban fails to ban, or even see, any IP address in the access log.
Here is my setup:
In jail.local I have:
```
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/httpd/access_log
maxretry = 10
findtime = 120
bantime = -1
action = iptables[name=HTTP, port=http, protocol=tcp]
```
In http-get-dos.conf I have:
```
[Definition]
failregex = ^<HOST> -.*\"(GET|POST).*
ignoreregex =
```
Running `fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/http-get-dos.conf` I get:
```
Running tests
=============

Use   failregex filter file : http-get-dos, basedir: /etc/fail2ban
Use         log file : /var/log/httpd/access_log
Use         encoding : UTF-8


Results
=======

Failregex: 3586 total
|-  #) [# of hits] regular expression
|   1) [3586] ^<HOST> -.*\"(GET|POST).*
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [3601] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 3601 lines, 0 ignored, 3586 matched, 15 missed
[processed in 0.38 sec]

|- Missed line(s):
|  77.72.83.87 - - [13/Jan/2019:11:01:23 +0000] "\x03" 400 226 "-" "-"
|  122.112.227.18 - - [13/Jan/2019:12:34:51 +0000] "PROPFIND / HTTP/1.1" 405 236 "-" "-"
|  181.22.180.152 - - [14/Jan/2019:17:56:08 +0000] "-" 408 - "-" "-"
|  89.248.172.90 - - [14/Jan/2019:22:40:15 +0000] "-" 408 - "-" "-"
|  89.248.172.90 - - [14/Jan/2019:22:40:35 +0000] "-" 408 - "-" "-"
|  103.105.59.124 - - [15/Jan/2019:00:44:14 +0000] "PROPFIND / HTTP/1.1" 405 236 "-" "-"
|  118.89.138.232 - - [15/Jan/2019:05:12:34 +0000] "PROPFIND / HTTP/1.1" 405 236 "-" "-"
|  66.240.205.34 - - [15/Jan/2019:23:48:20 +0000] "Gh0st\xad" 400 226 "-" "-"
|  129.204.78.36 - - [16/Jan/2019:05:57:50 +0000] "PROPFIND / HTTP/1.1" 405 236 "-" "-"
|  104.128.144.131 - - [16/Jan/2019:19:06:23 +0000] "HEAD /redirect.php HTTP/1.0" 404 - "-" "www.probethenet.com scanner"
|  59.36.132.222 - - [16/Jan/2019:20:42:28 +0000] "CONNECT www.baidu.com:443 HTTP/1.1" 301 229 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36"
|  123.200.24.163 - - [17/Jan/2019:08:46:30 +0000] "PROPFIND / HTTP/1.1" 405 236 "-" "-"
|  79.115.160.167 - - [17/Jan/2019:22:36:03 +0000] "-" 408 - "-" "-"
|  ::1 - - [17/Jan/2019:23:08:46 +0000] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) PHP/7.2.13 (internal dummy connection)"
|  79.115.160.167 - - [17/Jan/2019:23:11:51 +0000] "-" 408 - "-" "-"
```
`tail fail2ban.log -f`; I also restarted fail2ban so you can see what happens:
```
2019-01-18 00:23:40,655 fail2ban.filter         [15412]: INFO    Set findtime = 120
2019-01-18 00:23:40,667 fail2ban.jail           [15412]: INFO    Jail 'sshd' started
2019-01-18 00:23:40,668 fail2ban.filtersystemd  [15412]: NOTICE  Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2019-01-18 00:23:40,673 fail2ban.jail           [15412]: INFO    Jail 'http-get-dos' started
2019-01-18 00:23:40,773 fail2ban.actions        [15412]: NOTICE  [sshd] Ban 124.93.228.42
2019-01-18 00:25:22,970 fail2ban.filter         [15412]: INFO    [sshd] Found 129.204.34.155
2019-01-18 00:27:35,921 fail2ban.filter         [15412]: INFO    [sshd] Found 212.237.8.162
2019-01-18 00:27:49,936 fail2ban.filter         [15412]: INFO    [sshd] Found 142.93.190.223
2019-01-18 00:33:00,711 fail2ban.filter         [15412]: INFO    [sshd] Found 106.12.203.146
2019-01-18 00:33:23,489 fail2ban.filter         [15412]: INFO    [sshd] Found 69.194.44.230
2019-01-18 00:35:25,864 fail2ban.server         [15412]: INFO    Stopping all jails
2019-01-18 00:35:26,700 fail2ban.actions        [15412]: NOTICE  [sshd] Unban 124.93.228.42
2019-01-18 00:35:26,925 fail2ban.jail           [15412]: INFO    Jail 'sshd' stopped
2019-01-18 00:35:27,915 fail2ban.jail           [15412]: INFO    Jail 'http-get-dos' stopped
2019-01-18 00:35:27,919 fail2ban.server         [15412]: INFO    Exiting Fail2ban
2019-01-18 00:35:28,106 fail2ban.server         [15592]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.7
2019-01-18 00:35:28,107 fail2ban.database       [15592]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2019-01-18 00:35:28,110 fail2ban.jail           [15592]: INFO    Creating new jail 'sshd'
2019-01-18 00:35:28,129 fail2ban.jail           [15592]: INFO    Jail 'sshd' uses systemd {}
2019-01-18 00:35:28,144 fail2ban.jail           [15592]: INFO    Initiated 'systemd' backend
2019-01-18 00:35:28,145 fail2ban.filter         [15592]: INFO    Set maxRetry = 5
2019-01-18 00:35:28,146 fail2ban.filter         [15592]: INFO    Set jail log file encoding to UTF-8
2019-01-18 00:35:28,146 fail2ban.actions        [15592]: INFO    Set banTime = -1
2019-01-18 00:35:28,146 fail2ban.filter         [15592]: INFO    Set findtime = 600
2019-01-18 00:35:28,146 fail2ban.filter         [15592]: INFO    Set maxlines = 10
2019-01-18 00:35:28,203 fail2ban.filtersystemd  [15592]: INFO    Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2019-01-18 00:35:28,210 fail2ban.jail           [15592]: INFO    Creating new jail 'http-get-dos'
2019-01-18 00:35:28,210 fail2ban.jail           [15592]: INFO    Jail 'http-get-dos' uses systemd {}
2019-01-18 00:35:28,211 fail2ban.jail           [15592]: INFO    Initiated 'systemd' backend
2019-01-18 00:35:28,212 fail2ban.filter         [15592]: INFO    Set maxRetry = 10
2019-01-18 00:35:28,212 fail2ban.filter         [15592]: INFO    Set jail log file encoding to UTF-8
2019-01-18 00:35:28,213 fail2ban.actions        [15592]: INFO    Set banTime = -1
2019-01-18 00:35:28,213 fail2ban.filter         [15592]: INFO    Set findtime = 120
2019-01-18 00:35:28,222 fail2ban.filter         [15592]: INFO    [sshd] Found 212.237.8.162
2019-01-18 00:35:28,224 fail2ban.filter         [15592]: INFO    [sshd] Found 142.93.190.223
2019-01-18 00:35:28,229 fail2ban.filter         [15592]: INFO    [sshd] Found 106.12.203.146
2019-01-18 00:35:28,232 fail2ban.filter         [15592]: INFO    [sshd] Found 69.194.44.230
2019-01-18 00:35:28,238 fail2ban.jail           [15592]: INFO    Jail 'sshd' started
2019-01-18 00:35:28,239 fail2ban.filtersystemd  [15592]: NOTICE  Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2019-01-18 00:35:28,242 fail2ban.jail           [15592]: INFO    Jail 'http-get-dos' started
2019-01-18 00:35:28,355 fail2ban.actions        [15592]: NOTICE  [sshd] Ban 124.93.228.42
```
`fail2ban-client status` and `fail2ban-client status http-get-dos`:
```
Status
|- Number of jail:      2
`- Jail list:   http-get-dos, sshd

|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
```
So from everything I can see it seems to be working, the sshd filter is definitely working, but this http-get-dos filter does not work at all, even though I get no problems when I run `fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/http-get-dos.conf`.
I am using CentOS 7 on DigitalOcean with Fail2Ban v0.9.7, and I also changed the backend to systemd in jail.local: `backend = systemd`
Does anyone know why this is not working? Upgrading to Fail2ban v0.11.0.dev3 gives the same problem.
> I also changed the backend to systemd in jail.local: `backend = systemd`
Well, this may be the reason: if you configured the systemd backend, fail2ban will monitor the systemd journal (instead of the log file).
Just try to reconfigure it for the jails whose service logs to a log file:
```
[http-get-dos]
backend = auto
```
By the way, a permanent ban after 10 requests within 2 minutes seems very harsh to me, especially since it appears to catch every request (I do not see anything in your regex covering the status code, like `[45]0\d`).
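To make the answer's second point concrete, here is an added example (not code from the question, the answer, or the fail2ban project) that replays the matching a jail would do. It expands fail2ban's `<HOST>` placeholder, applies the question's `failregex` and a status-code-restricted variant using the answer's `[45]0\d` idea to a few constructed Apache `access_log` lines, and then applies `maxretry`/`findtime` per host. The IPv4-only `<HOST>` expansion, the sample IPs and the timestamps are assumptions made for the example (fail2ban's real `<HOST>` pattern also matches IPv6 addresses and hostnames); it does not model the backend choice, which is the config fix above.

```python
"""Added example: replay fail2ban-style failregex matching over constructed
Apache combined-log lines and apply maxretry/findtime the way a jail does.
The log lines, IPs, timestamps and the IPv4-only <HOST> expansion are
assumptions made for this example, not fail2ban's own code.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban replaces <HOST> with a host-matching group; an IPv4-only
# approximation is used here (the real pattern also covers IPv6 and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The question's filter: matches every GET/POST, regardless of status code.
FAILREGEX_ALL = r'^<HOST> -.*\"(GET|POST).*'
# The answer's suggestion applied: only count requests answered with 40x/50x.
FAILREGEX_4XX5XX = r'^<HOST> -.*\"(GET|POST)[^"]*\" [45]0\d '

# Apache combined-log timestamp, e.g. [18/Jan/2019:00:30:05 +0000]
DATE_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

# Constructed sample log: one normal visitor, one scanner, one non-GET client.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Jan/2019:00:30:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Jan/2019:00:30:01 +0000] "GET /style.css HTTP/1.1" 200 1422 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Jan/2019:00:30:01 +0000] "GET /app.js HTTP/1.1" 200 9981 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Jan/2019:00:30:05 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "python-requests/2.21"
198.51.100.7 - - [18/Jan/2019:00:30:06 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "python-requests/2.21"
198.51.100.7 - - [18/Jan/2019:00:30:06 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "python-requests/2.21"
198.51.100.7 - - [18/Jan/2019:00:33:00 +0000] "GET /.env HTTP/1.1" 404 209 "-" "python-requests/2.21"
192.0.2.55 - - [18/Jan/2019:00:31:00 +0000] "PROPFIND / HTTP/1.1" 405 236 "-" "-"
192.0.2.55 - - [18/Jan/2019:00:31:02 +0000] "-" 408 - "-" "-"
"""


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> as fail2ban does and compile the resulting pattern."""
    return re.compile(failregex.replace("<HOST>", HOST))


def parse_time(line: str) -> datetime:
    """Extract the request timestamp (zone offset ignored; all lines are +0000)."""
    m = DATE_RE.search(line)
    if m is None:
        raise ValueError("no timestamp in line: %r" % line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")


def matches(failregex: str, log: str) -> list:
    """Return (host, timestamp) for every log line the failregex matches."""
    pat = compile_failregex(failregex)
    hits = []
    for line in log.splitlines():
        m = pat.search(line)
        if m:
            hits.append((m.group("host"), parse_time(line)))
    return hits


def hosts_to_ban(failregex: str, log: str, maxretry: int = 10, findtime: int = 120) -> list:
    """Jail logic: ban a host once it reaches maxretry hits inside a findtime window.

    Like fail2ban, hits older than findtime seconds (relative to the newest hit)
    are discarded before the count is compared against maxretry.
    """
    hits = sorted(matches(failregex, log), key=lambda h: h[1])
    window = defaultdict(list)
    banned = []
    for host, ts in hits:
        w = window[host]
        w.append(ts)
        while w and (ts - w[0]) > timedelta(seconds=findtime):
            w.pop(0)  # expired hit, outside the findtime window
        if len(w) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    for name, rx in (("question's regex", FAILREGEX_ALL), ("4xx/5xx-only regex", FAILREGEX_4XX5XX)):
        hits = matches(rx, SAMPLE_LOG)
        print("%s: %d hits, banned with maxretry=3/findtime=120: %s"
              % (name, len(hits), hosts_to_ban(rx, SAMPLE_LOG, maxretry=3)))
```

With the question's regex every successful page load counts as a "failure", so an ordinary visitor fetching a page plus two assets trips a `maxretry = 3` threshold just like the scanner does; the status-code-restricted variant only counts the scanner's 403/404 responses. Note that `PROPFIND` and empty-request (`"-" 408`) lines match neither regex, which is why they appear under "Missed line(s)" in the `fail2ban-regex` output above.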