Linux

站點移到負載均衡器後面後,Fail2ban 正則表達式不匹配

  • July 10, 2020

我用 nginx 安裝了 fail2ban,它一直在工作,直到我把它移到負載均衡器後面。Bcoz 在負載均衡器後面移動後,我發現日誌中顯示了 2 個 IP。我希望 fail2ban 檢測到第一個 IP 並根據規則阻止它。以下是範例日誌條目:

46.229.168.138, 64.252.86.102 - - [08/Jul/2020:10:55:08 +0530] "GET /telangana/%E0%B0%B0%E0%B0%BE%E0%B0%B7%E0%B1%8D%E0%B0%9F%E0%B1%8D%E0%B0%B0%E0%B0%82%E0%B0%B2%E0%B1%8B-%E0%B0%85%E0%B0%A6%E0%B1%8D%E0%B0%AD%E0%B1%81%E0%B0%A4%E0%B0%AE%E0%B1%88%E0%B0%A8-%E0%B0%AE%E0%B0%BE%E0%B0%B0/ HTTP/1.1" 200 18082 "-" "Amazon CloudFront"

我的 fail2ban 過濾器是:

[Definition]
failregex = <HOST> - - .*(POST|GET) .* HTTP.* 403 .*$
ignoreregex =

我的fail2ban監獄是:

[httpd-forbidden]
enabled = true
filter = httpd-forbidden
logpath = /var/log/nginx/example.com_custom.access.log
bantime = 1800
findtime = 300
maxretry = 50
port = 80,443
banaction = iptables-multiport

請幫助糾正 fail2ban 正則表達式。

如果第一個 ip 是需要禁止的,這應該適用於您的情況

[Definition]
failregex = ^<HOST>,.*"(POST|HEAD|GET|PUT).*HTTP.*" 403 .*$

引用自:https://serverfault.com/questions/1024473