Linux

即使fail2ban-regex 建議它應該工作,我的自定義fail2ban 監獄也無法載入?

  • November 6, 2021

我在 fail2ban 中編寫了一個自定義監獄和過濾器,用於登錄我的服務。日誌文件位於/var/log/motion/motion.log並且登錄失敗會生成如下行:

[0:ml1] [ALR] [STR] [Nov 02 11:42:59] handle_basic_auth: motion-stream - failed auth attempt from <ip>

我的監獄/etc/fail2ban/jail.local看起來像這樣:

[motion-auth]

enabled = true
port     = 8008
filter = motion-auth.conf
logpath  = /var/log/motion/motion.log
banaction = %(banaction_allports)s
maxretry = 3
findtime = 10800
bantime = 259200

我在/etc/fail2ban/filter.d命名中的過濾器motion-auth.conf如下所示:

[Definition]
failregex = \[0:ml1\] \[ALR\] \[STR\] \[.*\] handle_basic_auth: motion-stream - failed auth attempt from <HOST>

當我執行時fail2ban-regex /var/log/motion/motion.log /etc/fail2ban/filter.d/motion-auth.conf,我確認我的過濾器確實按預期執行:

Running tests
=============

Use   failregex filter file : motion-auth, basedir: /etc/fail2ban
Use         log file : /var/log/motion/motion.log
Use         encoding : UTF-8


Results
=======

Failregex: 186 total
|-  #) [# of hits] regular expression
|   1) [186] \[0:ml1\] \[ALR\] \[STR\] \[.*\] handle_basic_auth: motion-stream - failed auth attempt from <HOST>
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [2640] (?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 2929 lines, 0 ignored, 186 matched, 2743 missed
[processed in 1.06 sec]

但是當我嘗試重新載入/重新啟動 fail2ban 以添加我的新過濾器時,我收到如下消息:

Found no accessible config files for 'filter.d/motion-auth.conf' under /etc/fail2ban
Unable to read the filter 'motion-auth.conf'
Errors in jail 'motion-auth'. Skipping...
OK

有誰知道我做錯了什麼?

從 jail.conf 的手冊頁:

篩選

過濾器的名稱 - /etc/fail2ban/filter.d/ 中過濾器的文件名,不帶 .conf/.local 副檔名。只能指定一個過濾器。

Fail2ban 可能正在尋找一個名為motion-auth.conf.conf.

你的監獄應該是:

[motion-auth]

enabled = true
port     = 8008
filter = motion-auth
...

如果您的過濾器/etc/fail2ban/filter.d/與監獄名稱匹配(如此處motion-auth.conf的 for [motion-auth]您無需指定過濾器,它是預設值。

引用自:https://serverfault.com/questions/1082744