Linux
即使fail2ban-regex 建議它應該工作,我的自定義fail2ban 監獄也無法載入?
我在 fail2ban 中編寫了一個自定義監獄和過濾器,用於登錄我的服務。日誌文件位於
/var/log/motion/motion.log
並且登錄失敗會生成如下行:[0:ml1] [ALR] [STR] [Nov 02 11:42:59] handle_basic_auth: motion-stream - failed auth attempt from <ip>
我的監獄
/etc/fail2ban/jail.local
看起來像這樣:[motion-auth] enabled = true port = 8008 filter = motion-auth.conf logpath = /var/log/motion/motion.log banaction = %(banaction_allports)s maxretry = 3 findtime = 10800 bantime = 259200
我在
/etc/fail2ban/filter.d
命名中的過濾器motion-auth.conf
如下所示:[Definition] failregex = \[0:ml1\] \[ALR\] \[STR\] \[.*\] handle_basic_auth: motion-stream - failed auth attempt from <HOST>
當我執行時
fail2ban-regex /var/log/motion/motion.log /etc/fail2ban/filter.d/motion-auth.conf
,我確認我的過濾器確實按預期執行:Running tests ============= Use failregex filter file : motion-auth, basedir: /etc/fail2ban Use log file : /var/log/motion/motion.log Use encoding : UTF-8 Results ======= Failregex: 186 total |- #) [# of hits] regular expression | 1) [186] \[0:ml1\] \[ALR\] \[STR\] \[.*\] handle_basic_auth: motion-stream - failed auth attempt from <HOST> `- Ignoreregex: 0 total Date template hits: |- [# of hits] date format | [2640] (?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)? `- Lines: 2929 lines, 0 ignored, 186 matched, 2743 missed [processed in 1.06 sec]
但是當我嘗試重新載入/重新啟動 fail2ban 以添加我的新過濾器時,我收到如下消息:
Found no accessible config files for 'filter.d/motion-auth.conf' under /etc/fail2ban Unable to read the filter 'motion-auth.conf' Errors in jail 'motion-auth'. Skipping... OK
有誰知道我做錯了什麼?
從 jail.conf 的手冊頁:
篩選
過濾器的名稱 - /etc/fail2ban/filter.d/ 中過濾器的文件名,不帶 .conf/.local 副檔名。只能指定一個過濾器。
Fail2ban 可能正在尋找一個名為
motion-auth.conf.conf
.你的監獄應該是:
[motion-auth] enabled = true port = 8008 filter = motion-auth ...
如果您的過濾器
/etc/fail2ban/filter.d/
與監獄名稱匹配(如此處motion-auth.conf
的 for[motion-auth]
,您無需指定過濾器,它是預設值。