fail2ban 中的漏行是什麼?
昨天我的日誌文件中有數百萬行這樣的行:
Feb 25 18:00:00 mond2 sshd[29574]: Bad protocol version identification '\003' from 54.37.78.250 port 50306 Feb 25 18:00:00 mond2 sshd[29575]: Bad protocol version identification '\003' from 54.37.78.250 port 50530 Feb 25 18:00:00 mond2 sshd[29576]: Bad protocol version identification '\003' from 54.37.78.250 port 50696 Feb 25 18:00:00 mond2 sshd[29577]: Bad protocol version identification '\003' from 54.37.78.250 port 50857 Feb 25 18:00:00 mond2 sshd[29578]: Bad protocol version identification '\003' from 54.37.78.250 port 51032 Feb 25 18:00:01 mond2 sshd[29579]: Bad protocol version identification '\003' from 54.37.78.250 port 51213 Feb 25 18:00:01 mond2 sshd[29580]: Bad protocol version identification '\003' from 54.37.78.250 port 51427 Feb 25 18:00:01 mond2 sshd[29584]: Bad protocol version identification '\003' from 54.37.78.250 port 51642 Feb 25 18:00:01 mond2 sshd[29585]: Bad protocol version identification '\003' from 54.37.78.250 port 51809 Feb 25 18:00:01 mond2 sshd[29586]: Bad protocol version identification '\003' from 54.37.78.250 port 51970
我想通過為它創建一個新的監獄來用 fail2ban 抓住他們。但沒有任何效果。現在我嘗試了正則表達式測試器,它告訴我:
fail2ban-regex /var/log/auth.log.test "^%(__prefix_line)sBad protocol version identification '\\\d+' from <HOST> port" Running tests ============= Use failregex line : ^%(__prefix_line)sBad protocol version identificat... Use log file : /var/log/auth.log.test Use encoding : UTF-8 Results ======= Failregex: 0 total Ignoreregex: 0 total Date template hits: |- [# of hits] date format | [10] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)? `- Lines: 10 lines, 0 ignored, 0 matched, 10 missed [processed in 0.00 sec] |- Missed line(s): | Feb 25 18:00:00 mond2 sshd[29574]: Bad protocol version identification '\003' from 54.37.78.250 port 50306 | Feb 25 18:00:00 mond2 sshd[29575]: Bad protocol version identification '\003' from 54.37.78.250 port 50530 | Feb 25 18:00:00 mond2 sshd[29576]: Bad protocol version identification '\003' from 54.37.78.250 port 50696 | Feb 25 18:00:00 mond2 sshd[29577]: Bad protocol version identification '\003' from 54.37.78.250 port 50857 | Feb 25 18:00:00 mond2 sshd[29578]: Bad protocol version identification '\003' from 54.37.78.250 port 51032 | Feb 25 18:00:01 mond2 sshd[29579]: Bad protocol version identification '\003' from 54.37.78.250 port 51213 | Feb 25 18:00:01 mond2 sshd[29580]: Bad protocol version identification '\003' from 54.37.78.250 port 51427 | Feb 25 18:00:01 mond2 sshd[29584]: Bad protocol version identification '\003' from 54.37.78.250 port 51642 | Feb 25 18:00:01 mond2 sshd[29585]: Bad protocol version identification '\003' from 54.37.78.250 port 51809 | Feb 25 18:00:01 mond2 sshd[29586]: Bad protocol version identification '\003' from 54.37.78.250 port 51970 `-
所以它顯然不知道我想要什麼。這甚至意味著什麼,線路被遺漏了?是不是看的不仔細,忘記了剛才讀到的內容?它是否讀得太快而無法實際處理它所讀的內容?我不明白,網路也不明白。對此有什麼解釋嗎?
我該怎麼做才能匹配和禁止這些日誌行?
這是我開始使用的正則表達式,不知道它是否好:
failregex = ^%(__prefix_line)sBad protocol version identification '\\\d+' from <HOST> port \d+\s*$
我在 Ubuntu 16.04 上有 Fail2Ban v0.9.3。
我又玩了一些以找到可行的解決方案。我唯一能找到的是刪除我添加的所有內容,只將其添加到
sshd
監獄中,在jail.local
:failregex = ^\s*\S+\s+sshd\[\d+\]: Bad protocol version identification '.*?' from <HOST> port
這似乎有效。當我連接 netcat 並輸入一些文本時,會顯示相關的日誌行並將
fail2ban-client status sshd
失敗的計數器加 1。我不確定,因為還有其他攻擊正在進行(通常的背景噪音)。正則表達式中的關鍵變化是不要過度指定“辨識”之後的部分。
我有點生疏,但
missed lines
指的是與您的正則表達式不匹配的行。以下命令將顯示日誌中匹配和遺漏的行:
fail2ban-regex --print-all-missed /var/log/auth.log.test "^%(__prefix_line)sBad protocol version identification '\\\d+' from <HOST> port"
據我記得,每一行都會有一個前綴表示
HIT:
正則表達式是否匹配以及MISS:
是否不匹配。編輯
現在坐在電腦前,試圖調試你的語句。
首先,也許正則表達式有點短?因為正則表達式不匹配整行。
據我所知,正則表達式匹配:
Feb 25 18:00:00 mond2 sshd[29574]: Bad protocol version identification '\003' from 54.37.78.250 port
50306注意到我沒有標記埠號。
如果你擴展了正則表達式,它會說:
^%(__prefix_line)sBad protocol version identification '\\\d+' from <HOST> port \d+
嗯…用我自己的伺服器嘗試了測試日誌,但仍然沒有用。懷疑該
__prefix_line
部分與“錯誤協議”之前的所有內容都不匹配。