
What are "missed lines" in fail2ban?

  • March 2, 2020

Yesterday I had millions of lines like these in my log file:

Feb 25 18:00:00 mond2 sshd[29574]: Bad protocol version identification '\003' from 54.37.78.250 port 50306
Feb 25 18:00:00 mond2 sshd[29575]: Bad protocol version identification '\003' from 54.37.78.250 port 50530
Feb 25 18:00:00 mond2 sshd[29576]: Bad protocol version identification '\003' from 54.37.78.250 port 50696
Feb 25 18:00:00 mond2 sshd[29577]: Bad protocol version identification '\003' from 54.37.78.250 port 50857
Feb 25 18:00:00 mond2 sshd[29578]: Bad protocol version identification '\003' from 54.37.78.250 port 51032
Feb 25 18:00:01 mond2 sshd[29579]: Bad protocol version identification '\003' from 54.37.78.250 port 51213
Feb 25 18:00:01 mond2 sshd[29580]: Bad protocol version identification '\003' from 54.37.78.250 port 51427
Feb 25 18:00:01 mond2 sshd[29584]: Bad protocol version identification '\003' from 54.37.78.250 port 51642
Feb 25 18:00:01 mond2 sshd[29585]: Bad protocol version identification '\003' from 54.37.78.250 port 51809
Feb 25 18:00:01 mond2 sshd[29586]: Bad protocol version identification '\003' from 54.37.78.250 port 51970

I wanted to catch them with fail2ban by creating a new jail for it. But nothing worked. Now I tried the regex tester, and it tells me:

fail2ban-regex /var/log/auth.log.test "^%(__prefix_line)sBad protocol version identification '\\\d+' from <HOST> port"

Running tests
=============

Use   failregex line : ^%(__prefix_line)sBad protocol version identificat...
Use         log file : /var/log/auth.log.test
Use         encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [10] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 10 lines, 0 ignored, 0 matched, 10 missed [processed in 0.00 sec]
|- Missed line(s):
|  Feb 25 18:00:00 mond2 sshd[29574]: Bad protocol version identification '\003' from 54.37.78.250 port 50306
|  Feb 25 18:00:00 mond2 sshd[29575]: Bad protocol version identification '\003' from 54.37.78.250 port 50530
|  Feb 25 18:00:00 mond2 sshd[29576]: Bad protocol version identification '\003' from 54.37.78.250 port 50696
|  Feb 25 18:00:00 mond2 sshd[29577]: Bad protocol version identification '\003' from 54.37.78.250 port 50857
|  Feb 25 18:00:00 mond2 sshd[29578]: Bad protocol version identification '\003' from 54.37.78.250 port 51032
|  Feb 25 18:00:01 mond2 sshd[29579]: Bad protocol version identification '\003' from 54.37.78.250 port 51213
|  Feb 25 18:00:01 mond2 sshd[29580]: Bad protocol version identification '\003' from 54.37.78.250 port 51427
|  Feb 25 18:00:01 mond2 sshd[29584]: Bad protocol version identification '\003' from 54.37.78.250 port 51642
|  Feb 25 18:00:01 mond2 sshd[29585]: Bad protocol version identification '\003' from 54.37.78.250 port 51809
|  Feb 25 18:00:01 mond2 sshd[29586]: Bad protocol version identification '\003' from 54.37.78.250 port 51970
`-

So it apparently does not know what I want. What does this even mean, that lines were missed? Did it not look carefully and forget what it had just read? Did it read too fast to actually process what it read? I don't understand it, and neither does the web. Is there any explanation for this?

What do I have to do to match and ban these log lines?

This is the regex I started with; no idea whether it is any good:

failregex = ^%(__prefix_line)sBad protocol version identification '\\\d+' from <HOST> port \d+\s*$

I have Fail2Ban v0.9.3 on Ubuntu 16.04.

I played around some more to find a working solution. The only thing I could find was to remove everything I had added and only add this to the sshd jail, in jail.local:

failregex = ^\s*\S+\s+sshd\[\d+\]: Bad protocol version identification '.*?' from <HOST> port

This seems to work. When I connect with netcat and type some text, the relevant log line appears and fail2ban-client status sshd increments the failure counter by 1. I'm not sure, though, because there are other attacks going on (the usual background noise).

The key change in the regex is not to over-specify the part after "identification".

I'm a bit rusty, but missed lines refers to the lines that do not match your regex.

The following command will show the matched and the missed lines in the log:

fail2ban-regex --print-all-missed /var/log/auth.log.test "^%(__prefix_line)sBad protocol version identification '\\\d+' from <HOST> port"

As far as I remember, each line will have a prefix indicating HIT: if the regex matched and MISS: if it did not.

Edit

Now sitting in front of the computer, trying to debug your statement.

First, maybe the regex is a bit short? Because the regex does not match the entire line.

As far as I can tell, the regex matches:

Feb 25 18:00:00 mond2 sshd[29574]: Bad protocol version identification '\003' from 54.37.78.250 port 50306

Notice that I did not mark the port number.

If you extend the regex, it would say:

^%(__prefix_line)sBad protocol version identification '\\\d+' from <HOST> port \d+

Hmm... tried the test log with my own server, but still no luck. Suspect that the __prefix_line part does not match everything before "Bad protocol".
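To make the "missed" result concrete, here is an added example (not code from the question, the answers, or fail2ban itself) that re-implements, in a few lines of Python, how a failregex gets applied to a log line, and runs the three regexes from this thread over a handful of constructed sample lines modelled on the ones above. It covers both the asker's finding that the working regex must not over-specify the quoted part, and the second answer's suspicion about %(__prefix_line)s. Assumptions, labelled in the code too: the <HOST> substitution shown is the one I remember fail2ban using; PREFIX_LINE is a simplified stand-in for the real __prefix_line from filter.d/common.conf; the timestamp is stripped before matching, which is modelled on fail2ban locating and removing the date first (and is the only way the asker's regex, which starts with the hostname, can match a syslog line); and interpolate_prefix=False models handing a bare regex string to fail2ban-regex, where there is no filter file from which %(__prefix_line)s could be interpolated.

```python
"""Simulate how fail2ban applies a failregex, to see why lines are 'missed'.
Added example; not fail2ban's own code. Requires only the standard library."""
import re

# Constructed sample log lines modelled on the question (not a real capture).
SAMPLE_LOG = [
    "Feb 25 18:00:00 mond2 sshd[29574]: Bad protocol version identification '\\003' from 54.37.78.250 port 50306",
    "Feb 25 18:00:01 mond2 sshd[29579]: Bad protocol version identification '\\003' from 54.37.78.250 port 51213",
    "Feb 25 18:00:02 mond2 sshd[29590]: Bad protocol version identification 'GET / HTTP/1.1' from 192.0.2.7 port 40000",
    "Feb 25 18:00:03 mond2 sshd[29591]: Accepted publickey for alice from 198.51.100.9 port 53122 ssh2",
]

# What fail2ban substitutes for <HOST> (assumption: the 0.9-era pattern).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Simplified stand-in for %(__prefix_line)s from filter.d/common.conf
# (assumption): optional hostname, then optional "daemon[pid]: ".
PREFIX_LINE = r"\s*(?:\S+ )?(?:\S+\[\d+\]:\s+)?"

# Syslog timestamp. fail2ban locates the date and removes it from the line
# before the failregex is applied (modelled here, not copied from fail2ban),
# which is why a failregex can start directly at the hostname.
SYSLOG_DATE = re.compile(r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s*")


def expand(failregex, interpolate_prefix):
    """Turn a jail/filter-style failregex into a plain Python regex.

    interpolate_prefix=False mimics passing the string straight to
    fail2ban-regex: no config file exists to supply __prefix_line, so the
    literal text '%(__prefix_line)s' would have to appear in the log line.
    """
    regex = failregex.replace("<HOST>", HOST_RE)
    if interpolate_prefix:
        regex = regex.replace("%(__prefix_line)s", PREFIX_LINE)
    return re.compile(regex)


def run_test(failregex, lines, interpolate_prefix=True):
    """Return (matched hosts, missed lines), like fail2ban-regex's summary."""
    pattern = expand(failregex, interpolate_prefix)
    matched, missed = [], []
    for line in lines:
        body = SYSLOG_DATE.sub("", line, count=1)   # strip the timestamp first
        m = pattern.search(body)
        if m:
            matched.append(m.group("host"))
        else:
            missed.append(line)
    return matched, missed


# 1. The regex from the question, as it would read inside a filter file.
ORIGINAL = (r"^%(__prefix_line)sBad protocol version identification "
            r"'\\\d+' from <HOST> port \d+\s*$")
# 2. The same string after bash double quotes have consumed one backslash:
#    "'\\\d+'" reaches fail2ban-regex as '\\d+', i.e. a literal backslash
#    followed by one or more letters 'd', which no line contains.
SHELL_MANGLED = ORIGINAL.replace(r"'\\\d+'", r"'\\d+'")
# 3. The asker's working regex: no timestamp (already removed), sshd[pid]
#    spelled out, and the quoted identification string left unspecified.
WORKING = (r"^\s*\S+\s+sshd\[\d+\]: Bad protocol version identification "
           r"'.*?' from <HOST> port")


def summary():
    """Hosts matched by each variant; a missing host means a 'missed' line."""
    return {
        "filter_file": run_test(ORIGINAL, SAMPLE_LOG)[0],
        "cli_no_interpolation": run_test(ORIGINAL, SAMPLE_LOG, interpolate_prefix=False)[0],
        "cli_shell_mangled": run_test(SHELL_MANGLED, SAMPLE_LOG)[0],
        "working": run_test(WORKING, SAMPLE_LOG)[0],
    }


if __name__ == "__main__":
    for name, hosts in summary().items():
        print(f"{name:22s} matched {len(hosts)} line(s): {hosts}")
```

Two things fall out of running this. First, the original regex is fine once %(__prefix_line)s is actually interpolated, but it only catches the '\003' probes; the asker's '.*?' version also catches the HTTP-style probes, which is the "don't over-specify" point. Second, the bare-string invocation of fail2ban-regex misses everything for two independent reasons: the uninterpolated %(__prefix_line)s and the backslash eaten by the shell. The practical check is to test with the filter file rather than a pasted regex, e.g. fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf, so interpolation and quoting behave exactly as they do in the running jail.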

Quoted from: https://serverfault.com/questions/1004808