Nginx

如何忽略事件源日誌

  • December 11, 2018

我有一個定期執行的事件源。問題是,http-get-dos如果使用者長時間打開選項卡,fail2ban 將擷取 IP。

所以,我在想,如何在 ningx 中禁用這種類型的特定登錄?另一種方法是將fail2ban 配置為忽略此模式。

"GET /users/stream HTTP/2.0"

我願意在 nginx 或 fail2ban 中實現。

可能相應地更改此行 /etc/fail2ban/filter.d/http-get-dos.conf 是最直接的方法:

failregex = ^<HOST> -.*"(GET|POST).*

更新(/etc/fail2ban/filter.d/http-get-dos.conf):

# Fail2Ban configuration file
[Definition]

# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.
failregex = ^<HOST> -.*"(GET|POST).*
# Option: ignoreregex
ignoreregex =

##To stop DOS attack from remote host.
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath  = /usr/local/nginx/localhost-access.log
maxretry = 300
findtime = 300
bantime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]

**第一次嘗試:**顯然不能使用下面的正則表達式:

fail2ban-regex /usr/local/nginx/localhost-access.log '^<HOST> -.*"(GET|POST).*' '^.+?:\d+ <HOST> -.*"(GET) /users/stream.*$'

Running tests
=============

Use   failregex line : ^<HOST> -.*"(GET|POST).*
Use ignoreregex line : ^.+?:\d+ <HOST> -.*"(GET) /users/stream.*$
Use         log file : /usr/local/nginx/localhost-access.log
Use         encoding : UTF-8


Results
=======

Failregex: 22431 total
|-  #) [# of hits] regular expression
|   1) [22431] ^<HOST> -.*"(GET|POST).*
`-

Ignoreregex: 0 total

**第二次嘗試:**但可以使用^<HOST> -.*"(GET) /users/stream.*$

fail2ban-regex /usr/local/nginx/localhost-access.log '^<HOST> -.*"(GET|POST).*' '^<HOST> -.*"(GET) /users/stream.*$'

Running tests
=============

Use   failregex line : ^<HOST> -.*"(GET|POST).*
Use ignoreregex line : ^<HOST> -.*"(GET) /users/stream.*$
Use         log file : /usr/local/nginx/localhost-access.log
Use         encoding : UTF-8


Results
=======

Failregex: 1574 total
|-  #) [# of hits] regular expression
|   1) [1574] ^<HOST> -.*"(GET|POST).*
`-

Ignoreregex: 22093 total
|-  #) [# of hits] regular expression
|   1) [22093] ^<HOST> -.*"(GET) /users/stream.*$
`-

你在正確的軌道上使用

ignoreregex =

在你的指令

/etc/fail2ban/filter.d/http-get-dos.conf

配置文件。這應該只是調整正則表達式的問題。像這樣的東西:

^<HOST> -.*"(GET) /users/stream.*$

它匹配您的日誌文件行,然後匹配任何 GET,並且僅匹配具有 /users/stream 前綴的請求以及附加到它的任何字元串的 GET。

引用自:https://serverfault.com/questions/942682

相關問答

Logging

Fail2ban 正則表達式工作但不禁止。改為 DNS 警告

  • December 15, 2021
檢視問答
Nginx

Fail2ban 禁止不在日誌中的奇數 IP 地址(0.0.0.4、0.0.0.5 等)

  • March 16, 2021
檢視問答
Linux

站點移到負載均衡器後面後,Fail2ban 正則表達式不匹配

  • July 10, 2020
檢視問答
Nginx

Fail2ban 禁止 IP,但直到它已經有數百個請求

  • May 17, 2019
檢視問答
Nginx

哪個 Nginx 日誌文件適用於 fail2ban?

  • April 13, 2016
檢視問答
Nginx

NGINX:位置匹配資產

  • September 10, 2022
檢視問答