Nginx
當請求來自暴力攻擊時,fail2ban 規則不起作用
我有一種情況,來自摩爾多瓦的一些 IP 每天都嘗試通過某種類型的蠻力攻擊來發現我的基本身份驗證憑據。
但是,我有一條關於 fail2ban 的規則,應該避免這種情況。當我嘗試使用 VPN 時它可以工作。
三次嘗試後觸發 fail2ban 的請求範例。我的要求
2016/07/14 15:10:54 [error] 13937#0: *55700 user "engineer" was not found in "/usr/local/nginx/.htpasswd", client: 146.185.31.214, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt"
問題是,來自黑客IP的請求不會觸發fail2ban,我不知道為什麼。唯一的區別是
referrer:
如您所見。2016/07/14 01:54:31 [error] 13913#0: *42558 user "engineer" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/
/etc/fail2ban/filter.d/nginx-http-auth.conf [Definition] failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$ ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$ ignoreregex =
[nginx-http-auth] enabled = true filter = nginx-http-auth port = http,https logpath = /usr/local/nginx/localhost-error.log maxretry = 3
所以問題是為什麼我的請求會觸發規則,而攻擊者的請求不會?
日誌摘錄:
2016/07/14 01:54:27 [error] 13917#0: *42529 user "mts" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/" 2016/07/14 01:54:27 [error] 13917#0: *42530 user "mts" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/" 2016/07/14 01:54:28 [error] 13917#0: *42531 user "telecomadmin" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/" 2016/07/14 01:54:28 [error] 13917#0: *42532 user "telecomadmin" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/" 2016/07/14 01:54:28 [error] 13917#0: *42533 user "mgts" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/" 2016/07/14 01:54:28 [error] 13917#0: *42534 user "mgts" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/" 2016/07/14 01:54:28 [error] 13917#0: *42535 user "admin" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/" 2016/07/14 01:54:28 [error] 13917#0: *42536 user "admin" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/" 2016/07/14 01:54:29 [error] 13917#0: *42539 user "kyivstar" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/"
不確定以下是否對您來說太籠統(如果是,請相應地發表評論),但您給定的正則表達式
host: ...
與攻擊者生成的日誌的值不匹配,特別是/
那裡的內部。你可以試試這個:
failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: ".*"$ ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: ".*"$