Regex
多個 sshd 的正則表達式從…收到斷開連接preauthpr和一種在噸Hpreauth
什麼 fail2ban 正則表達式會擷取這樣的日誌?
Apr 9 08:48:28 server sshd[1856]: Received disconnect from 43.255.190.117: 11: [preauth] Apr 9 09:06:05 server sshd[1936]: Received disconnect from 43.255.191.159: 11: [preauth] Apr 9 09:06:10 server sshd[1938]: Received disconnect from 43.255.190.126: 11: [preauth] Apr 9 09:31:12 server sshd[2005]: Received disconnect from 43.255.190.123: 11: [preauth] Apr 9 09:37:06 server sshd[2013]: Received disconnect from 43.255.190.149: 11: [preauth] Apr 9 09:53:55 server sshd[2036]: Received disconnect from 43.255.190.149: 11: [preauth] Apr 9 10:16:59 server sshd[2368]: Received disconnect from 43.255.190.165: 11: [preauth] Apr 9 10:47:30 server sshd[3800]: Received disconnect from 43.255.190.150: 11: [preauth] Apr 9 11:04:01 server sshd[6855]: Received disconnect from 43.255.190.131: 11: [preauth]
和/或與再見
Apr 9 12:29:59 server sshd[7764]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth] Apr 9 12:30:00 server sshd[7766]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth] Apr 9 12:30:01 server sshd[7768]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth] Apr 9 12:30:03 server sshd[7776]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth] Apr 9 12:30:04 server sshd[7778]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth] Apr 9 12:30:05 server sshd[7780]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth] Apr 9 12:30:06 server sshd[7782]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth] Apr 9 12:30:07 server sshd[7784]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth] Apr 9 12:30:08 server sshd[7786]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth] Apr 9 12:30:10 server sshd[7788]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth] Apr 9 12:30:11 server sshd[7790]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth] Apr 9 12:30:12 server sshd[7792]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth] Apr 9 12:30:13 server sshd[7794]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth] Apr 9 12:30:14 server sshd[7796]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth] Apr 9 12:30:15 server sshd[7798]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth] Apr 9 12:30:17 server sshd[7800]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
無論這些人在做什麼,我都想要一個 fail2ban 規則。顯然,儘管嘗試的頻率很高,但他們並沒有做任何其他事情來觸發 fail2ban。
您可以使用此規則:
^%(__prefix_line)sReceived disconnect from <HOST>: 11: (Bye Bye)? \[preauth\]$
要使用
fail2ban-regex
或 egrep 對其進行測試,您可以^%(__prefix_line)s
從一開始就去掉它。將此行添加failregex
到/etc/fail2ban/filter.d/sshd.conf
.執行 with
fail2ban-regex
給了我這些結果,確認規則匹配:Running tests ============= Use regex file : sshd.conf Use log file : /var/log/auth.log Results ======= Failregex |- Regular expressions: [...] | [11] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Received disconnect from <HOST>: 11: (Bye Bye)? \[preauth\]$ | `- Number of matches: [...] [11] 545 match(es) [...]