Regex

Regex for multiple sshd "Received disconnect from …: 11: [preauth]" lines and one with "Bye Bye [preauth]"

  • July 7, 2017

What fail2ban regex would catch log lines like these?

Apr  9 08:48:28 server sshd[1856]: Received disconnect from 43.255.190.117: 11:  [preauth]
Apr  9 09:06:05 server sshd[1936]: Received disconnect from 43.255.191.159: 11:  [preauth]
Apr  9 09:06:10 server sshd[1938]: Received disconnect from 43.255.190.126: 11:  [preauth]
Apr  9 09:31:12 server sshd[2005]: Received disconnect from 43.255.190.123: 11:  [preauth]
Apr  9 09:37:06 server sshd[2013]: Received disconnect from 43.255.190.149: 11:  [preauth]
Apr  9 09:53:55 server sshd[2036]: Received disconnect from 43.255.190.149: 11:  [preauth]
Apr  9 10:16:59 server sshd[2368]: Received disconnect from 43.255.190.165: 11:  [preauth]
Apr  9 10:47:30 server sshd[3800]: Received disconnect from 43.255.190.150: 11:  [preauth]
Apr  9 11:04:01 server sshd[6855]: Received disconnect from 43.255.190.131: 11:  [preauth]

and/or with "Bye Bye":

Apr  9 12:29:59 server sshd[7764]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:00 server sshd[7766]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:01 server sshd[7768]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:03 server sshd[7776]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:04 server sshd[7778]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:05 server sshd[7780]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:06 server sshd[7782]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:07 server sshd[7784]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:08 server sshd[7786]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:10 server sshd[7788]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:11 server sshd[7790]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:12 server sshd[7792]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:13 server sshd[7794]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:14 server sshd[7796]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:15 server sshd[7798]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:17 server sshd[7800]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]

Whatever these people are doing, I want a fail2ban rule for it. Apparently, despite the high rate of attempts, they aren't doing anything else that triggers fail2ban.

You can use this rule:

^%(__prefix_line)sReceived disconnect from <HOST>: 11: (Bye Bye)? \[preauth\]$

To test it with fail2ban-regex or egrep, you can strip ^%(__prefix_line)s from the beginning. Add this line to failregex in /etc/fail2ban/filter.d/sshd.conf.

Running it with fail2ban-regex gave me these results, confirming that the rule matches:

Running tests
=============

Use regex file : sshd.conf
Use log file   : /var/log/auth.log


Results
=======

Failregex
|- Regular expressions:
[...]
|  [11] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Received disconnect from <HOST>: 11: (Bye Bye)? \[preauth\]$
|
`- Number of matches:
[...]
  [11] 545 match(es)
[...]

Source: https://serverfault.com/questions/681703
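The following is an added example, not part of the question or the answer above, that runs the answer's failregex over constructed sshd log lines the way fail2ban would: it expands <HOST> into a named capture group, counts matches per source address, and lists the addresses that would reach a ban threshold. The syslog prefix pattern, the IPv4-only <HOST> stand-in, the sample lines and the maxretry value of 5 are all assumptions made for this example (fail2ban's real __prefix_line and <HOST> expansions are broader than what is shown here).

```python
import re
from collections import Counter

# Assumption: a simplified stand-in for fail2ban's <HOST> expansion. fail2ban's real
# pattern also covers IPv6 addresses and hostnames; IPv4 is enough for the sample lines.
HOST_PATTERN = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# The failregex from the answer with the %(__prefix_line)s macro removed, as the
# answer suggests for testing outside fail2ban. Note the two spaces in "11:  [preauth]"
# on the Bye-Bye-less lines: "11: " + empty optional group + " [preauth]" consumes both.
FAILREGEX = r"Received disconnect from <HOST>: 11: (Bye Bye)? \[preauth\]$"

# Assumption: a minimal stand-in for __prefix_line, matching a prefix such as
# "Apr  9 08:48:28 server sshd[1856]: " (month, day, time, hostname, program[pid]).
PREFIX = r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ sshd\[\d+\]: "


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> into a named group, as fail2ban does, and anchor after the prefix."""
    return re.compile(PREFIX + failregex.replace("<HOST>", HOST_PATTERN))


def match_host(pattern: re.Pattern, line: str):
    """Return the offending address for a matching line, or None."""
    m = pattern.search(line)
    return m.group("host") if m else None


def count_failures(lines, failregex: str = FAILREGEX) -> Counter:
    """Count failregex matches per source address, like fail2ban's per-IP tally."""
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in lines:
        host = match_host(pattern, line)
        if host:
            counts[host] += 1
    return counts


def hosts_to_ban(counts: Counter, maxretry: int = 5) -> list:
    """Addresses whose failure count reached maxretry (assumed default of 5)."""
    return sorted(host for host, n in counts.items() if n >= maxretry)


# Constructed sample log: eight lines in the two shapes from the question, plus two
# lines that must NOT match (a post-auth disconnect and a successful login).
SAMPLE_LOG = """\
Apr  9 08:48:28 server sshd[1856]: Received disconnect from 43.255.190.117: 11:  [preauth]
Apr  9 09:37:06 server sshd[2013]: Received disconnect from 43.255.190.149: 11:  [preauth]
Apr  9 09:53:55 server sshd[2036]: Received disconnect from 43.255.190.149: 11:  [preauth]
Apr  9 12:29:59 server sshd[7764]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:00 server sshd[7766]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:01 server sshd[7768]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:03 server sshd[7776]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:04 server sshd[7778]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 13:00:00 server sshd[8001]: Received disconnect from 10.0.0.5: 11: disconnected by user
Apr  9 13:00:01 server sshd[8003]: Accepted publickey for admin from 10.0.0.5 port 50122 ssh2
"""


if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG.splitlines())
    for host, n in counts.most_common():
        print(f"{host:16} {n} match(es)")
    print("would ban:", hosts_to_ban(counts))
```

The optional group only toggles the literal "Bye Bye" text, so both line shapes from the question land on the same rule; the post-auth "disconnected by user" line fails on the trailing "[preauth]" anchor, which is the part that keeps ordinary client logouts out of the tally. Two practical checks before deploying a custom line: run `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf` and confirm the per-regex match count, and compare against the stock sshd filter shipped with your fail2ban version, since later releases already cover these preauth disconnects and newer OpenSSH releases insert a "port NNNN" field after the address that this regex does not allow for.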