Ssh
Modify fail2ban failregex to match failed public key authentication via ssh
fail2ban
fail2ban does not recognise failed public key ssh logins. I think this could be fixed by modifying the failregex
of /etc/fail2ban/filter.d/sshd.config
to match the following line:
<date> <time> <server-hostname> sshd[25917]: Connection closed by <client-ip> [preauth]
But I could not find a decent introduction on how to modify said failregex correctly. Since I don't really know which variables
^%(__prefix_line)s
contains, it is hard to come up with a working regex. I understand that the latest version, 0.9.1, contains a regex matching the "Connection closed
[preauth]" line, but I am using fail2ban from the Debian repositories, and the 0.9.1 configuration is not compatible with mine.
This line does it:
^%(__prefix_line)sConnection closed by <HOST> \[preauth\]$
Tested with the following log line:
Apr 29 12:30:12 sendai sshd[25917]: Connection closed by 127.0.0.1 [preauth]
Successful test:

    $ fail2ban-regex ~/ssh.log sshd.conf

    Running tests
    =============

    Use regex file : sshd.conf
    Use log file   : /home/user/ssh.log

    Results
    =======

    Failregex
    |- Regular expressions:
    [...]
    |  [12] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Connection closed by <HOST> \[preauth\]$
    |
    `- Number of matches:
    [...]
       [12] 1 match(es)

    Summary
    =======

    Addresses found:
    [...]
    [12]
        127.0.0.1 (Wed Apr 29 12:30:12 2015)
    [..]

    Success, the total number of match is 1
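As an added example (not part of the answer above, and not fail2ban's own code), the following Python script reproduces what fail2ban-regex does with this failregex. It interpolates %(__prefix_line)s using the expanded prefix printed in the test output above, substitutes <HOST> with the capturing group that fail2ban 0.8/0.9 uses (an assumption here; check filter.py of your installed version), strips the syslog timestamp the way fail2ban's date detector would, and runs the result over a few constructed log lines, including an IPv4-mapped IPv6 client and two lines that must not match.

```python
import re

# Body of %(__prefix_line)s, taken from the expanded regex that
# fail2ban-regex printed above (the leading ^ belongs to the failregex).
PREFIX_LINE = (
    r"\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?"
    r"(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|"
    r"[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*"
)

# What fail2ban 0.8/0.9 substitutes for <HOST>: an optional IPv4-mapped
# IPv6 prefix (::ffff:) followed by the captured host. Assumption based on
# fail2ban's filter.py; verify against your installed version.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# fail2ban removes the timestamp before applying the failregex; this is a
# simplified date detector for the "Apr 29 12:30:12 " syslog form only.
SYSLOG_DATE = re.compile(r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} ")

# The failregex from the answer, exactly as it would go into sshd.conf.
FAILREGEX = r"^%(__prefix_line)sConnection closed by <HOST> \[preauth\]$"


def expand_failregex(failregex, prefix_line=PREFIX_LINE):
    """Interpolate %(__prefix_line)s (as fail2ban's config parser does)
    and replace <HOST> with the host-capturing group."""
    return (failregex % {"__prefix_line": prefix_line}).replace("<HOST>", HOST)


def find_failures(lines, failregex=FAILREGEX):
    """Return the hosts captured from every log line that matches
    failregex after the syslog timestamp has been stripped."""
    pattern = re.compile(expand_failregex(failregex))
    hosts = []
    for line in lines:
        stripped = SYSLOG_DATE.sub("", line.rstrip("\n"))
        match = pattern.search(stripped)
        if match:
            hosts.append(match.group("host"))
    return hosts


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    "Apr 29 12:30:12 sendai sshd[25917]: Connection closed by 127.0.0.1 [preauth]",
    "Apr 29 12:30:40 sendai sshd[25920]: Connection closed by ::ffff:192.0.2.7 [preauth]",
    "Apr 29 12:31:02 sendai sshd[25925]: Accepted publickey for alice from 198.51.100.4 port 50122 ssh2",
    "Apr 29 12:31:30 sendai sshd[25931]: Connection closed by 203.0.113.9",
]

if __name__ == "__main__":
    print("expanded:", expand_failregex(FAILREGEX))
    for host in find_failures(SAMPLE_LOG):
        print("would ban:", host)
```

Two things to check before deploying the regex on a real host. First, sshd logs "Connection closed by ... [preauth]" for any client that drops the connection before authentication completes, not only for rejected public keys; banner-grabbing scanners and a legitimate user whose agent offered no acceptable key produce the same line, so keep maxretry permissive. Second, newer OpenSSH releases append the client port to this message ("Connection closed by 192.0.2.7 port 51234 [preauth]"), which the `$`-anchored regex above will not match; compare the regex against a line from your own auth.log with fail2ban-regex before relying on it.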