Ssh

Modifying the fail2ban failregex to match failed public-key authentication via ssh

  • June 19, 2021

fail2ban does not recognize failed public-key ssh logins. I think this can be solved by modifying the failregex of /etc/fail2ban/filter.d/sshd.config to match the following line:

<date> <time> <server-hostname> sshd[25917]: Connection closed by <client-ip> [preauth]

But I can't find a decent introduction on how to correctly modify the failregex in question. Since I really don't know what variables ^%(__prefix_line)s contains, it is hard to get a working regular expression.

I understand that the latest version, 0.9.1, includes a regex to match the "Connection closed [preauth]" line, but I'm using fail2ban from the Debian repositories, and the 0.9.1 configuration is not compatible with mine.

This line did it:

^%(__prefix_line)sConnection closed by <HOST> \[preauth\]$

Tested with the following log string:

Apr 29 12:30:12 sendai sshd[25917]: Connection closed by 127.0.0.1 [preauth]

Successful test:

$ fail2ban-regex ~/ssh.log sshd.conf 

Running tests
=============

Use regex file : sshd.conf
Use log file   : /home/user/ssh.log


Results
=======

Failregex
|- Regular expressions:
[...]
|  [12] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Connection closed by <HOST> \[preauth\]$
|
`- Number of matches:
[...]
  [12] 1 match(es)

Summary
=======

Addresses found:
[...]
[12]
   127.0.0.1 (Wed Apr 29 12:30:12 2015)
[..]

Success, the total number of match is 1
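To show what the expanded %(__prefix_line)s in the fail2ban-regex output above actually does, here is an added Python example (not code from the question, the answer, or the fail2ban project). It applies the answer's failregex, with the prefix expanded exactly as fail2ban-regex printed it, to a small constructed log. The syslog timestamp stripping and the IPv4-only <HOST> group are simplifying assumptions: real fail2ban detects the date with its own datepattern machinery and substitutes <HOST> with a group that also accepts IPv6 addresses and hostnames.

```python
import re

# Expanded form of %(__prefix_line)s exactly as fail2ban-regex printed it
# for regex [12] in the answer above (fail2ban 0.8.x-era filter).
PREFIX_LINE = (
    r"^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?"
    r"(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?"
    r"|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*"
)

# The failregex from the answer, with %(__prefix_line)s substituted in.
FAILREGEX = PREFIX_LINE + r"Connection closed by <HOST> \[preauth\]$"

# fail2ban replaces the <HOST> tag with a named capture group. This IPv4-only
# pattern is an assumption for the example; fail2ban's real one also matches
# IPv6 addresses and hostnames.
HOST_GROUP = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Simplified stand-in (assumption) for fail2ban's date detection: remove a
# syslog-style "Mon DD HH:MM:SS " timestamp so the line starts at the hostname,
# which is the text the failregex is applied to.
SYSLOG_DATE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} ")


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex (with <HOST>) into a Python pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def match_line(pattern, line):
    """Return the host captured from a log line, or None if it does not match."""
    stripped = SYSLOG_DATE.sub("", line, count=1)
    m = pattern.search(stripped)
    return m.group("host") if m else None


def scan(lines, failregex=FAILREGEX):
    """Return the hosts of every line that the failregex matches, in order."""
    pattern = compile_failregex(failregex)
    return [h for h in (match_line(pattern, line) for line in lines) if h]


# Constructed sample log, modelled on the line the answer tested with.
SAMPLE_LOG = [
    "Apr 29 12:30:12 sendai sshd[25917]: Connection closed by 127.0.0.1 [preauth]",
    "Apr 29 12:30:13 sendai sshd[25920]: Accepted publickey for user from 10.0.0.5 port 51234 ssh2",
    "Apr 29 12:30:14 sendai sshd[25917]: Connection closed by 192.0.2.10 [preauth]",
]

if __name__ == "__main__":
    for host in scan(SAMPLE_LOG):
        print("match:", host)
```

Note that the prefix alone does not consume the timestamp: applied to the raw line, `(?:\S+ )?` eats "Apr " and the rest of the prefix cannot match "29", so nothing is found. That is why fail2ban's date handling runs before the failregex, and why testing with fail2ban-regex (which does the same) is the reliable way to check a new pattern.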

Quoted from: https://serverfault.com/questions/686422