1. 首页
  2. 系统运维
  3. Linux

fail2ban-regex测试ignoreregex没有效果的问题

在filter.d中定义好过滤规则,例如:suhosin.conf

[Definition]
failregex = suhosin\[\d*\].*\(attacker\s'<HOST>'.*
ignoreregex = suhosin\[\d*\].*(memory_limit).*\(attacker\s'<HOST>'.*

日志:

Dec 17 15:51:13 server suhosin[27622]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable      'action' (attacker '67.210.100.166', file '/bla.php')
Dec 17 15:51:13 server suhosin[27624]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'board' (attacker '67.210.100.166', file '/bla.php')
Dec 17 15:51:13 server suhosin[27624]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'topic' (attacker '67.210.100.166', file '/bla.php')
Dec 20 18:58:21 server suhosin[4088]: ALERT - script tried to increase memory_limit to 120000000 bytes which is above the allowed value (attacker '123.123.123.123', file '/bla.php', line 10)
Dec 20 18:58:32 server suhosin[4051]: ALERT - script tried to increase memory_limit to 120000000 bytes which is above the allowed value (attacker '123.123.123.123', file '/bla.php', line 10)

如果用这个命令可能会发现忽略的正则没有生效。

fail2ban-regex error.log /etc/fail2ban/filter.d/suhosin.conf

看了说明,原来fail2ban-regex的语法格式类似是这样的。

[        DISCUZ_CODE_59        ]gt; /usr/bin/fail2ban-regex | head
Usage: /usr/bin/fail2ban-regex [OPTIONS] <LOG> <REGEX> [IGNOREREGEX]

把测试命令写成这样就可以了。。。

fail2ban-regex error.log /etc/fail2ban/filter.d/suhosin.conf /etc/fail2ban/filter.d/suhosin.conf

参考连接:https://github.com/fail2ban/fail2ban/issues/100

联系我们

0574-55011290

QQ:248687950

邮件:admin@nbhao.org

工作时间:周一至周五,9:00-18:00,节假日休息

QR code