尝试在 fail2ban 上使用正则表达式阻止访问者

【问题标题】:Trying to block visitors using regex on fail2ban尝试在 fail2ban 上使用正则表达式阻止访问者
【发布时间】:2019-06-24 14:35:00
【问题描述】:

我收到大量对我的 wordpress 中不存在的 PHP 文件的请求。 它们在 nginx 错误日志中显示为以下两个示例:

2019/06/24 03:16:43 [error] 4201#4201: *17573871 FastCGI sent in stderr: "Unable to open primary script: /var/www/html/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php (No such file or directory)" while reading response header from upstream, client: 172.68.189.50, server: mywebsite.net, request: "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.2-fpm.sock:", host: "mywebsite.net"
2019/06/24 03:16:43 [error] 4201#4201: *17573871 FastCGI sent in stderr: "Unable to open primary script: /var/www/html/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php (No such file or directory)" while reading response header from upstream, client: 172.68.189.50, server: mywebsite.net, request: "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.2-fpm.sock:", host: "mywebsite.net"

我尝试过制作 noscript 过滤器。

在文件 /etc/fail2ban/jail.local 我放了:

[nginx-noscript]

enabled  = true
port     = http,https
filter   = nginx-noscript
logpath  = /var/log/nginx/error.log
maxretry = 2

在文件 /etc/fail2ban/filter.d/nginx-noscript.conf 我放:

[Definition]

failregex = \[error\] \d+#\d+: \*\d+ (FastCGI sent in stderr: "Unable to open primary script:)

ignoreregex =

但是这个过滤器没有捕捉到这些类型的 404。在systemctl restart fail2ban 之后,fail2ban 日志会显示这些错误消息。

2019-06-24 16:11:05,548 fail2ban.filter         [6182]: ERROR   No failure-id group in '\[error\] \d+#\d+: \*\d+ (FastCGI sent in stderr: "Unable to open primary script:)'
2019-06-24 16:11:05,548 fail2ban.transmitter    [6182]: WARNING Command ['set', 'nginx-noscript', 'addfailregex', '\\[error\\] \\d+#\\d+: \\*\\d+ (FastCGI sent in stderr: "Unable to open primary script:)'] has failed. Received RegexException('No failure-id group in \'\\[error\\] \\d+#\\d+: \\*\\d+ (FastCGI sent in stderr: "Unable to open primary script:)\'',)
2019-06-24 16:11:05,549 fail2ban                [6182]: ERROR   NOK: ('No failure-id group in \'\\[error\\] \\d+#\\d+: \\*\\d+ (FastCGI sent in stderr: "Unable to open primary script:)\'',)

我做错了什么。此类 nginx 错误日志的完整正则表达式是什么。

【问题讨论】:

  • 删除 ^$ 锚点,它们需要完整的字符串匹配。
  • 它仍然不起作用@WiktorStribiżew
  • does here.
  • @WiktorStribiżew fail2ban 正则表达式配置中存在其他一些问题。我已经添加了这些错误消息。

标签: regex nginx fail2ban


【解决方案1】:

这应该有效(对于 fail2ban >= 0.10):

failregex = ^\s*\[error\] \d+#\d+: \*\d+ FastCGI sent in stderr: "Unable to open primary script: [^"]*" while reading response header from upstream, client: <ADDR>

如果您有旧版本(0.9 或更低版本),请使用 &lt;HOST&gt; 而不是 &lt;ADDR&gt;(最好使用 usedns = no 禁用 DNS-lookup for jail)。

【讨论】:

    猜你喜欢
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 2013-03-05
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode