简短摘要:
我试图在监视docker容器中的流量的主机上配置fail2ban。我的fail2ban匹配,而fail2ban确实禁止了ip地址。但它禁止的IP地址是错误的?
设置和诊断
jail.local中的示例代码段
[php-custom]
enabled = true
port = http,https
filter = php-custom
logpath = /var/lib/docker/containers/*/*-json.log
maxrety = 0
bantime = 8640000
我的自定义php-custom.conf过滤规则:(我试图禁止任何PHP,因为我正在运行.net应用程序):
[Definition]
failregex = ^{"log":".*<HOST>.*(GET|POST).*(.php).*$
ignoreregex =
我试图阻止/禁止可怕的垃圾邮件流量:
{"log":"127.0.0.1 47.95.1.195 - - [05/Jul/2018:21:42:40 +0000] \"GET /phpMyadmin_bak/index.php HTTP/1.1\" 503 213 \"-\" \"Mozilla/5.0\"\n","stream":"stdout","time":"2018-07-05T21:42:40.24318153Z"}
{"log":"127.0.0.1 47.95.1.195 - - [05/Jul/2018:21:42:40 +0000] \"GET /www/phpMyAdmin/index.php HTTP/1.1\" 503 213 \"-\" \"Mozilla/5.0\"\n","stream":"stdout","time":"2018-07-05T21:42:40.823999106Z"}
{"log":"127.0.0.1 47.95.1.195 - - [05/Jul/2018:21:42:42 +0000] \"GET /tools/phpMyAdmin/index.php HTTP/1.1\" 503 213 \"-\" \"Mozilla/5.0\"\n","stream":"stdout","time":"2018-07-05T21:42:42.495745595Z"}
{"log":"127.0.0.1 47.95.1.195 - - [05/Jul/2018:21:42:42 +0000] \"GET /phpmyadmin-old/index.php HTTP/1.1\" 503 213 \"-\" \"Mozilla/5.0\"\n","stream":"stdout","time":"2018-07-05T21:42:42.686355079Z"}
{"log":"127.0.0.1 47.95.1.195 - - [05/Jul/2018:21:42:42 +0000] \"GET /phpMyAdminold/index.php HTTP/1.1\" 503 213 \"-\" \"Mozilla/5.0\"\n","stream":"stdout","time":"2018-07-05T21:42:42.876219111Z"}
{"log":"127.0.0.1 47.95.1.195 - - [05/Jul/2018:21:42:43 +0000] \"GET /phpMyAdmin.old/index.php HTTP/1.1\" 503 213 \"-\" \"Mozilla/5.0\"\n","stream":"stdout","time":"2018-07-05T21:42:43.0685648Z"}
{"log":"127.0.0.1 47.95.1.195 - - [05/Jul/2018:21:42:43 +0000] \"GET /pma-old/index.php HTTP/1.1\" 503 213 \"-\" \"Mozilla/5.0\"\n","stream":"stdout","time":"2018-07-05T21:42:43.258384519Z"}
当我用fail2ban-regex测试时,见下文,N.B 127.0.0.1不是我的真实IP地址。
fail2ban-regex '{"log":"127.0.0.1 118.24.11.172 - - [07/Jul/2018:06:15:10 +0000] \"GET /mysql-admin/index.php HTTP/1.1\" 503 213 \"-\" \"Mozilla/5.0\"\n","stream":"stdout","time":"2018-07-07T06:15:10.68 3403757Z"}' '^{"log":".*<HOST>.*(GET|POST).*(.php).*$'
我得到的输出:
Running tests
=============
Use failregex line : ^{"log":".*<HOST>.*(GET|POST).*(.php).*$
Use single line : {"log":"127.0.0.1 118.24.11.172 - - [07/Jul/2...
Results
=======
Failregex: 1 total
|- #) [# of hits] regular expression
| 1) [1] ^{"log":".*<HOST>.*(GET|POST).*(.php).*$
| 0.0.0.2 Sat Jul 07 06:15:10 2018
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [1] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
| [0] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
| [0] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
| [0] Day(?P<_sep>[-/])Month(?P=_sep)(?:Year|Year2) 24hour:Minute:Second
| [0] Month/Day/Year:24hour:Minute:Second
| [0] Month-Day-Year 24hour:Minute:Second\.Microseconds
| [0] TAI64N
| [0] Epoch
| [0] Year-Month-Day[T ]24hour:Minute:Second(?:\.Microseconds)?(?:Zone offset)?
| [0] ^24hour:Minute:Second
| [0] ^<Month/Day/Year2@24hour:Minute:Second>
| [0] ^Year2MonthDay ?24hour:Minute:Second
| [0] MON Day, Year 12hour:Minute:Second AMPM
| [0] ^MON-Day-Year2 24hour:Minute:Second
`-
Lines: 1 lines, 0 ignored, 1 matched, 0 missed [processed in 0.00 sec]
它似乎匹配,但它似乎说匹配的IP地址是0.0.0.2 Sat Jul 07 06:15:10 2018 ??
我让这个设置运行一段时间,因为我认为它正在工作,当通过运行fail2ban-client status php-custom检查状态时,我得到以下内容:
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/lib/docker/containers/016ef4731565527d407a552af9bfe5cf3ec3623117b40a34ed09e9fb5b2ffb00/ 016ef4731565527d407a552af9bfe5cf3ec3623117b40a34ed09e9fb5b2ffb00-json.log
`- Actions
|- Currently banned: 5
|- Total banned: 5
`- Banned IP list: 0.0.0.1 0.0.0.2 0.0.0.4 0.0.0.8 0.0.0.9
i.p地址似乎都是0.0.0.1和0.0.0.2等?
我期待它应该是实际的IP地址,因为我仍然得到垃圾邮件流量。
任何建议或帮助,因为我是fail2ban和docker的新手,我将不胜感激。
我建议配置nginx,以便不记录经常收到404消息的这些位置周围的任何内容。这样,保存写入日志的CPU和磁盘IO可以用于真正的访问者。
当您不需要fail2ban扫描日志时,也会保存CPU / IO时间。
每个真正的访问者都会受到IP / nftables规则的限制,从而减慢他们的访问速度。
您还可以省去查看日志的痛苦,并专注于互联网的背景噪音,而不是您关心的真实访客。
你的正则表达式也是过于广泛的probably susceptible to DoS attacks。
我经历过同样的经历。问题以及我如何修复它是一个不正确的过滤器正则表达式。很难发现,但主机解析只是IP地址的最后一位(因此你的随机0.0.0.X)。 Fail2ban以某种方式获取数字并使其成为0.0.0.X IP地址。一旦我修复了正则表达式,正确的IP就开始流动了。
作为旁注 - 解决这个问题对我来说不是结束。最后一个障碍是fail2ban似乎正在工作并禁止正确的IP地址,但是后面的服务(在你的情况下为php,我的mysql)仍在接收流氓流量。为此你需要考虑这个人写的东西(帮了我很多):LINK
希望这可以帮助!