Define the filter rule in filter.d, for example in suhosin.conf:
[Definition]
failregex = suhosin\[\d*\].*\(attacker\s'<HOST>'.*
ignoreregex = suhosin\[\d*\].*(memory_limit).*\(attacker\s'<HOST>'.*
Log:
Dec 17 15:51:13 server suhosin[27622]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'action' (attacker '67.210.100.166', file '/bla.php')
Dec 17 15:51:13 server suhosin[27624]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'board' (attacker '67.210.100.166', file '/bla.php')
Dec 17 15:51:13 server suhosin[27624]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'topic' (attacker '67.210.100.166', file '/bla.php')
Dec 20 18:58:21 server suhosin[4088]: ALERT - script tried to increase memory_limit to 120000000 bytes which is above the allowed value (attacker '123.123.123.123', file '/bla.php', line 10)
Dec 20 18:58:32 server suhosin[4051]: ALERT - script tried to increase memory_limit to 120000000 bytes which is above the allowed value (attacker '123.123.123.123', file '/bla.php', line 10)
If you test with the following command, you may find that the ignore regex does not take effect:
fail2ban-regex error.log /etc/fail2ban/filter.d/suhosin.conf
After reading the help text, it turns out the syntax of fail2ban-regex looks like this:
> /usr/bin/fail2ban-regex | head
Usage: /usr/bin/fail2ban-regex [OPTIONS] <LOG> <REGEX> [IGNOREREGEX]
Write the test command like this and it works (the filter file is passed a second time so it is also read as the IGNOREREGEX argument):
fail2ban-regex error.log /etc/fail2ban/filter.d/suhosin.conf /etc/fail2ban/filter.d/suhosin.conf
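To make the effect of the missing IGNOREREGEX argument concrete, here is an added example (not code from the page or from fail2ban itself) that applies the two patterns from suhosin.conf to the log lines above. It assumes a simplified IPv4-only expansion of the <HOST> placeholder; real fail2ban substitutes a broader host pattern, but the matching logic shown here is the same: a line that matches ignoreregex never counts as a hit, every other line is tried against failregex, and the attacker address is taken from the <HOST> group.

```python
import re

# Filter definition as written in the page's suhosin.conf.
FAILREGEX = r"suhosin\[\d*\].*\(attacker\s'<HOST>'.*"
IGNOREREGEX = r"suhosin\[\d*\].*(memory_limit).*\(attacker\s'<HOST>'.*"

# Simplified <HOST> expansion (assumption for this example): IPv4 only.
# fail2ban's real substitution also accepts IPv6 addresses and hostnames.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Constructed sample log, same shape as the suhosin lines shown above.
SAMPLE_LOG = """\
Dec 17 15:51:13 server suhosin[27622]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'action' (attacker '67.210.100.166', file '/bla.php')
Dec 17 15:51:13 server suhosin[27624]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'board' (attacker '67.210.100.166', file '/bla.php')
Dec 20 18:58:21 server suhosin[4088]: ALERT - script tried to increase memory_limit to 120000000 bytes which is above the allowed value (attacker '123.123.123.123', file '/bla.php', line 10)
Dec 20 18:58:32 server suhosin[4051]: ALERT - script tried to increase memory_limit to 120000000 bytes which is above the allowed value (attacker '123.123.123.123', file '/bla.php', line 10)
"""


def compile_filter(pattern):
    """Expand the <HOST> placeholder and compile the resulting regex."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def apply_filter(log_text, failregex, ignoreregex=None):
    """Run the filter over log_text.

    Returns (hosts, ignored, missed):
      hosts   - attacker addresses extracted from lines that count as hits
      ignored - number of lines suppressed by ignoreregex
      missed  - number of lines matching neither pattern
    Passing ignoreregex=None mirrors running fail2ban-regex without the
    third argument: nothing is whitelisted.
    """
    fail_re = compile_filter(failregex)
    ignore_re = compile_filter(ignoreregex) if ignoreregex else None
    hosts, ignored, missed = [], 0, 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        # A line matching ignoreregex is never reported as a failure.
        if ignore_re is not None and ignore_re.search(line):
            ignored += 1
            continue
        m = fail_re.search(line)
        if m:
            hosts.append(m.group("host"))
        else:
            missed += 1
    return hosts, ignored, missed


def summarize(log_text):
    """Compare the two invocations the page discusses."""
    without = apply_filter(log_text, FAILREGEX)
    with_ignore = apply_filter(log_text, FAILREGEX, IGNOREREGEX)
    return {
        "without_ignoreregex": {"hits": len(without[0]), "ignored": without[1]},
        "with_ignoreregex": {"hits": len(with_ignore[0]), "ignored": with_ignore[1]},
    }


if __name__ == "__main__":
    for name, result in summarize(SAMPLE_LOG).items():
        print(f"{name}: {result['hits']} hits, {result['ignored']} ignored")
```

Without the ignore pattern all four lines are hits and 123.123.123.123 would be banned for merely tripping the memory_limit check; with it, only the two ASCII-NUL lines remain and both point at 67.210.100.166. That is exactly the difference between the two fail2ban-regex commands in the text.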
Reference: https://github.com/fail2ban/fail2ban/issues/100