Define the filter rule in filter.d, for example suhosin.conf:

[Definition]
failregex = suhosin\[\d*\].*\(attacker\s'<HOST>'.*
ignoreregex = suhosin\[\d*\].*(memory_limit).*\(attacker\s'<HOST>'.*

Log:

Dec 17 15:51:13 server suhosin[27622]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'action' (attacker '67.210.100.166', file '/bla.php')
Dec 17 15:51:13 server suhosin[27624]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'board' (attacker '67.210.100.166', file '/bla.php')
Dec 17 15:51:13 server suhosin[27624]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'topic' (attacker '67.210.100.166', file '/bla.php')
Dec 20 18:58:21 server suhosin[4088]: ALERT - script tried to increase memory_limit to 120000000 bytes which is above the allowed value (attacker '123.123.123.123', file '/bla.php', line 10)
Dec 20 18:58:32 server suhosin[4051]: ALERT - script tried to increase memory_limit to 120000000 bytes which is above the allowed value (attacker '123.123.123.123', file '/bla.php', line 10)
If you test with this command, you may find that the ignoreregex does not take effect (the memory_limit lines are still counted as matches):
fail2ban-regex error.log /etc/fail2ban/filter.d/suhosin.conf
After reading the help text, it turns out the fail2ban-regex syntax is like this: the filter file passed as <REGEX> only supplies the failregex, and the ignore pattern is a separate, optional argument.

> /usr/bin/fail2ban-regex | head
Usage: /usr/bin/fail2ban-regex [OPTIONS] <LOG> <REGEX> [IGNOREREGEX]
Passing the same filter file a second time, as the IGNOREREGEX argument, makes the test apply the ignoreregex as well:
fail2ban-regex error.log /etc/fail2ban/filter.d/suhosin.conf /etc/fail2ban/filter.d/suhosin.conf
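To show what the ignoreregex actually changes, here is an added example (not fail2ban's own code and not part of the original post) that re-implements the two-stage matching fail2ban performs: a line is counted as a failure only if failregex matches and ignoreregex does not. It parses the [Definition] section of the suhosin.conf above, expands the <HOST> tag with a simplified IPv4-or-hostname group (an assumption; fail2ban's real expansion is more elaborate), and runs the five constructed log lines from the post through it with and without the ignore pattern.

```python
import configparser
import re

# The filter from the post (filter.d/suhosin.conf), embedded as constructed input.
FILTER_CONF = r"""
[Definition]
failregex = suhosin\[\d*\].*\(attacker\s'<HOST>'.*
ignoreregex = suhosin\[\d*\].*(memory_limit).*\(attacker\s'<HOST>'.*
"""

# Constructed sample: the suhosin log lines quoted in the post.
SAMPLE_LOG = """\
Dec 17 15:51:13 server suhosin[27622]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'action' (attacker '67.210.100.166', file '/bla.php')
Dec 17 15:51:13 server suhosin[27624]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'board' (attacker '67.210.100.166', file '/bla.php')
Dec 17 15:51:13 server suhosin[27624]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'topic' (attacker '67.210.100.166', file '/bla.php')
Dec 20 18:58:21 server suhosin[4088]: ALERT - script tried to increase memory_limit to 120000000 bytes which is above the allowed value (attacker '123.123.123.123', file '/bla.php', line 10)
Dec 20 18:58:32 server suhosin[4051]: ALERT - script tried to increase memory_limit to 120000000 bytes which is above the allowed value (attacker '123.123.123.123', file '/bla.php', line 10)
"""

# Simplified stand-in for fail2ban's <HOST> expansion (assumption): an IPv4 address or a hostname,
# captured as the named group "host" so the offending address can be pulled out of each match.
HOST_PATTERN = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[A-Za-z0-9._-]+)"


def load_filter(conf_text):
    """Read failregex and ignoreregex from the [Definition] section of a filter.d file.
    Interpolation is disabled so '%' in a regex is not treated as a configparser reference."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    definition = cfg["Definition"]
    return definition.get("failregex", ""), definition.get("ignoreregex", "")


def compile_filter(regex):
    """Expand the <HOST> tag and compile, mirroring how fail2ban turns a filter line into a regex."""
    return re.compile(regex.replace("<HOST>", HOST_PATTERN))


def match_log(log_text, failregex, ignoreregex=""):
    """Return (matched, ignored): matched maps host -> number of lines counted as failures,
    ignored is the number of failregex hits discarded because ignoreregex also matched."""
    fail_re = compile_filter(failregex)
    ignore_re = compile_filter(ignoreregex) if ignoreregex else None
    matched, ignored = {}, 0
    for line in log_text.splitlines():
        m = fail_re.search(line)
        if not m:
            continue                      # not a failure line at all
        if ignore_re and ignore_re.search(line):
            ignored += 1                  # failregex hit, but ignoreregex overrides it
            continue
        host = m.group("host")
        matched[host] = matched.get(host, 0) + 1
    return matched, ignored


if __name__ == "__main__":
    failregex, ignoreregex = load_filter(FILTER_CONF)
    print("failregex only:  ", match_log(SAMPLE_LOG, failregex))
    print("with ignoreregex:", match_log(SAMPLE_LOG, failregex, ignoreregex))
```

Run without the ignore pattern, both hosts are counted (the memory_limit lines from 123.123.123.123 would lead to a ban); with it, those two lines are discarded and only the three ASCII-NUL lines from 67.210.100.166 remain. That difference is exactly what the single-argument fail2ban-regex call hides, because it never loads the ignoreregex from the file.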