The other day I set up fail2ban on CentOS 7.
The filter I configured there was one I wrote myself.
Several filters also ship with fail2ban by default:
```
# ls -l /etc/fail2ban/filter.d/
-rw-r--r--  1 root root  442 Dec  9 23:36 3proxy.conf
-rw-r--r--  1 root root 3241 Dec  9 23:36 apache-auth.conf
-rw-r--r--  1 root root 2745 Dec  9 23:36 apache-badbots.conf
-rw-r--r--  1 root root 1273 Dec  9 23:36 apache-botsearch.conf
-rw-r--r--  1 root root  813 Dec  9 23:36 apache-common.conf
-rw-r--r--  1 root root  268 Dec  9 23:36 apache-fakegooglebot.conf
-rw-r--r--  1 root root  487 Dec  9 23:36 apache-modsecurity.conf
-rw-r--r--  1 root root  596 Dec  9 23:36 apache-nohome.conf
-rw-r--r--  1 root root 1187 Dec  9 23:36 apache-noscript.conf
-rw-r--r--  1 root root 2000 Dec  9 23:36 apache-overflows.conf
-rw-r--r--  1 root root  346 Dec  9 23:36 apache-pass.conf
-rw-r--r--  1 root root 1014 Dec  9 23:36 apache-shellshock.conf
-rw-r--r--  1 root root 3417 Dec  9 23:36 assp.conf
-rw-r--r--  1 root root 2443 Dec  9 23:36 asterisk.conf
-rw-r--r--  1 root root  520 Dec  9 23:36 botsearch-common.conf
-rw-r--r--  1 root root 1863 Dec  9 23:36 common.conf
-rw-r--r--  1 root root  252 Dec  9 23:36 counter-strike.conf
-rw-r--r--  1 root root  393 Dec  9 23:36 courier-auth.conf
-rw-r--r--  1 root root  490 Dec  9 23:36 courier-smtp.conf
-rw-r--r--  1 root root  443 Dec  9 23:36 cyrus-imap.conf
-rw-r--r--  1 root root  345 Dec  9 23:36 directadmin.conf
-rw-r--r--  1 root root 1875 Dec  9 23:36 dovecot.conf
-rw-r--r--  1 root root 1696 Dec  9 23:36 dropbear.conf
-rw-r--r--  1 root root  557 Dec  9 23:36 drupal-auth.conf
-rw-r--r--  1 root root 1282 Dec  9 23:36 ejabberd-auth.conf
-rw-r--r--  1 root root  423 Dec  9 23:36 exim-common.conf
-rw-r--r--  1 root root 2158 Dec  9 23:36 exim-spam.conf
-rw-r--r--  1 root root 1810 Dec  9 23:36 exim.conf
-rw-r--r--  1 root root  963 Dec  9 23:36 freeswitch.conf
-rw-r--r--  1 root root 1209 Dec  9 23:36 froxlor-auth.conf
-rw-r--r--  1 root root  236 Dec  9 23:36 groupoffice.conf
-rw-r--r--  1 root root  322 Dec  9 23:36 gssftpd.conf
-rw-r--r--  1 root root  512 Dec  9 23:36 guacamole.conf
-rw-r--r--  1 root root 1158 Dec  9 23:36 haproxy-http-auth.conf
-rw-r--r--  1 root root  404 Dec  9 23:36 horde.conf
drwxr-xr-x. 2 root root   33 Feb 25 23:30 ignorecommands
-rw-r--r--  1 root root  482 Dec  9 23:36 kerio.conf
-rw-r--r--  1 root root  323 Dec  9 23:36 lighttpd-auth.conf
-rw-r--r--  1 root root 2279 Dec  9 23:36 mongodb-auth.conf
-rw-r--r--  1 root root  773 Dec  9 23:36 monit.conf
-rw-r--r--  1 root root  652 Dec  9 23:36 murmur.conf
-rw-r--r--  1 root root  891 Dec  9 23:36 mysqld-auth.conf
-rw-r--r--  1 root root  400 Dec  9 23:36 nagios.conf
-rw-r--r--  1 root root 1594 Dec  9 23:36 named-refused.conf
-rw-r--r--  1 root root  528 Dec  9 23:36 nginx-botsearch.conf
-rw-r--r--  1 root root  442 Dec  9 23:36 nginx-http-auth.conf
-rw-r--r--  1 root root 1427 Dec  9 23:36 nginx-limit-req.conf
-rw-r--r--  1 root root  707 Dec  9 23:36 nsd.conf
-rw-r--r--  1 root root  459 Dec  9 23:36 openhab.conf
-rw-r--r--  1 root root  495 Dec  9 23:36 openwebmail.conf
-rw-r--r--  1 root root 1905 Dec  9 23:36 oracleims.conf
-rw-r--r--  1 root root  814 Dec  9 23:36 pam-generic.conf
-rw-r--r--  1 root root  568 Dec  9 23:36 perdition.conf
-rw-r--r--  1 root root  834 Dec  9 23:36 php-url-fopen.conf
-rw-r--r--  1 root root  188 Dec  9 23:36 portsentry.conf
-rw-r--r--  1 root root  454 Dec  9 23:36 postfix-rbl.conf
-rw-r--r--  1 root root  482 Dec  9 23:36 postfix-sasl.conf
-rw-r--r--  1 root root 1289 Dec  9 23:36 postfix.conf
-rw-r--r--  1 root root 1216 Dec  9 23:36 proftpd.conf
-rw-r--r--  1 root root 2409 Dec  9 23:36 pure-ftpd.conf
-rw-r--r--  1 root root  795 Dec  9 23:36 qmail.conf
-rw-r--r--  1 root root 1286 Dec  9 23:36 recidive.conf
-rw-r--r--  1 root root 1367 Dec  9 23:36 roundcube-auth.conf
-rw-r--r--  1 root root  821 Dec  9 23:36 screensharingd.conf
-rw-r--r--  1 root root  517 Dec  9 23:36 selinux-common.conf
-rw-r--r--  1 root root  570 Dec  9 23:36 selinux-ssh.conf
-rw-r--r--  1 root root  396 Feb 16 03:37 sendmail-auth.conf
-rw-r--r--  1 root root 2470 Feb 16 03:37 sendmail-reject.conf
-rw-r--r--  1 root root  371 Dec  9 23:36 sieve.conf
-rw-r--r--  1 root root  706 Dec  9 23:36 slapd.conf
-rw-r--r--  1 root root  472 Dec  9 23:36 sogo-auth.conf
-rw-r--r--  1 root root 1094 Dec  9 23:36 solid-pop3d.conf
-rw-r--r--  1 root root  206 Dec  9 23:36 squid.conf
-rw-r--r--  1 root root  199 Dec  9 23:36 squirrelmail.conf
-rw-r--r--  1 root root  761 Dec  9 23:36 sshd-ddos.conf
-rw-r--r--  1 root root 3160 Dec  9 23:36 sshd.conf
-rw-r--r--  1 root root  363 Dec  9 23:36 stunnel.conf
-rw-r--r--  1 root root  645 Dec  9 23:36 suhosin.conf
-rw-r--r--  1 root root  821 Dec  9 23:36 tine20.conf
-rw-r--r--  1 root root  374 Dec  9 23:36 uwimap-auth.conf
-rw-r--r--  1 root root  637 Dec  9 23:36 vsftpd.conf
-rw-r--r--  1 root root  444 Dec  9 23:36 webmin-auth.conf
-rw-r--r--  1 root root  520 Dec  9 23:36 wuftpd.conf
-rw-r--r--  1 root root  503 Dec  9 23:36 xinetd-fail.conf
```
You can use these as they are, or write a new filter of your own.
When you write one, fail2ban-regex is the command to check that the filter matches exactly what you intend, and nothing else. It can be driven in four ways:
- test a single log line against a filter file
- test a single log line against a failregex string
- test a whole log file against a filter file
- print the lines that matched
Pass the log line you want to test together with the filter file. Every failregex in the filter that matches is listed with its hit count; regexes with zero hits are omitted unless you add -v, which is why the GET pattern appears here as "2)" with no "1)" above it.

```
# fail2ban-regex 'xxx.xxx.xxx.55 - - [01/May/2017:20:24:53 +0900] "GET /wp-login.php HTTP/1.1"' /etc/fail2ban/filter.d/apache-wplogin.conf

Running tests
=============

Use   failregex filter file : apache-wplogin, basedir: /etc/fail2ban
Use      single line : xxx.xxx.xxx.55 - - [01/May/2017:20:24:53 +0900] "GE...


Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   2) [1] ^<HOST>\ \-.*\"GET\ \/wp-login.php HTTP\/1\..*\"
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed
```
Pass a log line and a failregex string directly. This is the quickest loop while drafting a regex, before it goes into a filter file. Note that the "Date template hits" section is still populated: fail2ban locates the timestamp first and removes it from the line before applying failregex, so the regex must not depend on the date being present.

```
# fail2ban-regex 'xxx.xxx.xxx.55 - - [01/May/2017:20:24:53 +0900] "GET /wp-login.php HTTP/1.1"' '^<HOST>\ \-.*\"GET\ \/wp-login.php HTTP\/1\..*\"'

Running tests
=============

Use   failregex line : ^<HOST>\ \-.*\"GET\ \/wp-login.php HTTP\/1\..*\"
Use      single line : xxx.xxx.xxx.55 - - [01/May/2017:20:24:53 +0900] "GE...


Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^<HOST>\ \-.*\"GET\ \/wp-login.php HTTP\/1\..*\"
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.00 sec]
```
Pass a log file and the filter. In an access log most lines are legitimately "missed"; what you want to confirm is that every line that should match does, and that the per-regex hit counts look plausible for the traffic you know about. Two things to check in the header: "Use encoding : ANSI_X3.4-1968" means the file was read as plain ASCII because the shell's locale is C, so if the log carries non-ASCII bytes (User-Agent or Referer strings often do) pass -e UTF-8 to avoid decode warnings, and "Date template hits" should equal the total line count, otherwise some lines' timestamps were not recognised and those failures would be counted with the wrong time.

```
# fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-wplogin.conf

Running tests
=============

Use   failregex filter file : apache-wplogin, basedir: /etc/fail2ban
Use         log file : /var/log/httpd/access_log
Use         encoding : ANSI_X3.4-1968


Results
=======

Failregex: 329 total
|-  #) [# of hits] regular expression
|   1) [142] ^<HOST>\ \-.*\"POST\ \/wp-login.php HTTP\/1\..*\"
|   2) [187] ^<HOST>\ \-.*\"GET\ \/wp-login.php HTTP\/1\..*\"
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [4238] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 4238 lines, 0 ignored, 329 matched, 3909 missed
[processed in 0.33 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 3909 lines
```
Add --print-all-matched to print the lines that matched the filter (the list is trimmed here). Reading the matched lines, not just the counts, is how you catch a regex that is too broad.

```
# fail2ban-regex --print-all-matched /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-wplogin.conf

Running tests
=============

Use   failregex filter file : apache-wplogin, basedir: /etc/fail2ban
Use         log file : /var/log/httpd/access_log
Use         encoding : ANSI_X3.4-1968


Results
=======

Failregex: 329 total
|-  #) [# of hits] regular expression
|   1) [142] ^<HOST>\ \-.*\"POST\ \/wp-login.php HTTP\/1\..*\"
|   2) [187] ^<HOST>\ \-.*\"GET\ \/wp-login.php HTTP\/1\..*\"
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [4239] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 4239 lines, 0 ignored, 329 matched, 3910 missed
[processed in 0.32 sec]

|- Matched line(s):
|  xxx.xxx.xxx.135 - - [30/Apr/2017:04:12:15 +0900] "GET /wp-login.php HTTP/1.1" 200 3941 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
|  xxx.xxx.xxx.205 - - [30/Apr/2017:06:18:55 +0900] "GET /wp-login.php HTTP/1.1" 200 3988 "http://xxx.xxx.xxx/wp-login.php" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14"
(snip)
```
With this command it is much easier to build the filters you need. One caveat the output above makes visible: the two regexes match every GET or POST to wp-login.php regardless of the response status, so an administrator who simply opens the login page and signs in is counted like an attacker. Keep maxretry high enough for that, put your own addresses in the jail's ignoreip, and if you add an ignoreregex, test it too by passing it as the third positional argument shown in the synopsis below.
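To see what fail2ban-regex is actually checking, here is an added example (not code from this post or from the fail2ban project) that re-creates the core of the test offline in Python: it parses a filter's failregex lines, expands `<HOST>`, cuts the timestamp out of each log line before matching as fail2ban does, counts hits per regex and per host, and applies a jail's maxretry/findtime window. The apache-wplogin filter text is reconstructed from the two regexes shown in the output above (the filter file itself is not on the page); the `<HOST>` expansion is the one fail2ban 0.9.x uses, assumed here; the log lines are constructed sample data; and the "strict" variant, which only counts POSTs answered with 200 (WordPress answers a successful login with a 302), is my suggestion, not the post's.

```python
"""Offline re-creation of the check fail2ban-regex performs: expand <HOST>,
apply failregex to timestamp-stripped log lines, count hits per regex/host.
Added example; not code from the original post or from fail2ban itself."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Reconstructed from the two regexes fail2ban-regex reported for
# apache-wplogin.conf (the filter file itself is not shown on the page).
WPLOGIN_FILTER = r"""
[Definition]
failregex = ^<HOST>\ \-.*\"POST\ \/wp-login.php HTTP\/1\..*\"
            ^<HOST>\ \-.*\"GET\ \/wp-login.php HTTP\/1\..*\"
ignoreregex =
"""

# Suggested tighter variant (mine, not the post's): a GET of the form is not a
# login attempt, and WordPress answers a successful POST with 302, a failed
# one with 200, so only "POST ... 200" is counted.
WPLOGIN_STRICT_FILTER = r"""
[Definition]
failregex = ^<HOST>\ \-.*\"POST\ \/wp-login\.php HTTP\/1\.[01]\" 200 \S+
ignoreregex =
"""

# Assumption: the <HOST> expansion used by fail2ban 0.9.x; newer releases use
# a richer pattern, but the capture group is still named "host".
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed sample log lines (Apache combined format), not from the post.
SAMPLE_LOG = """\
198.51.100.7 - - [01/May/2017:20:24:53 +0900] "GET /wp-login.php HTTP/1.1" 200 3941 "-" "Mozilla/5.0"
198.51.100.7 - - [01/May/2017:20:24:55 +0900] "POST /wp-login.php HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
198.51.100.7 - - [01/May/2017:20:24:57 +0900] "POST /wp-login.php HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
198.51.100.7 - - [01/May/2017:20:24:59 +0900] "POST /wp-login.php HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
203.0.113.9 - - [01/May/2017:20:30:01 +0900] "GET /wp-login.php HTTP/1.1" 200 3941 "-" "Mozilla/5.0"
203.0.113.9 - - [01/May/2017:20:30:05 +0900] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.9 - - [01/May/2017:20:30:06 +0900] "GET /wp-admin/ HTTP/1.1" 200 20110 "-" "Mozilla/5.0"
192.0.2.44 - - [01/May/2017:21:00:00 +0900] "GET /index.php HTTP/1.1" 200 15233 "-" "curl/7.29.0"
"""

DATE_RE = re.compile(r"\d{2}/[A-Z][a-z]{2}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}")
DATE_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_filter(text):
    """Read failregex/ignoreregex from a filter's [Definition] section.
    Indented lines continue the previous option, as in fail2ban's ini syntax."""
    opts, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("#", ";")):
            continue
        if raw.startswith("["):
            key = None
        elif raw[0].isspace() and key:
            opts[key].append(raw.strip())
        else:
            key, _, value = raw.partition("=")
            key = key.strip()
            opts[key] = [value.strip()] if value.strip() else []
    return opts.get("failregex", []), opts.get("ignoreregex", [])


def split_date(line):
    """Cut the timestamp out before matching, as fail2ban does: failregex is
    applied to the line with the date removed, so it must not rely on it."""
    m = DATE_RE.search(line)
    if not m:
        return None, line
    return datetime.strptime(m.group(0), DATE_FMT), line[:m.start()] + line[m.end():]


def run_regex(log_text, filter_text):
    """Emulate fail2ban-regex: hits per failregex, line statistics, and the
    (host, time) failures a jail would count against each address."""
    fail_rx, ignore_rx = ([re.compile(r.replace("<HOST>", HOST_RE)) for r in group]
                          for group in parse_filter(filter_text))
    hits, failures = Counter(), []
    stats = Counter(lines=0, matched=0, missed=0, ignored=0)
    for line in filter(str.strip, log_text.splitlines()):
        stats["lines"] += 1
        stamp, body = split_date(line)
        if any(rx.search(body) for rx in ignore_rx):
            stats["ignored"] += 1
            continue
        for idx, rx in enumerate(fail_rx, 1):
            m = rx.search(body)
            if m:  # fail2ban stops at the first failregex that matches
                hits[idx] += 1
                stats["matched"] += 1
                failures.append((m.group("host"), stamp))
                break
        else:
            stats["missed"] += 1
    return hits, stats, failures


def would_ban(failures, maxretry=3, findtime=timedelta(seconds=600)):
    """Apply a jail's maxretry/findtime: a host is banned once maxretry of its
    failures fall inside one findtime-long window."""
    by_host = defaultdict(list)
    for host, stamp in failures:
        if stamp is not None:
            by_host[host].append(stamp)
    banned = set()
    for host, stamps in by_host.items():
        stamps.sort()
        if any(stamps[i + maxretry - 1] - stamps[i] <= findtime
               for i in range(len(stamps) - maxretry + 1)):
            banned.add(host)
    return banned


if __name__ == "__main__":
    for name, flt in (("apache-wplogin", WPLOGIN_FILTER),
                      ("apache-wplogin (strict)", WPLOGIN_STRICT_FILTER)):
        hits, stats, failures = run_regex(SAMPLE_LOG, flt)
        print(f"{name}: hits={dict(hits)} {dict(stats)} ban={sorted(would_ban(failures))}")
```

Run against the sample lines, the original filter counts 203.0.113.9 twice (one GET of the form, one successful 302 login) even though it never failed a login, while the strict variant counts only the three failed POSTs from 198.51.100.7; both end up banning the same brute-forcer, but only the strict one leaves the legitimate administrator alone. The same split of "parse, strip date, match, count" is what you are exercising when you hand fail2ban-regex a log file and a filter.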
For reference, the man page for fail2ban-regex 0.9.6, the version installed here:

```
FAIL2BAN-REGEX(1)                 User Commands                FAIL2BAN-REGEX(1)

NAME
       fail2ban-regex - test Fail2ban "failregex" option

SYNOPSIS
       fail2ban-regex [OPTIONS] <LOG> <REGEX> [IGNOREREGEX]

DESCRIPTION
       Fail2Ban reads log file that contains password failure report and bans
       the corresponding IP addresses using firewall rules.

       This tools can test regular expressions for "fail2ban".

       LOG:
           string              a string representing a log line
           filename            path to a log file (/var/log/auth.log)
           "systemd-journal"   search systemd journal (systemd-python required)

       REGEX:
           string              a string representing a 'failregex'
           filename            path to a filter file (filter.d/sshd.conf)

       IGNOREREGEX:
           string              a string representing an 'ignoreregex'
           filename            path to a filter file (filter.d/sshd.conf)

OPTIONS
       --version
              show program's version number and exit

       -h, --help
              show this help message and exit

       -d DATEPATTERN, --datepattern=DATEPATTERN
              set custom pattern used to match date/times

       -e ENCODING, --encoding=ENCODING
              File encoding. Default: system locale

       -r, --raw
              Raw hosts, don't resolve dns

       -L MAXLINES, --maxlines=MAXLINES
              maxlines for multi-line regex

       -m JOURNALMATCH, --journalmatch=JOURNALMATCH
              journalctl style matches overriding filter file.
              "systemd-journal" only

       -l LOG_LEVEL, --log-level=LOG_LEVEL
              Log level for the Fail2Ban logger to use

       -v, --verbose
              Be verbose in output

       -D, --debuggex
              Produce debuggex.com urls for debugging there

       --print-no-missed
              Do not print any missed lines

       --print-no-ignored
              Do not print any ignored lines

       --print-all-matched
              Print all matched lines

       --print-all-missed
              Print all missed lines, no matter how many

       --print-all-ignored
              Print all ignored lines, no matter how many

       -t, --log-traceback
              Enrich log-messages with compressed tracebacks

       --full-traceback
              Either to make the tracebacks full, not compressed (as by
              default)

AUTHOR
       Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>.
       Many contributions by Yaroslav O. Halchenko and Steven Hiscocks.

REPORTING BUGS
       Report bugs to https://github.com/fail2ban/fail2ban/issues

COPYRIGHT
       Copyright (C) 2004-2008 Cyril Jaquier, 2008- Fail2Ban Contributors
       Copyright of modifications held by their respective authors.
       Licensed under the GNU General Public License v2 (GPL).

SEE ALSO
       fail2ban-client(1)
       fail2ban-server(1)

fail2ban-regex 0.9.6               December 2016               FAIL2BAN-REGEX(1)
```