fail2ban testing on a dummy log - PullRequest
0 votes
/ 08 November 2018

I have a script that generates a line every 2 seconds. The lines:

172.16.1.1 - - [08/Nov/2018:03:23:19  +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:21  +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:23  +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:25  +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:27  +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:29  +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:31  +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:33  +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:35  +0700] "POST /wp-login.php HTTP/1.1" 200
172.16.1.1 - - [08/Nov/2018:03:23:37  +0700] "POST /wp-login.php HTTP/1.1" 200

It writes its output to /opt/wpabuse/172.16.1.1.log

My server's timezone is Asia/Jakarta

My jail:

[apache-wp-login]
enabled=true
filter = apache-wp-login
action = remote-pfsense
logpath = /opt/wpabuse/*.log

My action:

[Definition]

actionstart = touch /var/run/fail2ban/pfsense.dummy
              printf %%b "<init>\n" >> /var/run/fail2ban/pfsense.dummy

actionban = printf %%b "+<ip>\n" >> /var/run/fail2ban/pfsense.dummy
actionunban = printf %%b "-<ip>\n" >> /var/run/fail2ban/pfsense.dummy

[Init]

My filter:

[Definition]
failregex = <HOST> - - .* "POST /wp-login.php HTTP/.*" 200

ignoreregex =

First, I can't get a ban. I start the dummy log generator ... and while it is generating lines ... I start fail2ban

fail2ban.log looks like

2018-11-08 10:23:33,265 fail2ban.datedetector   [13048]: DEBUG   Got time 1541622213.000000 for "u'08/Nov/2018:03:23:33'" using template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
2018-11-08 10:23:33,266 fail2ban.datedetector   [13048]: DEBUG   Sorting the template list
2018-11-08 10:23:33,266 fail2ban.datedetector   [13048]: DEBUG   Winning template: Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)? with 170 hits
2018-11-08 10:23:35,268 fail2ban.filterpoll     [13048]: DEBUG   /opt/wpabuse/172.16.1.1.log has been modified
2018-11-08 10:23:35,269 fail2ban.datedetector   [13048]: DEBUG   Matched time template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
2018-11-08 10:23:35,269 fail2ban.datedetector   [13048]: DEBUG   Got time 1541622215.000000 for "u'08/Nov/2018:03:23:35'" using template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
2018-11-08 10:23:35,270 fail2ban.datedetector   [13048]: DEBUG   Sorting the template list
2018-11-08 10:23:35,270 fail2ban.datedetector   [13048]: DEBUG   Winning template: Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)? with 171 hits
2018-11-08 10:23:37,272 fail2ban.filterpoll     [13048]: DEBUG   /opt/wpabuse/172.16.1.1.log has been modified
2018-11-08 10:23:37,273 fail2ban.datedetector   [13048]: DEBUG   Matched time template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
2018-11-08 10:23:37,273 fail2ban.datedetector   [13048]: DEBUG   Got time 1541622217.000000 for "u'08/Nov/2018:03:23:37'" using template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
2018-11-08 10:23:37,274 fail2ban.datedetector   [13048]: DEBUG   Sorting the template list
2018-11-08 10:23:37,274 fail2ban.datedetector   [13048]: DEBUG   Winning template: Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)? with 172 hits

But why didn't the "action" fire?

Regards -bino-
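One check worth running on a setup like this: fail2ban only counts a matched line if its timestamp lies within findtime of the server clock, and the fail2ban.log above shows the server at 10:23 while the generated lines carry 03:23 +0700. The script below is an added example (not from the post or from fail2ban itself) that re-implements that counting step over a constructed copy of the sample lines; it assumes fail2ban's default findtime of 600 s and maxretry of 5 (the jail above sets neither), a fixed +07:00 offset standing in for Asia/Jakarta, and an IPv4-only stand-in for the <HOST> substitution.

```python
import re
from datetime import datetime, timedelta, timezone

JAKARTA = timezone(timedelta(hours=7))  # Asia/Jakarta (UTC+7, no DST); fixed-offset stand-in

# Constructed sample: ten lines 2 seconds apart, like the post's generator writes.
SAMPLE_LOG = "\n".join(
    f'172.16.1.1 - - [08/Nov/2018:03:23:{19 + 2 * i:02d}  +0700] "POST /wp-login.php HTTP/1.1" 200'
    for i in range(10)
)
# The post's failregex with <HOST> swapped for an IPv4 group (fail2ban's real
# substitution also accepts IPv6 addresses and hostnames).
FAILREGEX = re.compile(r'(?P<host>\d{1,3}(?:\.\d{1,3}){3}) - - .* "POST /wp-login.php HTTP/.*" 200')
# Apache timestamp; tolerates the double space before the offset and a missing offset.
DATE_RE = re.compile(r'\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})\s*(?P<tz>[+-]\d{4})?\]')

def parse_line(line, local_tz=JAKARTA):
    """Return (host, timezone-aware datetime) for a matching line, else None."""
    m, d = FAILREGEX.search(line), DATE_RE.search(line)
    if not m or not d:
        return None
    when = datetime.strptime(d.group("ts"), "%d/%b/%Y:%H:%M:%S")
    tz = d.group("tz")
    if tz:  # an explicit offset in the line wins; otherwise the server's local zone is assumed
        sign = 1 if tz[0] == "+" else -1
        local_tz = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5])))
    return m.group("host"), when.replace(tzinfo=local_tz)

def count_recent_failures(log_text, now, findtime=600):
    """Per-host matches whose timestamp lies within findtime seconds before `now`;
    fail2ban discards older lines before they are ever compared against maxretry."""
    counts, cutoff = {}, now - timedelta(seconds=findtime)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] >= cutoff:
            counts[parsed[0]] = counts.get(parsed[0], 0) + 1
    return counts

def would_ban(log_text, now, findtime=600, maxretry=5):
    """Hosts that reach maxretry within findtime (fail2ban defaults: 600 s, 5 tries)."""
    return sorted(h for h, n in count_recent_failures(log_text, now, findtime).items() if n >= maxretry)

def scenario(hour, minute, second):
    """Evaluate the sample against a server clock on 08 Nov 2018, Jakarta time."""
    now = datetime(2018, 11, 8, hour, minute, second, tzinfo=JAKARTA)
    return count_recent_failures(SAMPLE_LOG, now), would_ban(SAMPLE_LOG, now)

if __name__ == "__main__":
    print("server clock 10:23:37 (as in fail2ban.log):", scenario(10, 23, 37))
    print("server clock 03:23:37 (matching the lines):", scenario(3, 23, 37))
```

With the server clock at 10:23:37 every sample line is older than findtime and nothing is counted, so no action can fire; with the clock at 03:23:37 the same ten lines exceed maxretry and the host would be banned.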

...