Example of a line in the log file /var/log/openvpnas.log
2017-07-22 01:13:51+0200 [-] OVPN 4 OUT: "Fri Jul 21 23:13:51 2017 62.140.147.120:5414 SENT CONTROL [jeff]: 'AUTH_FAILED' (status=1)"
I want to use fail2ban to block the IP address 62.140.147.120 when AUTH_FAILED appears in such a line, as in the example line. I have been trying to achieve this for hours. Searching Google. Experimenting with regular expressions. Still can't get it to work.
So far the most logical line in openvpn.conf seems to me to be:
failregex = ^ ... OVPN 4 OUT: \".* .* .* ..:..:.. .... <HOST>:.* SENT CONTROL .*: \'AUTH_FAILED\' $
But the command:
fail2ban-regex /var/log/openvpnas.log /etc/fail2ban/filter.d/openvpn.conf
keeps saying: 0 matched
Can anyone help me? What value should I enter for "failregex" in openvpn.conf?
Thanks, Neil.
Here are the contents of my filter.d file:
failregex = <HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*
ignoreregex = <HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED,SESSION
The following failregex works for me:
failregex = <HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*
Testing with fail2ban-regex gives:
$ fail2ban-regex -v --print-all-matched openvpn.log "<HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*"
Running tests
=============
Use failregex line : <HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*
Use log file : openvpn.log
Use encoding : UTF-8
Results
=======
Failregex: 7 total
|- #) [# of hits] regular expression
| 1) [7] <HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*
| 31.77.70.2 Mon Mar 26 14:23:23 2018
| 31.77.70.2 Mon Mar 26 14:53:43 2018
| 31.77.70.2 Mon Mar 26 14:54:42 2018
| 31.77.70.2 Mon Mar 26 14:55:09 2018
| 31.77.70.2 Mon Mar 26 15:16:52 2018
| 31.77.70.2 Mon Mar 26 15:19:14 2018
| 31.77.70.2 Mon Mar 26 15:20:59 2018
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [5664] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
| [413] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
| [0] Day(?P<_sep>[-/])Month(?P=_sep)(?:Year|Year2) 24hour:Minute:Second
| [0] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
| [0] Month/Day/Year:24hour:Minute:Second
| [0] Month-Day-Year 24hour:Minute:Second\.Microseconds
| [0] TAI64N
| [0] Epoch
| [0] Year-Month-Day[T ]24hour:Minute:Second(?:\.Microseconds)?(?:Zone offset)?
| [0] ^24hour:Minute:Second
| [0] ^<Month/Day/Year2@24hour:Minute:Second>
| [0] ^Year2MonthDay ?24hour:Minute:Second
| [0] MON Day, Year 12hour:Minute:Second AMPM
| [0] ^MON-Day-Year2 24hour:Minute:Second
`-
Lines: 6077 lines, 0 ignored, 7 matched, 6070 missed [processed in 3.84 sec]
|- Matched line(s):
| 2018-03-26 14:23:23+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:23:23 2018 31.77.70.2:58835 SENT CONTROL [njarvis]: 'AUTH_FAILED' (status=1)"
| 2018-03-26 14:53:43+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:53:43 2018 31.77.70.2:62055 SENT CONTROL [njarvis]: 'AUTH_FAILED' (status=1)"
| 2018-03-26 14:54:42+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:54:42 2018 31.77.70.2:57913 SENT CONTROL [njarvis]: 'AUTH_FAILED' (status=1)"
| 2018-03-26 14:55:09+0100 [-] OVPN 4 OUT: "Mon Mar 26 14:55:09 2018 31.77.70.2:58704 SENT CONTROL [njarvis]: 'AUTH_FAILED' (status=1)"
| 2018-03-26 15:16:52+0100 [-] OVPN 4 OUT: "Mon Mar 26 15:16:52 2018 31.77.70.2:55038 SENT CONTROL [test]: 'AUTH_FAILED' (status=1)"
| 2018-03-26 15:19:14+0100 [-] OVPN 4 OUT: "Mon Mar 26 15:19:14 2018 31.77.70.2:50027 SENT CONTROL [test]: 'AUTH_FAILED,REVOKED: client certificate has been revoked' (status=1)"
| 2018-03-26 15:20:59+0100 [-] OVPN 4 OUT: "Mon Mar 26 15:20:59 2018 31.77.70.2:49564 SENT CONTROL [njarvis]: 'AUTH_FAILED' (status=1)"
`-
Missed line(s): too many to print. Use --print-all-missed to print all 6070 lines
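To show what the working failregex matches and what the ignoreregex from the earlier reply excludes, here is an added Python harness; it is not code from this thread or from fail2ban. It approximates fail2ban's expansion of `<HOST>` with a plain hostname/IPv4 group, the `maxretry` threshold is a hypothetical parameter of the harness, and the log lines it scans are constructed after the ones printed above.

```python
import re
from collections import Counter

# fail2ban substitutes <HOST> with a named capture group; this is a simplified
# IPv4/hostname version of that expansion (harness assumption, not fail2ban's exact pattern).
HOST_RE = r"(?P<host>[\w\-.^_]*\w)"

FAILREGEX = r"<HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED.*"
IGNOREREGEX = r"<HOST>:[0-9]+\sSENT\sCONTROL\s.*?AUTH_FAILED,SESSION"

# Constructed sample lines modelled on the openvpnas.log format shown above.
LOG_LINES = [
    "2018-03-26 14:23:23+0100 [-] OVPN 4 OUT: \"Mon Mar 26 14:23:23 2018 "
    "31.77.70.2:58835 SENT CONTROL [njarvis]: 'AUTH_FAILED' (status=1)\"",
    "2018-03-26 15:19:14+0100 [-] OVPN 4 OUT: \"Mon Mar 26 15:19:14 2018 "
    "31.77.70.2:50027 SENT CONTROL [test]: 'AUTH_FAILED,REVOKED: client certificate has been revoked' (status=1)\"",
    # Session-expiry failure: matched by failregex but excluded by ignoreregex.
    "2018-03-26 15:30:00+0100 [-] OVPN 4 OUT: \"Mon Mar 26 15:30:00 2018 "
    "198.51.100.7:41000 SENT CONTROL [alice]: 'AUTH_FAILED,SESSION: session expired' (status=1)\"",
    # Successful handshake: no AUTH_FAILED, so no hit at all.
    "2018-03-26 15:31:00+0100 [-] OVPN 4 OUT: \"Mon Mar 26 15:31:00 2018 "
    "198.51.100.7:41001 SENT CONTROL [alice]: 'PUSH_REPLY,ping 10' (status=1)\"",
]


def compile_filter(pattern):
    """Turn a fail2ban-style pattern with <HOST> into a compiled Python regex."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def failed_auth_hosts(lines, failregex=FAILREGEX, ignoreregex=IGNOREREGEX):
    """Count failregex hits per host, skipping lines that also match ignoreregex."""
    fail = compile_filter(failregex)
    ignore = compile_filter(ignoreregex)
    hits = Counter()
    for line in lines:
        m = fail.search(line)
        if m is None or ignore.search(line):
            continue
        hits[m.group("host")] += 1
    return hits


def ban_candidates(hits, maxretry=2):
    """Hosts whose failure count reaches the (hypothetical) maxretry threshold."""
    return sorted(h for h, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    counts = failed_auth_hosts(LOG_LINES)
    print(dict(counts))              # {'31.77.70.2': 2}
    print(ban_candidates(counts))    # ['31.77.70.2']
```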