fail2ban works fine for bad SSH attempts but fails for bad Apache2 attempts


I am using Debian Linux. uname --all shows:

Linux xxx.xx 2.6.32-5-686 #1 SMP Tue May 13 16:33:32 UTC 2014 i686 GNU/Linux

The port my sshd runs on is not 22. I updated /etc/fail2ban/jail.local to point at the new port for sshd. Good result: if I use an SSH client to try to log in on that port and enter the wrong password several times, my IP address gets locked out via iptables.

However, I also run an Apache web server, and it is constantly hit by attempts like the following (from /var/log/apache2/error.log):

[Sun Nov 02 08:03:13 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/muieblackcat
[Sun Nov 02 08:03:14 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/phpMyAdmin
[Sun Nov 02 08:03:16 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/phpmyadmin
[Sun Nov 02 08:03:16 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/pma
[Sun Nov 02 08:03:16 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/myadmin
[Sun Nov 02 08:03:17 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/MyAdmin

I am trying to set up fail2ban to read error.log and ban the offending IP addresses via iptables, but it doesn't work properly.

As I said, it works fine for SSH but not for Apache. Here is my jail.local:

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8 67.159.128.0/19
# bantime = 21600 == 6 hours
bantime  = 21600

#findtime, in seconds.  300 = 5 minutes, 10800 = 3 hours
findtime = 10800
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = auto

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define 
# action_* variables. Can be overriden globally or per 
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
          %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
            %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s

#
# JAILS
#

# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

# we are banning port xxxxx instead of ssh because I use port xxxxx instead
[ssh]

enabled = true
port    = xxxxx
filter  = sshd
logpath  = /var/log/auth.log
findtime = 300
maxretry = 4

#
# HTTP servers
#

[apache]

enabled = true
port    = http,https
filter  = apache-auth
logpath = /var/log/apache2/*error.log
findtime = 10800
maxretry = 3

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]

enabled   = true
port      = http,https
filter    = apache-auth
logpath   = /var/log/apache2/*error.log
findtime = 300
maxretry  = 3

[apache-noscript]

enabled = true
port    = http,https
filter  = apache-noscript
logpath = /var/log/apache2/*error.log
findtime = 300
maxretry = 4

[apache-overflows]

enabled = true
port    = http,https
filter  = apache-overflows
logpath = /var/log/apache2/*error.log
findtime = 300
maxretry = 2

[apache-misc]

enabled = true
port = http,https
filter = apache-misc
logpath = /var/log/apache2/*error.log
findtime = 10800
maxretry = 2

This is my /etc/fail2ban/apache-misc file:

[Definition]

failregex = <HOST>.*"[A-Z]* /(cms|user|muieblackcat|db|cpcommerce|wp-login|joomla|awstatstotals|wp-content|wp-includes|pma|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|pmadb|phpmyadmin1|phpmyadmin2).*"
            <HOST>.*\" (502|500|417|416|415|414|413|412|404|405|403|401|400)

ignoreregex = .*\"GET \/(press|mailto|domestic|word).*

Can anyone offer some advice?

Answer 1

I'd suggest starting with a small subset of your regex conditions, using the recommended syntax, like this:

failregex = [[]client (?P<host>\S*)[]] File does not exist: .*/(muieblackcat|phpmyadmin)

You can always build on that, and it's easy to test the regex. Don't forget to reload fail2ban after the change.

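To see why the [apache-misc] jail never fires, here is an added example (not part of the question or the answer, and not fail2ban's own code) that mimics what fail2ban does with a filter: strip the leading date from each line, expand the <HOST> tag with the pattern fail2ban 0.8 uses for it, apply each failregex to the remainder, and count hits per host inside findtime. It runs the asker's apache-misc failregex and the answer's regex over the error.log lines quoted in the question (the sample, and the extra 10.0.0.5 line added as a non-offending host, are constructed) with the maxretry = 2 and findtime = 10800 of the asker's [apache-misc] jail.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the error.log lines quoted in the question plus one benign
# request from another client, so the ban logic has a host it must leave alone.
ERROR_LOG = """\
[Sun Nov 02 08:03:13 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/muieblackcat
[Sun Nov 02 08:03:14 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/phpMyAdmin
[Sun Nov 02 08:03:16 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/phpmyadmin
[Sun Nov 02 08:03:16 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/pma
[Sun Nov 02 08:03:16 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/myadmin
[Sun Nov 02 08:03:17 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/MyAdmin
[Sun Nov 02 08:05:00 2014] [error] [client 10.0.0.5] File does not exist: /var/www/html/favicon.ico
"""

# The asker's filter, as posted: written for the quoted "GET /path" request and
# status-code layout of access.log, which never appears in error.log.
ASKER_FAILREGEX = [
    r'<HOST>.*"[A-Z]* /(cms|user|muieblackcat|db|cpcommerce|wp-login|joomla|awstatstotals|'
    r'wp-content|wp-includes|pma|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|'
    r'xampp|mysqldb|pmadb|phpmyadmin1|phpmyadmin2).*"',
    r'<HOST>.*\" (502|500|417|416|415|414|413|412|404|405|403|401|400)',
]
ASKER_IGNOREREGEX = r'.*\"GET \/(press|mailto|domestic|word).*'

# The answer's filter: matches the "[client IP] File does not exist: ..." layout of error.log.
ANSWER_FAILREGEX = [
    r'[[]client (?P<host>\S*)[]] File does not exist: .*/(muieblackcat|phpmyadmin)',
]

# Expansion of the <HOST> tag in fail2ban 0.8.x filters.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# fail2ban matches and removes the date at the start of the line before applying
# failregex; for Apache 2.2 error.log that is "[Sun Nov 02 08:03:13 2014] ".
DATE_RE = re.compile(r"^\[(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\] ")
DATE_FMT = "%a %b %d %H:%M:%S %Y"


def compile_failregex(pattern):
    """Substitute the <HOST> tag the way fail2ban does, then compile."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


def split_date(line):
    """Return (timestamp, rest_of_line), or (None, line) if no date is recognised."""
    m = DATE_RE.match(line)
    if not m:
        return None, line
    return datetime.strptime(m.group(1), DATE_FMT), line[m.end():]


def find_failures(log_text, failregexes, ignoreregex=None):
    """Return (timestamp, host) for every line that hits a failregex and not the ignoreregex."""
    compiled = [compile_failregex(p) for p in failregexes]
    ignore = re.compile(ignoreregex) if ignoreregex else None
    hits = []
    for line in log_text.splitlines():
        ts, rest = split_date(line)
        if ts is None:
            continue  # fail2ban skips lines whose date it cannot parse
        if ignore and ignore.search(rest):
            continue
        for rx in compiled:
            m = rx.search(rest)
            if m:
                hits.append((ts, m.group("host")))
                break
    return hits


def hosts_to_ban(hits, maxretry, findtime):
    """Sliding window: a host is banned once it has maxretry hits within findtime seconds."""
    window = defaultdict(list)
    banned = set()
    for ts, host in hits:
        window[host] = [t for t in window[host] if ts - t <= timedelta(seconds=findtime)]
        window[host].append(ts)
        if len(window[host]) >= maxretry:
            banned.add(host)
    return banned


def demo():
    """Compare both filters against the sample using the [apache-misc] jail settings."""
    asker_hits = find_failures(ERROR_LOG, ASKER_FAILREGEX, ASKER_IGNOREREGEX)
    answer_hits = find_failures(ERROR_LOG, ANSWER_FAILREGEX)
    return {
        "asker_hits": len(asker_hits),      # 0: the access.log-style regex never matches error.log
        "answer_hits": len(answer_hits),    # 2: muieblackcat and the lower-case phpmyadmin line
        "banned": hosts_to_ban(answer_hits, maxretry=2, findtime=10800),
    }


if __name__ == "__main__":
    print(demo())
```

The asker's regex scores zero because it expects the quoted request line and status code of access.log, and those never appear in error.log, so no amount of jail tuning would make it ban anyone. The answer's regex is case-sensitive, so phpMyAdmin and MyAdmin are not counted; with maxretry = 2 the two remaining hits are still enough to ban 178.239.62.113. The real tool for the same check is fail2ban-regex, e.g. `fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-misc.conf`, which reports how many lines each failregex matched.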