I am trying to filter malicious requests against a website running on an AWS instance by adding and removing IPs in a WAF IP set. I am trying to set up Fail2ban to do this.
Here are the files -
jail.local
[my-jail]
enabled = true
filter = my-filter
action = my-action
         sendmail-whois[name=Fail2Ban Test, [email protected], [email protected], sendername="Fail2Ban"]
logpath = /var/log/apache2/frontend-app-my-org-com-access.log
maxretry = 4
findtime = 60
bantime = 300
journalmatch = _SYSTEMD_UNIT=httpd.service
myactions.conf
[Definition]
actionstart = touch /var/log/fail2ban_debug.log
actionstop = rm -f /var/log/fail2ban_debug.log
actionban = /opt/scripts/ban.sh Ban <ip>
actionunban = /opt/scripts/ban.sh Unban <ip>
Note: /opt/scripts/ban.sh is executable, and /opt/scripts/ban.sh Ban 10.10.10.10 gives the expected result when tested manually. All files are owned and managed by the root user. The Fail2ban service is also started by the root user.
myfilter.conf
[Definition]
failregex = ^<HOST> - - \[.*\] \".*.my-org.*\" \".*\" [4-5][0-9][0-9]
Regex check
Checking the filter manually against the log works.
[root@ip-172-31-89-74 action.d]# fail2ban-regex /var/log/apache2/frontend-app-my-org-com-access.log /etc/fail2ban/filter.d/my-filter.conf | grep matched
Lines: 2325 lines, 0 ignored, 2325 matched, 0 missed
Log
2023-10-16 15:03:08,737 fail2ban.server [9162]: INFO --------------------------------------------------
2023-10-16 15:03:08,737 fail2ban.server [9162]: INFO Starting Fail2ban v0.11.2
2023-10-16 15:03:08,737 fail2ban.server [9162]: DEBUG Creating PID file /var/run/fail2ban/fail2ban.pid
2023-10-16 15:03:08,738 fail2ban.observer [9162]: INFO Observer start...
2023-10-16 15:03:08,738 fail2ban.server [9162]: DEBUG Starting communication
2023-10-16 15:03:08,742 fail2ban.database [9162]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2023-10-16 15:03:08,742 fail2ban.jail [9162]: INFO Creating new jail 'my-jail'
2023-10-16 15:03:08,748 fail2ban.jail [9162]: INFO Jail 'my-jail' uses systemd {}
2023-10-16 15:03:08,748 fail2ban.filter [9162]: DEBUG Setting usedns = warn for FilterSystemd(Jail('my-jail'))
2023-10-16 15:03:08,748 fail2ban.filter [9162]: DEBUG Created FilterSystemd(Jail('my-jail'))
2023-10-16 15:03:08,749 fail2ban.filtersystemd [9162]: DEBUG Created FilterSystemd
2023-10-16 15:03:08,749 fail2ban.jail [9162]: INFO Initiated 'systemd' backend
2023-10-16 15:03:08,749 fail2ban.filter [9162]: DEBUG Setting usedns = warn for FilterSystemd(Jail('my-jail'))
2023-10-16 15:03:08,749 fail2ban.server [9162]: DEBUG failregex: '^<HOST> - - \\[.*\\] \\".*.my-org.*\\" \\".*\\" [4-5][0-9][0-9]'
2023-10-16 15:03:08,750 fail2ban.filtersystemd [9162]: INFO [my-jail] Added journal match for: '_SYSTEMD_UNIT=httpd.service'
2023-10-16 15:03:08,750 fail2ban.filter [9162]: INFO maxRetry: 4
2023-10-16 15:03:08,750 fail2ban.filter [9162]: INFO encoding: UTF-8
2023-10-16 15:03:08,750 fail2ban.filter [9162]: INFO findtime: 60
2023-10-16 15:03:08,750 fail2ban.actions [9162]: INFO banTime: 300
2023-10-16 15:03:08,750 fail2ban.CommandAction [9162]: DEBUG Created <class 'fail2ban.server.action.CommandAction'>
2023-10-16 15:03:08,750 fail2ban.CommandAction [9162]: DEBUG Set actionunban = '/opt/scripts/ban.sh Unban <ip>'
2023-10-16 15:03:08,750 fail2ban.CommandAction [9162]: DEBUG Set actionstop = 'rm -f /var/log/fail2ban_debug.log'
2023-10-16 15:03:08,750 fail2ban.CommandAction [9162]: DEBUG Set actionban = '/opt/scripts/ban.sh Ban <ip>'
2023-10-16 15:03:08,750 fail2ban.CommandAction [9162]: DEBUG Set actionstart = 'touch /var/log/fail2ban_debug.log'
2023-10-16 15:03:08,751 fail2ban.CommandAction [9162]: DEBUG Set actname = 'my-action'
2023-10-16 15:03:08,751 fail2ban.CommandAction [9162]: DEBUG Set name = 'my-jail'
2023-10-16 15:03:08,751 fail2ban.jail [9162]: DEBUG Starting jail 'my-jail'
2023-10-16 15:03:08,753 fail2ban.jail [9162]: INFO Jail 'my-jail' started
2023-10-16 15:03:08,754 fail2ban.transmitter [9162]: DEBUG Status: ready
2023-10-16 15:03:08,756 fail2ban.utils [9162]: DEBUG 7f36b00f7490 -- returned successfully 0
[root@ip-172-31-89-74 action.d]# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2023-10-16 15:03:08 CEST; 35min ago
Docs: man:fail2ban(1)
Process: 8983 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
Process: 9160 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
Main PID: 9162 (fail2ban-server)
CGroup: /system.slice/fail2ban.service
└─9162 /usr/bin/python2 -s /usr/bin/fail2ban-server -xf start
Oct 16 15:03:08 ip-172-31-89-74.eu-central-1.compute.internal systemd[1]: Starting Fail2Ban Service...
Oct 16 15:03:08 ip-172-31-89-74.eu-central-1.compute.internal systemd[1]: Started Fail2Ban Service.
Oct 16 15:03:08 ip-172-31-89-74.eu-central-1.compute.internal fail2ban-server[9162]: Server ready
Test from bash with a specific IP address
i=0; while true; do echo -e "\n---------------------------------$i-----------------------------\n"; curl -s -L testing.my-org.de/tests; i=$(($i+1)); done
This produces the lines in the log that the jail expects. I have the local log file and have confirmed that actionstart works. I also receive an email every time I restart the service. Did I miss something, or is something wrong?
More data:
222.222.222.222 - - [16/Oct/2023:22:10:51 +0200] "testing.my-org.com" "GET /tests HTTP/1.1" 404 8043 61680 "-" "curl/7.88.1" "" "ea4uh580h9dl7tat34q2d5cjo7"
222.222.222.222 - - [16/Oct/2023:22:10:52 +0200] "testing.my-org.com" "GET /tests HTTP/1.1" 404 8043 61976 "-" "curl/7.88.1" "" "uou7bo5pj4tgp2m9t5kulkmvn2"
222.222.222.222 - - [16/Oct/2023:22:10:52 +0200] "testing.my-org.com" "GET /tests HTTP/1.1" 404 8043 68577 "-" "curl/7.88.1" "" "m3u0g2s41fa6igphsfecrdbg41"
[root@ip-172-31-89-74 apache2]# fail2ban-regex /var/log/apache2/frontend-app-my-org-com-access.log.1 /etc/fail2ban/filter.d/my-filter.conf
Running tests
=============
Use failregex filter file : my-filter, basedir: /etc/fail2ban
Use log file : /var/log/apache2/frontend-app-my-org-com-access.log.1
Use encoding : UTF-8
Results
=======
Failregex: 2480 total
|- #) [# of hits] regular expression
| 1) [2480] ^<HOST>
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [2480] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
Lines: 2480 lines, 0 ignored, 2480 matched, 0 missed
[processed in 0.17 sec]
[root@ip-172-31-89-74 apache2]# vim /etc/fail2ban/filter.d/my-filter.conf
[root@ip-172-31-89-74 apache2]# fail2ban-regex /var/log/apache2/frontend-app-my-org-com-access.log.1 /etc/fail2ban/filter.d/my-filter.conf
Running tests
=============
Use failregex filter file : my-filter, basedir: /etc/fail2ban
Use log file : /var/log/apache2/frontend-app-my-org-com-access.log.1
Use encoding : UTF-8
Results
=======
Failregex: 2480 total
|- #) [# of hits] regular expression
| 1) [2480] ^<HOST> - - \[.*\] \".*.my-org.*\" \".*\" [4-5][0-9][0-9]
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [2480] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
Lines: 2480 lines, 0 ignored, 2480 matched, 0 missed
[processed in 0.18 sec]
Answer 1
As already answered at https://superuser.com/a/1813168/1131979:
fail2ban-regex tests only the filter/failregex. Nothing else.
Jail 'my-jail' uses systemd means fail2ban is monitoring the system journal (probably the default backend), not the log file /var/log/...-access.log.
To monitor the jail's logpath, you need to switch to one of the file-based backends such as pyinotify or polling, or simply specify:
backend = auto
Also note that the regex is slightly vulnerable because of some catch-all items.
Last but not least, see fail2ban :: wiki :: Best practice (reducing parasitic log traffic).
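The following is an added example, not code from the question, the answer or the fail2ban project. It replays two things discussed above in plain Python: how the jail's maxretry/findtime rule turns matching access-log lines into a ban decision, and why the answer calls the posted failregex fragile. The `<HOST>` substitution is a simplified stand-in for fail2ban's real expansion (assumption: the real one also accepts IPv6 and DNS names), the log lines are constructed in the same format as the ones in the question, and the tightened regex is my own suggestion rather than anything from the page.

```python
import re
from datetime import datetime, timedelta

# The jail's failregex exactly as posted in the question.
LOOSE_FAILREGEX = r'^<HOST> - - \[.*\] \".*.my-org.*\" \".*\" [4-5][0-9][0-9]'

# Tightened variant (my suggestion, not from the page): fields are delimited
# with [^"]* instead of .*, the dot in the vhost is escaped, and the status
# code must sit directly after the request field, so an escaped quote inside
# a later field cannot be mistaken for the end of the request.
TIGHT_FAILREGEX = (r'^<HOST> - - \[[^\]]+\] "[^"]*\.my-org\.[^"]*" '
                   r'"(?:[^"\\]|\\.)*" [45]\d\d ')


def compile_failregex(failregex):
    # fail2ban expands <HOST> to a capturing group before compiling; this is a
    # simplified stand-in (assumption: the real expansion is more permissive).
    return re.compile(failregex.replace('<HOST>', r'(?P<host>\S+)'))


def matches(line, failregex):
    """True if the line would count as a failure under this failregex."""
    return compile_failregex(failregex).search(line) is not None


# Apache access-log timestamp, e.g. [16/Oct/2023:22:10:51 +0200]
LOG_TS = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')


def find_bans(lines, failregex, maxretry=4, findtime=60):
    """Replay the jail's counting rule: a host is banned once it has maxretry
    matching lines inside a findtime-second window.
    Returns {host: timestamp string of the line that triggered the ban}."""
    pattern = compile_failregex(failregex)
    recent = {}   # host -> timestamps of matching lines still inside findtime
    bans = {}
    for line in lines:
        m = pattern.search(line)
        if not m:
            continue            # not a failure, the jail ignores it
        host = m.group('host')
        if host in bans:
            continue            # already banned, nothing more to count
        stamp = LOG_TS.search(line).group(1)
        ts = datetime.strptime(stamp, '%d/%b/%Y:%H:%M:%S')
        hits = [t for t in recent.get(host, [])
                if ts - t <= timedelta(seconds=findtime)]
        hits.append(ts)
        recent[host] = hits
        if len(hits) >= maxretry:
            bans[host] = stamp
    return bans


# Constructed sample lines in the same format as the question's access log.
# 222.222.222.222: four 404s within 3 seconds -> banned with maxretry=4.
# 198.51.100.7: two 404s 95 seconds apart -> never reaches maxretry=4.
# 203.0.113.9: a 200 response whose User-Agent contains an escaped quote
#   followed by ' 503'; Apache logs embedded quotes as \" so the loose
#   regex's catch-alls still see '" 503' and count it as a failure.
SAMPLE_LOG = [
    '222.222.222.222 - - [16/Oct/2023:22:10:51 +0200] "testing.my-org.com" "GET /tests HTTP/1.1" 404 8043 61680 "-" "curl/7.88.1" "" "sess1"',
    '222.222.222.222 - - [16/Oct/2023:22:10:52 +0200] "testing.my-org.com" "GET /tests HTTP/1.1" 404 8043 61976 "-" "curl/7.88.1" "" "sess2"',
    '222.222.222.222 - - [16/Oct/2023:22:10:52 +0200] "testing.my-org.com" "GET /tests HTTP/1.1" 404 8043 68577 "-" "curl/7.88.1" "" "sess3"',
    '222.222.222.222 - - [16/Oct/2023:22:10:53 +0200] "testing.my-org.com" "GET /tests HTTP/1.1" 404 8043 60012 "-" "curl/7.88.1" "" "sess4"',
    '198.51.100.7 - - [16/Oct/2023:22:10:55 +0200] "testing.my-org.com" "GET /old HTTP/1.1" 404 8043 59001 "-" "Mozilla/5.0" "" "sess5"',
    '198.51.100.7 - - [16/Oct/2023:22:12:30 +0200] "testing.my-org.com" "GET /old HTTP/1.1" 404 8043 59100 "-" "Mozilla/5.0" "" "sess6"',
    '203.0.113.9 - - [16/Oct/2023:22:12:31 +0200] "testing.my-org.com" "GET / HTTP/1.1" 200 512 3 "-" "probe\\" 503 x" "" "sess7"',
]

if __name__ == '__main__':
    print('bans (loose regex):', find_bans(SAMPLE_LOG, LOOSE_FAILREGEX))
    print('bans (tight regex):', find_bans(SAMPLE_LOG, TIGHT_FAILREGEX))
    for line in SAMPLE_LOG:
        print(matches(line, LOOSE_FAILREGEX), matches(line, TIGHT_FAILREGEX),
              line[:70])
```

Run with the default maxretry=4/findtime=60 from the jail above, only 222.222.222.222 is banned under either regex; the last sample line shows the difference the answer hints at: the loose regex counts a 200 response as a failure, the tightened one does not. None of this changes the answer's main point, though: with `journalmatch` set the jail reads the journal, so these access-log lines are never seen by the filter until the backend is switched.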