I am having trouble understanding how to build a regex to catch probing attempts on my nginx server.
I would like to create a filter that catches sites accessing certain files (by name) and/or PHP errors.
My sample log entry is below:
2023/11/04 14:40:26 [error] 1341#1341: *46805 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 194.113.235.169, server: www.server.org, request: "GET /index2.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9999", host: "www.server.org", referrer: "https://www.server.org/index2.php"
I was playing with a regex builder and came up with the string below:
\bPrimary|\bscript|\bunknown
which would match the phrase.
How do I build this into a fail2ban filter?
Logwatch also sends me a nice summary of the errors, which I would like to be able to start adding selectively to the filters.
Requests with error response codes
400 Bad Request
null: 60 Time(s)
\xC0/\xC00\xC0+\xC0,\xCC\xA8\xCC\xA9\xC0\x ... x09\xC0\x14\xC0: 11 Time(s)
*: 7 Time(s)
/: 6 Time(s)
google.com:443: 2 Time(s)
$\x11\xA2\x8D*^\xB5\xBB\x1D: 1 Time(s)
)Dxx\x1D'\xB7\x00\x00: 1 Time(s)
,c(\x0B\xF1: 1 Time(s)
/.env: 1 Time(s)
/api/v4/cloud/subscription/self-serve-status: 1 Time(s)
/basic_status: 1 Time(s)
/manager/html: 1 Time(s)
/manager/text/list: 1 Time(s)
/nginx_status: 1 Time(s)
/nginx_stub: 1 Time(s)
/private/api/v1/service/premaster: 1 Time(s)
/status: 1 Time(s)
/stub_status: 1 Time(s)
4\xE8%\x98w4\x0Bcry\xAA%\x82r\x0B&\x8B\x9D: 1 Time(s)
LM: 1 Time(s)
\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x ... x00\x00\x00\x00: 1 Time(s)
\x11\x97e\xDC\x0CD\xBA\xDFS\x00\x00*\xC0+\ ... xA8\xCC\xAA\xC0: 1 Time(s)
\xC0((+\x9B<8\xFA: 1 Time(s)
`\x0B!\xCE,\xD5}L7/nh&\x08+\xAB\xCA: 1 Time(s)
mstshash=Administr: 1 Time(s)
404 Not Found
/wp-content/plugins/WordPressCore/include.php: 7 Time(s)
/wp-content/plugins/core-plugin/include.php: 4 Time(s)
/wp-content/plugins/include.php: 4 Time(s)
/wp-content/themes/include.php: 4 Time(s)
/wp-includes/images/include.php: 4 Time(s)
/wp-includes/widgets/include.php: 4 Time(s)
/%25: 3 Time(s)
//wp-content/plugins/seoplugins/mar.php: 3 Time(s)
//wp-content/themes/seotheme/db.php?u: 3 Time(s)
//wp-content/themes/seotheme/mar.php: 3 Time(s)
/?author=2: 3 Time(s)
/admin/plugins/plupload/examples/upload.php: 3 Time(s)
/api/v4/emoji/name/%F0%9F%98%86: 3 Time(s)
/wp-content/themes/sketch/404.php: 3 Time(s)
/wp-login.php: 3 Time(s)
/.index.php: 2 Time(s)
/99vt: 2 Time(s)
/Res/login.html: 2 Time(s)
/aaaaaaaaaaaaaaaaaaaaaaaaaqr: 2 Time(s)
/actuator/gateway/routes: 2 Time(s)
/backup/: 2 Time(s)
/blog/: 2 Time(s)
/new/: 2 Time(s)
/old/: 2 Time(s)
/owa/auth/x.js: 2 Time(s)
/sitemap: 2 Time(s)
/sitemap.txt: 2 Time(s)
/sitemap.xml: 2 Time(s)
/style.php?sig=update&domain=51.79.124.111: 2 Time(s)
/temp/: 2 Time(s)
/test/: 2 Time(s)
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php: 2 Time(s)
/webui/: 2 Time(s)
/wordpress/: 2 Time(s)
/wp-content/plugins/drag-and-drop-multiple ... -upload-cf7.css: 2 Time(s)
/wp-content/plugins/wp-meta-and-date-remov ... js/inspector.js: 2 Time(s)
/wp-content/themes/seotheme/db.php?u: 2 Time(s)
/wp/: 2 Time(s)
/.git/config: 1 Time(s)
/.well-known/: 1 Time(s)
/.well-knownold/: 1 Time(s)
//wp-content/plugins/WordPressCore/include.php: 1 Time(s)
//wp-content/plugins/fix/up.php: 1 Time(s)
/99vu: 1 Time(s)
/?author=3: 1 Time(s)
/?author=4: 1 Time(s)
/ACio: 1 Time(s)
/KjDKeIsQhh.php: 1 Time(s)
/Login.jsp: 1 Time(s)
/Telerik.Web.UI.WebResource.axd?type=rau: 1 Time(s)
/ab2g: 1 Time(s)
/ab2h: 1 Time(s)
/actuator/health: 1 Time(s)
/admin/: 1 Time(s)
/admin/ckeditor/kcfinder/upload.php: 1 Time(s)
/admin/events/lib/external/responsive_file ... ager/dialog.php: 1 Time(s)
/admin/filemanager/dialog.php: 1 Time(s)
/admin/js/kcfinder/upload.php: 1 Time(s)
/admin/responsive_filemanager/filemanager/dialog.php: 1 Time(s)
/ads.txt: 1 Time(s)
/api/session/properties: 1 Time(s)
/app/rest/users/id:1/tokens/RPC2: 1 Time(s)
/assets/elfinder/elfinder.html: 1 Time(s)
/assets/filemanager/dialog.php: 1 Time(s)
/assets/js/kcfinder/upload.php: 1 Time(s)
/assets/plugins/elfinder/elfinder.html: 1 Time(s)
/assets/plugins/kcfinder/upload.php: 1 Time(s)
/assets/responsive_filemanager/filemanager/dialog.php: 1 Time(s)
/assets/scripts/filemanager/dialog.php: 1 Time(s)
/autodiscover/autodiscover.json?@zdi/Powershell: 1 Time(s)
/autodiscover/autodiscover.json?a..foo.var ... ol=%50owershell: 1 Time(s)
/backup: 1 Time(s)
/basic_status: 1 Time(s)
/bc: 1 Time(s)
/bk: 1 Time(s)
/cf_scripts/scripts/ajax/ckeditor/ckeditor.js: 1 Time(s)
/cgi-bin/authLogin.cgi: 1 Time(s)
/cgi-bin/config.exp: 1 Time(s)
/cgi-bin/vitogate.cgi: 1 Time(s)
/cm3Z: 1 Time(s)
/cms/tinymce/filemanager/filemanager/dialog.php: 1 Time(s)
/cms/vendor/responsive_filemanager/filemanager/dialog.php: 1 Time(s)
/config.json: 1 Time(s)
/dview8/api/usersByLevel: 1 Time(s)
/editor/filemanager/dialog.php: 1 Time(s)
/favicon-32x32.png: 1 Time(s)
/file-manager/: 1 Time(s)
/file-manager/backend/makefile: 1 Time(s)
/file-manager/backend/permissions: 1 Time(s)
/file-manager/backend/text: 1 Time(s)
/geoserver/web/: 1 Time(s)
/graph_view.php?action=tree_content&node=1 ... %2810%29%3B--+-: 1 Time(s)
/hejwjpam.php?Fox=d3wL7: 1 Time(s)
/home: 1 Time(s)
/humans.txt: 1 Time(s)
/index.php: 1 Time(s)
/index2.php: 1 Time(s)
/info.php: 1 Time(s)
/js/fileManager/filemanager/dialog.php: 1 Time(s)
/js/kcfinder/upload.php: 1 Time(s)
/js/tinymce4/plugins/filemanager/dialog.php: 1 Time(s)
/lib/filemanager/dialog.php: 1 Time(s)
/main: 1 Time(s)
/media/filemanager/dialog.php: 1 Time(s)
/new: 1 Time(s)
/nginx_status: 1 Time(s)
/nginx_stub: 1 Time(s)
/old: 1 Time(s)
/owa/: 1 Time(s)
/owa/auth.owa: 1 Time(s)
/plugins/content/apismtp/apismtp.php?test=hello: 1 Time(s)
/plugins/kcfinder/upload.php: 1 Time(s)
/plugins/responsive_filemanager/filemanager/dialog.php: 1 Time(s)
/po-admin/filemanager/dialog.php: 1 Time(s)
/po-content/filemanager/dialog.php: 1 Time(s)
/public/filemanager/dialog.php: 1 Time(s)
/public/js/libraries/filemanager/dialog.php: 1 Time(s)
/public/scripts/filemanager/dialog.php: 1 Time(s)
/remote/login: 1 Time(s)
/resources/plugins/tiny_mce/plugins/filemanager/dialog.php: 1 Time(s)
/responsive_filemanager/filemanager/dialog.php: 1 Time(s)
/server-status: 1 Time(s)
/showLogin.cc: 1 Time(s)
/solr/: 1 Time(s)
/static/historypage.js: 1 Time(s)
/sugar_version.json: 1 Time(s)
/t4: 1 Time(s)
/telescope/requests: 1 Time(s)
/tinymce/filemanager/dialog.php: 1 Time(s)
/tutor/filter?searched_word&searched_tutio ... ed_duration[]=0: 1 Time(s)
/vendor/phpunit/phpunit/phpunit.xml: 1 Time(s)
/version: 1 Time(s)
/webfig/: 1 Time(s)
/wordpress: 1 Time(s)
/wp: 1 Time(s)
/wp-admin/: 1 Time(s)
/wp-admin/css/colors/blue/blue.php?wall=ZW ... EJvdCI7Pz4nKTs=: 1 Time(s)
/wp-config._1: 1 Time(s)
/wp-config._2: 1 Time(s)
/wp-config._backup: 1 Time(s)
/wp-config.back: 1 Time(s)
/wp-config.php__: 1 Time(s)
/wp-config.php______: 1 Time(s)
/wp-config.php__olds: 1 Time(s)
/wp-config.php_backup: 1 Time(s)
/wp-config.php_old2003: 1 Time(s)
/wp-config.php_old2004: 1 Time(s)
/wp-config.php_old2005: 1 Time(s)
/wp-config.php_old2007: 1 Time(s)
/wp-config.php_old2009: 1 Time(s)
/wp-config.php_old2010: 1 Time(s)
/wp-config.php_old2011: 1 Time(s)
/wp-config.php_old2016: 1 Time(s)
/wp-config.php_old2018: 1 Time(s)
/wp-config.php_old2019: 1 Time(s)
/wp-config.php_old2020: 1 Time(s)
/wp-config.php_old2022: 1 Time(s)
/wp-config.php_old2023: 1 Time(s)
/wp-config.php_original: 1 Time(s)
/wp-config.phpc: 1 Time(s)
/wp-config.phpd: 1 Time(s)
/wp-config.phpn: 1 Time(s)
/wp-config.phpnew: 1 Time(s)
/wp-config.phpold: 1 Time(s)
/wp-config.phps: 1 Time(s)
/wp-config.php~1: 1 Time(s)
/wp-config.php~bk: 1 Time(s)
/wp-config.prod: 1 Time(s)
/wp-config.prod.php.txt: 1 Time(s)
/wp-config.production: 1 Time(s)
/wp-config.rej: 1 Time(s)
/wp-config.sav: 1 Time(s)
/wp-config.save: 1 Time(s)
/wp-config.save.1: 1 Time(s)
/wp-config.save.2: 1 Time(s)
/wp-config.stage: 1 Time(s)
/wp-config.sublime-project: 1 Time(s)
/wp-config.swn: 1 Time(s)
/wp-config.swo: 1 Time(s)
/wp-config.tar: 1 Time(s)
/wp-config.temp: 1 Time(s)
/wp-config.templ: 1 Time(s)
/wp-config.tmp: 1 Time(s)
/wp-config.uk: 1 Time(s)
/wp-config.un~: 1 Time(s)
/wp-config.us: 1 Time(s)
/wp-config.vb: 1 Time(s)
/wp-config.vbproj: 1 Time(s)
/wp-config.wp-config.php.swo: 1 Time(s)
/wp-config_good: 1 Time(s)
/wp-content/: 1 Time(s)
/wp-content/plugins/apikey/apikey.php?test=hello: 1 Time(s)
/wp-content/plugins/media-library-assistan ... ite/patrowl.svg: 1 Time(s)
/wp-content/plugins/media-library-assistant/readme.txt: 1 Time(s)
/wp-content/plugins/wordpresscore/include.php: 1 Time(s)
/wp-content/plugins/wp-stats-manager/includes/: 1 Time(s)
/wp-content/plugins/wp-stats-manager/languages/: 1 Time(s)
/wp-content/plugins/wp-stats-manager/notifications.php: 1 Time(s)
/wp-content/themes/themify-ultra/style.css: 1 Time(s)
/wp-content/themes/twentytwentythree/index.php: 1 Time(s)
/wp-content/upgrade/: 1 Time(s)
/wp-content/upgrade/upfile.php: 1 Time(s)
/wp-content/uploads/: 1 Time(s)
/wp-includes/: 1 Time(s)
/wp-includes/autoload_classmap.php: 1 Time(s)
/wp-json/wp/v2/users/2: 1 Time(s)
/wp-json/wp/v2/users/4: 1 Time(s)
/wp-json/wp/v2/users/5: 1 Time(s)
/wp-plain.php: 1 Time(s)
Example log entry for the error:
31.208.250.224 - - [04/Nov/2023:20:44:57 -0400] "GET /wp-config._backup HTTP/1.1" 404 5056 "https://www.server.blog//wp-config._backup" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
To summarize:
- I would like help creating a filter that catches "Primary script unknown"
- I would like help making a filter that catches the 404 errors probing the server, starting with wp-config, and adding to/expanding the list as it grows (for example, .env files)
- Is there a good reference for learning the black magic of regex? I have looked at several sites and I am not getting all the magic.
I would appreciate any help with this. Thanks.
The regex pattern above will find the bad entries. However, it does not seem to find it in one part of the log message, at least according to the regex tester.
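The two filters asked for above (one for the "Primary script unknown" entries in error.log, one for 404 probes of wp-config, .env and similar paths in access.log), as an added example that is not part of the original question and not fail2ban's own code. The `[Definition]` blocks are written the way fail2ban filter files are, and the Python around them imitates two things fail2ban does before matching: it deletes the timestamp text from the line (so the access-log pattern has to match `[]` where the date was, and the error-log pattern starts with a space), and it replaces `<HOST>` with a group that captures the address to ban. Assumptions: the `<HOST>` stand-in only covers IPv4 (fail2ban's real tag also handles IPv6 and hostnames), the timestamp detector only knows the two nginx formats shown in the question, the filter names `nginx-primary-script` and `nginx-probes` are hypothetical, and all sample lines other than the two taken from the question are constructed with documentation addresses.

```python
import configparser
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: the real tag also
# matches IPv6 addresses and hostnames; IPv4 is enough for the sample lines).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# fail2ban locates the timestamp, deletes it, and matches failregex against the
# remainder: "[04/Nov/2023:20:44:57 -0400]" becomes "[]" and
# "2023/11/04 14:40:26 [error]" becomes " [error]". This regex imitates that
# for the two nginx formats in the question (assumption: simplified detector).
DATE_RE = re.compile(
    r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"
    r"|\d{2}/[A-Z][a-z]{2}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}"
)

# Filter for error.log (hypothetical name nginx-primary-script): the address to
# ban is the "client:" field, so that is where <HOST> goes, not the upstream IP.
NGINX_PRIMARY_SCRIPT_FILTER = r"""
[Definition]
failregex = ^ \[error\] \d+#\d+: \*\d+ FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+".*$
ignoreregex =
"""

# Filter for access.log (hypothetical name nginx-probes): ban on a 404 for any
# path in the <probes> alternation. Extend "probes" as the logwatch list grows;
# "/+" also covers the "//wp-content/..." double-slash variants in the report.
NGINX_PROBE_FILTER = r"""
[Definition]
probes = wp-config[^ "]*|\.env[^ "]*|\.git/[^ "]*|vendor/phpunit/[^ "]*
failregex = ^<HOST> - \S+ \[\] "(?:GET|POST|HEAD) /+(?:<probes>) \S+" 404 .*$
ignoreregex =
"""


def compile_filter(filter_text):
    """Parse a fail2ban-style [Definition] section into compiled regexes.

    As in fail2ban, <name> tags refer to other options of the same section and
    <HOST> becomes the address-capturing group. One regex per failregex line.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(filter_text)
    section = cp["Definition"]
    patterns = []
    for raw in section["failregex"].splitlines():
        raw = raw.strip()
        if not raw:
            continue
        for name, value in section.items():
            if name != "failregex":
                raw = raw.replace("<%s>" % name, value)
        patterns.append(re.compile(raw.replace("<HOST>", HOST_RE)))
    return patterns


def find_failures(filter_text, lines):
    """Return [(host, line)] for the lines a filter's failregex would ban."""
    patterns = compile_filter(filter_text)
    hits = []
    for line in lines:
        stripped = DATE_RE.sub("", line, count=1)
        for pat in patterns:
            match = pat.search(stripped)
            if match:
                hits.append((match.group("host"), line))
                break
    return hits


# First line is the one from the question; the second is constructed noise
# (an ordinary missing file) that must not match.
SAMPLE_ERROR_LOG = [
    '2023/11/04 14:40:26 [error] 1341#1341: *46805 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 194.113.235.169, server: www.server.org, request: "GET /index2.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9999", host: "www.server.org", referrer: "https://www.server.org/index2.php"',
    '2023/11/04 14:41:02 [error] 1341#1341: *46810 open() "/var/www/html/robots.txt" failed (2: No such file or directory), client: 203.0.113.7, server: www.server.org, request: "GET /robots.txt HTTP/1.1", host: "www.server.org"',
]

# First line is the one from the question; the rest are constructed
# (documentation addresses) to exercise the .env, double-slash and 200 cases.
SAMPLE_ACCESS_LOG = [
    '31.208.250.224 - - [04/Nov/2023:20:44:57 -0400] "GET /wp-config._backup HTTP/1.1" 404 5056 "https://www.server.blog//wp-config._backup" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"',
    '203.0.113.9 - - [04/Nov/2023:20:45:10 -0400] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '203.0.113.9 - - [04/Nov/2023:20:45:11 -0400] "GET //wp-content/plugins/fix/up.php HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '198.51.100.4 - - [04/Nov/2023:20:46:00 -0400] "GET /blog/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for name, flt, log in [
        ("nginx-primary-script", NGINX_PRIMARY_SCRIPT_FILTER, SAMPLE_ERROR_LOG),
        ("nginx-probes", NGINX_PROBE_FILTER, SAMPLE_ACCESS_LOG),
    ]:
        for host, line in find_failures(flt, log):
            print("%s: ban %s  <-  %s" % (name, host, line[:70]))
```

Running it bans 194.113.235.169 from the error log and 31.208.250.224 plus 203.0.113.9 from the access log; the `//wp-content/plugins/fix/up.php` probe is deliberately not in `probes`, so it is left alone until the alternation is extended. Two points worth noting against the `\bPrimary|\bscript|\bunknown` experiment: an alternation of bare words matches any line containing any one of those words, and it captures no address, so fail2ban would have nothing to ban; a working failregex has to contain `<HOST>` at the position of the client IP. In a real deployment each `[Definition]` block goes into its own file under `/etc/fail2ban/filter.d/`, a jail points `logpath` at error.log or access.log respectively, and `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-probes.conf` is the tool's own way to see exactly which lines a filter matches (fail2ban also ships an `nginx-botsearch` filter built on the same idea, whose `[Definition]` is a good model to read).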