我每天都会收到大量看起来相似的 sql 注入尝试。访问日志的片段显示:
8222 24.247.182.172 - - [09/Nov/2018:08:47:25 -0600] ***************.com "GET /Add_Product.php?strPhotoID=VA1209&price_selected=2+union+select+0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526--&page_id=912 HTTP/1.1" 302 0 "https://www.***************.com/Add_Product.php?strPhotoID=VA1209&price_selected=2+union+select+0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526--&page_id=912" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "-"
这是 jail.local 中的配置:
[sql-union-select-attack]
enabled = true
filter = sql-union-select-attack
logpath = /var/log/nginx/*access.log
port = 8221,8222,8231,8232
maxretry = 1
findtime = 10
bantime = -1
action = iptables-allports[name=sqlUnionSelect]
这是过滤器(sql-union-select-attack.conf):
#The SQL Injection attempt with "union+select+" in the URL
[Definition]
failregex = ^\d{4} <HOST> -.*\"(GET|POST).*/Add_Product.php.*union
然而我在这里,没有得到任何禁令,如图所示
fail2ban-client status sql-union-select-attack
root@web4:/etc/fail2ban# fail2ban-client status sql-union-select-attack
Status for the jail: sql-union-select-attack
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/nginx/**************.access.log /var/log/nginx/access.log
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
这里发生了什么?我的 jail.local 配置有问题吗?
编辑
感谢迈克尔汉普顿的回答,它现在似乎正在工作。我有一个 bash 脚本,可以让我选择一个监狱来获取状态:
root@web4:/etc/fail2ban# get_jail_status
http-get-dos
http-post-dos
magento-url
megaindex-crawler-spam
nginx-499
nginx-aspx-url
sql-directory-attempt
sql-union-select-attack
sshd
Please enter the jail you would like to check:
sql-union-select-attack
Status for the jail: sql-union-select-attack
|- Filter
| |- Currently failed: 0
| |- Total failed: 2
| `- File list: /var/log/nginx/**************.access.log /var/log/nginx/access.log
`- Actions
|- Currently banned: 5
|- Total banned: 5
`- Banned IP list: 142.163.212.50 217.61.108.219 37.59.8.29 207.228.228.8 162.144.126.204
如果我选择其中一个 IP 地址并在 iptables 中检查它,它会出现:
root@web4:/etc/fail2ban# iptables -L -v -n | grep 142.163.212.50
0 0 REJECT all -- * * 142.163.212.50 0.0.0.0/0 reject-with icmp-port-unreachable
所以它似乎正在工作!
Fail2ban 需要安装 pyinotify 才能读取日志文件,而不是通过 systemd 日志。如果未安装,则应安装或重新安装。例如:
之后,重新启动 fail2ban 并等待几分钟,让它浏览现有的日志文件。
(从技术上讲,它也可以使用 gamin,但从历史上看,这并不是很可靠......)