主页 / server / 问题 / 942682
Accepted
Fel
Asked: 2018-12-04 07:55:27 +0800 CST

如何忽略事件源日志

  • 772

我有一个定期运行的事件源。问题是,http-get-dos如果用户长时间打开选项卡,fail2ban 将捕获 IP。

所以,我在想,如何在 ningx 中禁用这种类型的特定登录?另一种方法是将fail2ban 配置为忽略此模式。

"GET /users/stream HTTP/2.0"

我愿意在 nginx 或 fail2ban 中实现。

可能相应地更改此行 /etc/fail2ban/filter.d/http-get-dos.conf 是最直接的方法:

failregex = ^<HOST> -.*"(GET|POST).*

更新(/etc/fail2ban/filter.d/http-get-dos.conf):

# Fail2Ban configuration file
[Definition]

# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.
failregex = ^<HOST> -.*"(GET|POST).*
# Option: ignoreregex
ignoreregex =

##To stop DOS attack from remote host.
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath  = /usr/local/nginx/localhost-access.log
maxretry = 300
findtime = 300
bantime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]

第一次尝试:显然不能使用下面的正则表达式:

fail2ban-regex /usr/local/nginx/localhost-access.log '^<HOST> -.*"(GET|POST).*' '^.+?:\d+ <HOST> -.*"(GET) /users/stream.*$'

Running tests
=============

Use   failregex line : ^<HOST> -.*"(GET|POST).*
Use ignoreregex line : ^.+?:\d+ <HOST> -.*"(GET) /users/stream.*$
Use         log file : /usr/local/nginx/localhost-access.log
Use         encoding : UTF-8


Results
=======

Failregex: 22431 total
|-  #) [# of hits] regular expression
|   1) [22431] ^<HOST> -.*"(GET|POST).*
`-

Ignoreregex: 0 total

第二次尝试:但可以使用^<HOST> -.*"(GET) /users/stream.*$

fail2ban-regex /usr/local/nginx/localhost-access.log '^<HOST> -.*"(GET|POST).*' '^<HOST> -.*"(GET) /users/stream.*$'

Running tests
=============

Use   failregex line : ^<HOST> -.*"(GET|POST).*
Use ignoreregex line : ^<HOST> -.*"(GET) /users/stream.*$
Use         log file : /usr/local/nginx/localhost-access.log
Use         encoding : UTF-8


Results
=======

Failregex: 1574 total
|-  #) [# of hits] regular expression
|   1) [1574] ^<HOST> -.*"(GET|POST).*
`-

Ignoreregex: 22093 total
|-  #) [# of hits] regular expression
|   1) [22093] ^<HOST> -.*"(GET) /users/stream.*$
`-
nginx

1 个回答

  1. Best Answer

    你在正确的轨道上使用

    ignoreregex =

    在你的指令

    /etc/fail2ban/filter.d/http-get-dos.conf

    配置文件。这应该只是调整正则表达式的问题。像这样的东西:

    ^<HOST> -.*"(GET) /users/stream.*$

    它匹配您的日志文件行,然后匹配任何 GET,并且仅匹配具有 /users/stream 前缀的请求以及附加到它的任何字符串的 GET。

    • 2

相关问题