Fel's questions

我正在尝试使用 Python 2.7.9 将 Certbot 从 0.10.2 更新到支持 Debian 9.1 中的 ACME 2 的某个版本。

apt-cache policy certbot
certbot:
  Installed: 0.10.2-1
  Candidate: 0.28.0-1~deb9u2
  Version table:
     0.28.0-1~deb9u2 500
        500 http://deb.debian.org/debian oldstable/main amd64 Packages
        500 http://deb.debian.org/debian oldstable-updates/main amd64 Packages
     0.28.0-1~bpo9+1 100
        100 http://ftp.debian.org/debian stretch-backports/main amd64 Packages
 *** 0.10.2-1 100
        100 /var/lib/dpkg/status

从这里开始，这就是我正在尝试的：

echo "deb http://ftp.debian.org/debian stretch-backports main">>/etc/apt/sources.list
apt-get update
apt-get install python-certbot-nginx -t stretch-backports

/etc/apt/sources.list

deb http://deb.debian.org/debian/ oldstable main contrib non-free
deb-src http://deb.debian.org/debian/ oldstable main contrib non-free

deb http://deb.debian.org/debian/ oldstable-updates main contrib non-free
deb-src http://deb.debian.org/debian/ oldstable-updates main contrib non-free

deb http://deb.debian.org/debian-security oldstable/updates main
deb-src http://deb.debian.org/debian-security oldstable/updates main

deb http://ftp.debian.org/debian stretch-backports main
deb-src http://ftp.debian.org/debian stretch-backports main

||/ Name                                Version                Architecture           Description
+++-===================================-======================-======================-============================================================================
ii  libc6:amd64                         2.24-11+deb9u1         amd64                  GNU C Library: Shared libraries

错误：

apt-get install python-certbot-nginx -t stretch-backports
Reading package lists... Done
Building dependency tree
Reading state information... Done
You might want to run 'apt --fix-broken install' to correct these.
The following packages have unmet dependencies:
 libc-dev-bin : Depends: libc6 (> 2.28) but 2.24-11+deb9u1 is to be installed
                Recommends: manpages-dev but it is not going to be installed
 libc6-dev : Depends: libc6 (= 2.28-10) but 2.24-11+deb9u1 is to be installed
 locales : Depends: libc-bin (> 2.28) but 2.24-11+deb9u1 is to be installed
 python-certbot-nginx : Depends: python3-certbot-nginx but it is not going to be installed
E: Unmet dependencies. Try 'apt --fix-broken install' with no packages (or specify a solution).

libc6:
Installed: 2.24-11+deb9u1
  Candidate: 2.24-11+deb9u4
  Version table:
     2.24-11+deb9u4 500
        500 http://deb.debian.org/debian oldstable/main amd64 Packages
 *** 2.24-11+deb9u1 500
        500 http://deb.debian.org/debian-security oldstable/updates/main amd64 Packages
        100 /var/lib/dpkg/status
libc6-dev:
  Installed: 2.28-10
  Candidate: 2.28-10
  Version table:
 *** 2.28-10 100
        100 /var/lib/dpkg/status
     2.24-11+deb9u4 500
        500 http://deb.debian.org/debian oldstable/main amd64 Packages
     2.24-11+deb9u1 500
        500 http://deb.debian.org/debian-security oldstable/updates/main amd64 Packages
locales:
  Installed: 2.28-10
  Candidate: 2.28-10
  Version table:
 *** 2.28-10 100
        100 /var/lib/dpkg/status
     2.24-11+deb9u4 500
        500 http://deb.debian.org/debian oldstable/main amd64 Packages
     2.24-11+deb9u1 500
        500 http://deb.debian.org/debian-security oldstable/updates/main amd64 Packages
libc-dev-bin:
  Installed: 2.28-10
  Candidate: 2.28-10
  Version table:
 *** 2.28-10 100
        100 /var/lib/dpkg/status
     2.24-11+deb9u4 500
        500 http://deb.debian.org/debian oldstable/main amd64 Packages
     2.24-11+deb9u1 500
        500 http://deb.debian.org/debian-security oldstable/updates/main amd64 Packages

任何想法？这是一个生产服务器。

编辑：

所以显然我已经在 Debian 9 中安装了一些来自 Debian 10 的软件包。因为我不能用 apt 做任何事情，所以我试图用 aptitude 解决依赖关系。

(venv)root@deb64:/home/x/# aptitude -V -s install libc6-dev=2.24-11+deb9u4
The following packages will be DOWNGRADED:
  libc6-dev{b} [2.28-10 -> 2.24-11+deb9u4]
The following packages will be REMOVED:
  libc-dev-bin{u} [2.28-10]
The following packages will be upgraded:
  libc6 [2.24-11+deb9u1 -> 2.24-11+deb9u4]  linux-libc-dev [4.9.30-2+deb9u5 -> 4.9.210-1]
The following partially installed packages will be configured:
  libc-l10n  locales{b}  man-db
2 packages upgraded, 0 newly installed, 1 downgraded, 1 to remove and 235 not upgraded.
Need to get 6,539 kB of archives. After unpacking 3,561 kB will be freed.
The following packages have unmet dependencies:
 libc6-dev : Depends: libc-dev-bin (= 2.24-11+deb9u4) but it is not going to be installed
 locales : Depends: libc-bin (> 2.28) but 2.24-11+deb9u1 is installed and it is kept back
The following actions will resolve these dependencies:

     Remove the following packages:
1)     locales [2.28-10 (now)]
2)     task-english [3.39 (now, oldstable)]

     Install the following packages:
3)     locales-all [2.24-11+deb9u4 (oldstable)]

     Upgrade the following packages:
4)     postgresql-9.4 [9.4.13-0+deb8u1 (now) -> 9.4.26-2.pgdg90+1 (stretch-pgdg)]
5)     postgresql-9.6 [9.6.4-0+deb9u1 (now) -> 9.6.18-1.pgdg90+1 (stretch-pgdg)]
6)     postgresql-contrib-9.4 [9.4.13-0+deb8u1 (now) -> 9.4.26-2.pgdg90+1 (stretch-pgdg)]
7)     postgresql-contrib-9.6 [9.6.4-0+deb9u1 (now) -> 9.6.18-1.pgdg90+1 (stretch-pgdg)]

     Downgrade the following packages:
8)     libc-dev-bin [2.28-10 (now) -> 2.24-11+deb9u4 (oldstable)]

Accept this solution? [Y/n/q/?] q

如果我接受此解决方案，系统是否安全？

ii  libc6:amd64                       2.24-11+deb9u1                 amd64        GNU C Library: Shared libraries
iU  libc6-dev:amd64                   2.28-10                        amd64        GNU C Library: Development Libraries and Header Files

我有一个定期运行的事件源。问题是，http-get-dos如果用户长时间打开选项卡，fail2ban 将捕获 IP。

所以，我在想，如何在 ningx 中禁用这种类型的特定登录？另一种方法是将fail2ban 配置为忽略此模式。

"GET /users/stream HTTP/2.0"

我愿意在 nginx 或 fail2ban 中实现。

可能相应地更改此行 /etc/fail2ban/filter.d/http-get-dos.conf 是最直接的方法：

failregex = ^<HOST> -.*"(GET|POST).*

更新（/etc/fail2ban/filter.d/http-get-dos.conf）：

# Fail2Ban configuration file
[Definition]

# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.
failregex = ^<HOST> -.*"(GET|POST).*
# Option: ignoreregex
ignoreregex =

##To stop DOS attack from remote host.
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath  = /usr/local/nginx/localhost-access.log
maxretry = 300
findtime = 300
bantime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]

第一次尝试：显然不能使用下面的正则表达式：

fail2ban-regex /usr/local/nginx/localhost-access.log '^<HOST> -.*"(GET|POST).*' '^.+?:\d+ <HOST> -.*"(GET) /users/stream.*$'

Running tests
=============

Use   failregex line : ^<HOST> -.*"(GET|POST).*
Use ignoreregex line : ^.+?:\d+ <HOST> -.*"(GET) /users/stream.*$
Use         log file : /usr/local/nginx/localhost-access.log
Use         encoding : UTF-8


Results
=======

Failregex: 22431 total
|-  #) [# of hits] regular expression
|   1) [22431] ^<HOST> -.*"(GET|POST).*
`-

Ignoreregex: 0 total

第二次尝试：但可以使用^<HOST> -.*"(GET) /users/stream.*$

fail2ban-regex /usr/local/nginx/localhost-access.log '^<HOST> -.*"(GET|POST).*' '^<HOST> -.*"(GET) /users/stream.*$'

Running tests
=============

Use   failregex line : ^<HOST> -.*"(GET|POST).*
Use ignoreregex line : ^<HOST> -.*"(GET) /users/stream.*$
Use         log file : /usr/local/nginx/localhost-access.log
Use         encoding : UTF-8


Results
=======

Failregex: 1574 total
|-  #) [# of hits] regular expression
|   1) [1574] ^<HOST> -.*"(GET|POST).*
`-

Ignoreregex: 22093 total
|-  #) [# of hits] regular expression
|   1) [22093] ^<HOST> -.*"(GET) /users/stream.*$
`-