Comments (5)
@jiangtao69039 I haven't used SSR, so I don't know what its log format looks like. You need a rough understanding of regular expressions, then follow the pattern of what I wrote here:
https://blog.ferstar.org/post/ubuntu-18.04-set-up-shadowsocks-server-with-fail2ban
sudo tee /etc/fail2ban/filter.d/shadowsocks-libev.conf > /dev/null <<EOF
[INCLUDES]
before = common.conf
[Definition]
_daemon = ss-server
failregex = ^\w+\s+\d+ \d+:\d+:\d+\s+%(__prefix_line)sERROR:\s+failed to handshake with <HOST>: authentication error$
ignoreregex =
datepattern = %%Y-%%m-%%d %%H:%%M:%%S
EOF
The key is this line, failregex=***. You need to find the authentication-failure entries in SSR's log (that is, the malicious scanning cases), write a regular expression for them, and put it under this parameter. Nothing else needs to change; you can use my config directly.
For ss-libev, an authentication-failure log line looks like this:
Aug 15 08:59:07 <hostname> ss-server[1382]: 2018-08-15 08:59:07 ERROR: failed to handshake with <HOST>: authentication error
My regex ^\w+\s+\d+ \d+:\d+:\d+\s+%(__prefix_line)sERROR:\s+failed to handshake with <HOST>: authentication error$ matches it, which triggers fail2ban's filter condition, and that IP gets banned.
How do I match an error like this one?
2019-08-20 00:30:59 WARNING tcprelay.py:521 Protocol ERROR, TCP ogn data 474554202f20485454502f312e300d0a4163636570743a20746578742f68746d6c0d0a557365722d4167656e743a204d6f7a696c6c612f352e3020284c696e75783b20553b20416e64726f696420342e342e323b20656e2d75733b205343482d49353335204275696c642f4b4f5434394829204170706c655765624b69742f3533342e333020284b48544d4c2c206c696b65204765636b6f292056657273696f6e2f342e30204d6f62696c65205361666172692f3533342e33300d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a from ::ffff:103.59.156.16:43577 via port 80 by UID 80
@FenghenHome Just change failregex to the following:
^\d{4}-\d{2}-\d{2}.*?Protocol ERROR.*?::f{4}:<HOST>:\d+ via.*$
That is:
failregex = ^\d{4}-\d{2}-\d{2}.*?Protocol ERROR.*?::f{4}:<HOST>:\d+ via.*$
Thanks. Is there a single rule that can match both of the lines below?
2019-08-20 00:30:59 WARNING tcprelay.py:521 Protocol ERROR, TCP ogn data 474554202f20485454502f312e300d0a4163636570743a20746578742f68746d6c0d0a557365722d4167656e743a204d6f7a696c6c612f352e3020284c696e75783b20553b20416e64726f696420342e342e323b20656e2d75733b205343482d49353335204275696c642f4b4f5434394829204170706c655765624b69742f3533342e333020284b48544d4c2c206c696b65204765636b6f292056657273696f6e2f342e30204d6f62696c65205361666172692f3533342e33300d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a from ::ffff:103.59.156.16:43577 via port 80 by UID 80
2017-10-14 01:34:02 WARNING udprelay.py:316 Protocol ERROR, UDP ogn data 85f0405f4de23250e9537f08c1f19eb4796ced1e8777ce3874cb2765d35e9f5494426fb6955388c93b3442b2be8c94877d5d from ::ffff:211.97.129.143:44433
@FenghenHome Yes, a regex like that is easy to write:
^.*Protocol ERROR.*?::f{4}:<HOST>:.*$
Test hits:
First line:
fail2ban-regex "2019-08-20 00:30:59 WARNING tcprelay.py:521 Protocol ERROR, TCP ogn data 474554202f20485454502f312e300d0a4163636570743a20746578742f68746d6c0d0a557365722d4167656e743a204d6f7a696c6c612f352e3020284c696e75783b20553b20416e64726f696420342e342e323b20656e2d75733b205343482d49353335204275696c642f4b4f5434394829204170706c655765624b69742f3533342e333020284b48544d4c2c206c696b65204765636b6f292056657273696f6e2f342e30204d6f62696c65205361666172692f3533342e33300d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a from ::ffff:103.59.156.16:43577 via port 80 by UID 80" "^.*Protocol ERROR.*?::f{4}:<HOST>:.*$"
Running tests
=============
Use failregex line : ^.*Protocol ERROR.*?::f{4}:<HOST>:.*$
Use single line : 2019-08-20 00:30:59 WARNING tcprelay.py:521 Protoc...
Results
=======
Failregex: 1 total
|- #) [# of hits] regular expression
| 1) [1] ^.*Protocol ERROR.*?::f{4}:<HOST>:.*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [1] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
`-
Lines: 1 lines, 0 ignored, 1 matched, 0 missed [processed in 0.00 sec]
Second line:
fail2ban-regex "2017-10-14 01:34:02 WARNING udprelay.py:316 Protocol ERROR, UDP ogn data 85f0405f4de23250e9537f08c1f19eb4796ced1e8777ce3874cb2765d35e9f5494426fb6955388c93b3442b2be8c94877d5d from ::ffff:211.97.129.143:44433" "^.*Protocol ERROR.*?::f{4}:<HOST>:.*$"
Running tests
=============
Use failregex line : ^.*Protocol ERROR.*?::f{4}:<HOST>:.*$
Use single line : 2017-10-14 01:34:02 WARNING udprelay.py:316 Protoc...
Results
=======
Failregex: 1 total
|- #) [# of hits] regular expression
| 1) [1] ^.*Protocol ERROR.*?::f{4}:<HOST>:.*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [1] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
`-
Lines: 1 lines, 0 ignored, 1 matched, 0 missed [processed in 0.00 sec]
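As an added example (not code from the thread or the blog), this Python script emulates what the fail2ban-regex runs above do: it substitutes an approximation of fail2ban's <HOST> placeholder, runs both failregex candidates from the thread over constructed sample lines (the hex payloads shortened), and reports which hosts would reach maxretry. HOST_PATTERN and the maxretry handling are simplifying assumptions, not fail2ban's own code; findtime is ignored.

```python
import re
from collections import Counter

# Assumption: approximates fail2ban's <HOST> expansion (optional IPv4-mapped
# IPv6 prefix, then the address captured in the "host" group).
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two failregex candidates proposed in the thread.
TCP_ONLY_REGEX = r"^\d{4}-\d{2}-\d{2}.*?Protocol ERROR.*?::f{4}:<HOST>:\d+ via.*$"
GENERAL_REGEX = r"^.*Protocol ERROR.*?::f{4}:<HOST>:.*$"

# Constructed sample log: the TCP and UDP lines from the thread with the hex
# payload shortened, one benign INFO line, and a repeat from the first host.
SAMPLE_LOG = [
    "2019-08-20 00:30:59 WARNING tcprelay.py:521 Protocol ERROR, TCP ogn data 4745 "
    "from ::ffff:103.59.156.16:43577 via port 80 by UID 80",
    "2017-10-14 01:34:02 WARNING udprelay.py:316 Protocol ERROR, UDP ogn data 85f0 "
    "from ::ffff:211.97.129.143:44433",
    "2019-08-20 00:31:10 INFO tcprelay.py:100 accepted connection from ::ffff:198.51.100.7:40000",
    "2019-08-20 00:32:00 WARNING tcprelay.py:521 Protocol ERROR, TCP ogn data 0000 "
    "from ::ffff:103.59.156.16:43600 via port 80 by UID 80",
]


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python regex with a 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def match_hosts(lines, failregex):
    """Host captured from every line the failregex matches (the fail2ban-regex hits)."""
    pattern = compile_failregex(failregex)
    return [m.group("host") for line in lines if (m := pattern.match(line))]


def hosts_to_ban(lines, failregex, maxretry=2):
    """Hosts with at least maxretry matching lines; these would be banned."""
    counts = Counter(match_hosts(lines, failregex))
    return sorted(host for host, hits in counts.items() if hits >= maxretry)


if __name__ == "__main__":
    for name, regex in (("tcp-only", TCP_ONLY_REGEX), ("general", GENERAL_REGEX)):
        print(name, "hits:", match_hosts(SAMPLE_LOG, regex), "ban:", hosts_to_ban(SAMPLE_LOG, regex))
```

The tcp-only regex misses the UDP line because it requires a trailing " via"; the general one catches both, which is why the thread settles on it.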