I. Problem description
Our server's auth.log has recently been filling up with many entries like the following:
Oct 28 09:35:11 hostname sshd[20316]: Address 206.189.145.254 maps to buycost.io, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
I want to handle these with fail2ban. How should I go about it?
Below are the steps I took, for reference.
II. Steps
1. Write the regex
Log line:
Oct 28 09:35:11 hostname sshd[20316]: Address 206.189.145.254 maps to buycost.io, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Regex:
^%(__prefix_line)sAddress <HOST> maps to \S+, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\s*$
Explanation:
| Regex | Log |
| --- | --- |
| ^ | start of line |
| %(__prefix_line)s | Oct 28 09:35:11 hostname sshd[20316]: |
| Address | Address |
| <HOST> | 206.189.145.254 |
| maps to | maps to |
| \S+, | buycost.io, |
| but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\s* | but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT! |
| $ | end of line |
2. Add the regex
Since the entries are in auth.log, I added the regex to the sshd filter:
/etc/fail2ban/filter.d/sshd.conf
3. Test the regex
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
Below is the output when the regex is wrong:
Because "[]" must be escaped in the regex, leaving it unescaped makes the match fail, which gives the result below.
Below is the output when the regex is correct:
4. Restart fail2ban so the new configuration takes effect
sudo service fail2ban restart
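To see what fail2ban-regex is checking in step 3, here is an added Python example (not from the post and not fail2ban's own code) that expands the post's failregex with simplified stand-ins for %(__prefix_line)s and <HOST> (assumptions; fail2ban's real definitions in filter.d/common.conf are more general), runs it over constructed log lines, and shows why an unescaped [] in the prefix makes the pattern miss.

```python
import re

# Simplified stand-ins for fail2ban's placeholders (assumption: the real
# %(__prefix_line)s and the built-in <HOST> are more general; these cover
# the syslog format shown in the post).
PREFIX_LINE = r"\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ sshd\[\d+\]: "
# Same prefix with the [] left unescaped: "[\d+]" is a character class, so it
# can never match the literal "[20316]" in the log line.
UNESCAPED_PREFIX = r"\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ sshd[\d+]: "
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the post, as it would be added to sshd.conf.
FAILREGEX = (r"^%(__prefix_line)sAddress <HOST> maps to \S+, "
             r"but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\s*$")


def compile_failregex(failregex=FAILREGEX, prefix_line=PREFIX_LINE):
    """Expand the fail2ban placeholders and compile the resulting pattern."""
    expanded = failregex.replace("%(__prefix_line)s", prefix_line).replace("<HOST>", HOST)
    return re.compile(expanded)


def match_hosts(lines, prefix_line=PREFIX_LINE):
    """Return the <host> captured from every line the failregex matches, in log
    order; this is the address fail2ban would count a failure against."""
    rx = compile_failregex(prefix_line=prefix_line)
    return [m.group("host") for m in map(rx.match, lines) if m]


# Constructed sample log lines: the first is the entry quoted in the post, the
# others are made up for this example. Line 2 is an ordinary sshd message that
# the failregex must not match.
SAMPLE_LOG = [
    "Oct 28 09:35:11 hostname sshd[20316]: Address 206.189.145.254 maps to buycost.io, "
    "but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
    "Oct 28 09:36:02 hostname sshd[20320]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Oct 28 09:37:45 hostname sshd[20331]: Address 192.0.2.10 maps to example.invalid, "
    "but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
]

if __name__ == "__main__":
    print("matched hosts:", match_hosts(SAMPLE_LOG))                        # two hits
    print("with unescaped []:", match_hosts(SAMPLE_LOG, UNESCAPED_PREFIX))  # none
```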
I'm Juanjuan, a programmer. I write down the problems I run into at work and their solutions, to share them with others who need them.