
请问fail2ban来保护ssr怎么配置日志规则? #1

Closed
jiangtao69039 opened this issue Mar 1, 2019 · 5 comments

Comments

jiangtao69039 commented Mar 1, 2019

What should I write in filter.d?

ferstar (Owner) commented Jun 11, 2019

@jiangtao69039 I haven't used ssr, so I'm not sure what its log format looks like. You need a rough understanding of regular expressions, then follow the pattern of what I wrote here:
https://blog.ferstar.org/post/ubuntu-18.04-set-up-shadowsocks-server-with-fail2ban

sudo tee /etc/fail2ban/filter.d/shadowsocks-libev.conf > /dev/null <<EOF
[INCLUDES]
before = common.conf

[Definition]
_daemon = ss-server

failregex = ^\w+\s+\d+ \d+:\d+:\d+\s+%(__prefix_line)sERROR:\s+failed to handshake with <HOST>: authentication error$

ignoreregex =

datepattern = %%Y-%%m-%%d %%H:%%M:%%S
EOF

The key is the failregex=*** line: find the authentication-failure entries in the ssr log, i.e. the malicious-scan case, write a regular expression for them, and put it under this parameter. Nothing else needs changing; you can use my config as-is.

For ss-libev, an authentication-failure log line looks like this:
Aug 15 08:59:07 <hostname> ss-server[1382]: 2018-08-15 08:59:07 ERROR: failed to handshake with <HOST>: authentication error
My regex ^\w+\s+\d+ \d+:\d+:\d+\s+%(__prefix_line)sERROR:\s+failed to handshake with <HOST>: authentication error$ matches it, which triggers fail2ban's filter condition, and that IP gets banned.

FenghenHome commented

How do I match an error like this one?
2019-08-20 00:30:59 WARNING tcprelay.py:521 Protocol ERROR, TCP ogn data 474554202f20485454502f312e300d0a4163636570743a20746578742f68746d6c0d0a557365722d4167656e743a204d6f7a696c6c612f352e3020284c696e75783b20553b20416e64726f696420342e342e323b20656e2d75733b205343482d49353335204275696c642f4b4f5434394829204170706c655765624b69742f3533342e333020284b48544d4c2c206c696b65204765636b6f292056657273696f6e2f342e30204d6f62696c65205361666172692f3533342e33300d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a from ::ffff:103.59.156.16:43577 via port 80 by UID 80

ferstar (Owner) commented Aug 31, 2019

@FenghenHome
Change failregex to the following:
^\d{4}-\d{2}-\d{2}.*?Protocol ERROR.*?::f{4}:<HOST>:\d+ via.*$

That is:

failregex = ^\d{4}-\d{2}-\d{2}.*?Protocol ERROR.*?::f{4}:<HOST>:\d+ via.*$

FenghenHome commented Aug 31, 2019

Thanks. Is there a single rule that matches both of the following lines?

2019-08-20 00:30:59 WARNING tcprelay.py:521 Protocol ERROR, TCP ogn data 474554202f20485454502f312e300d0a4163636570743a20746578742f68746d6c0d0a557365722d4167656e743a204d6f7a696c6c612f352e3020284c696e75783b20553b20416e64726f696420342e342e323b20656e2d75733b205343482d49353335204275696c642f4b4f5434394829204170706c655765624b69742f3533342e333020284b48544d4c2c206c696b65204765636b6f292056657273696f6e2f342e30204d6f62696c65205361666172692f3533342e33300d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a from ::ffff:103.59.156.16:43577 via port 80 by UID 80

2017-10-14 01:34:02 WARNING udprelay.py:316 Protocol ERROR, UDP ogn data 85f0405f4de23250e9537f08c1f19eb4796ced1e8777ce3874cb2765d35e9f5494426fb6955388c93b3442b2be8c94877d5d from ::ffff:211.97.129.143:44433

ferstar (Owner) commented Sep 2, 2019

@FenghenHome Yes, a regex like that is easy to write:
^.*Protocol ERROR.*?::f{4}:<HOST>:.*$
Test results:
First line

fail2ban-regex "2019-08-20 00:30:59 WARNING tcprelay.py:521 Protocol ERROR, TCP ogn data 474554202f20485454502f312e300d0a4163636570743a20746578742f68746d6c0d0a557365722d4167656e743a204d6f7a696c6c612f352e3020284c696e75783b20553b20416e64726f696420342e342e323b20656e2d75733b205343482d49353335204275696c642f4b4f5434394829204170706c655765624b69742f3533342e333020284b48544d4c2c206c696b65204765636b6f292056657273696f6e2f342e30204d6f62696c65205361666172692f3533342e33300d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a from ::ffff:103.59.156.16:43577 via port 80 by UID 80" "^.*Protocol ERROR.*?::f{4}:<HOST>:.*$"

Running tests
=============

Use   failregex line : ^.*Protocol ERROR.*?::f{4}:<HOST>:.*$
Use      single line : 2019-08-20 00:30:59 WARNING tcprelay.py:521 Protoc...


Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^.*Protocol ERROR.*?::f{4}:<HOST>:.*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed [processed in 0.00 sec] 

Second line

fail2ban-regex "2017-10-14 01:34:02 WARNING udprelay.py:316 Protocol ERROR, UDP ogn data 85f0405f4de23250e9537f08c1f19eb4796ced1e8777ce3874cb2765d35e9f5494426fb6955388c93b3442b2be8c94877d5d from ::ffff:211.97.129.143:44433" "^.*Protocol ERROR.*?::f{4}:<HOST>:.*$"

Running tests
=============

Use   failregex line : ^.*Protocol ERROR.*?::f{4}:<HOST>:.*$
Use      single line : 2017-10-14 01:34:02 WARNING udprelay.py:316 Protoc...


Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^.*Protocol ERROR.*?::f{4}:<HOST>:.*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed [processed in 0.00 sec]
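The two fail2ban-regex runs above only show that a single line matches. What decides a ban is the jail: fail2ban expands <HOST>, extracts the client address from every matching line, and bans a host once it has maxretry hits inside findtime. The script below is an added example (not fail2ban's code and not part of this issue or the project) that dry-runs that logic over constructed ShadowsocksR lines. It uses the regex from the Sep 2 comment as posted, and beside it a looser variant (an assumption, not from the thread) in which the "::ffff:" prefix is optional, because the posted regex silently misses a server that listens on plain IPv4 and logs "from 198.51.100.7:5555" without the IPv4-mapped prefix. The IPv4-only HOST_PATTERN is a simplified stand-in for fail2ban's real host pattern; the addresses 103.59.156.16 and 211.97.129.143 are the ones from the thread, the others are documentation addresses, and the lines themselves are constructed.

```python
"""Dry-run a fail2ban-style failregex over ShadowsocksR log lines.

Added example, not fail2ban's or the project's own code.  It mimics what a
jail does: expand the <HOST> placeholder, pull the client address out of
each matching line, and count hits per host inside a findtime window
against maxretry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban swaps <HOST> for its own, much broader, host pattern before
# compiling.  This IPv4-only stand-in is an assumption for the dry run.
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Regex posted in the thread: it requires the IPv4-mapped "::ffff:" prefix.
THREAD_REGEX = r"^.*Protocol ERROR.*?::f{4}:<HOST>:.*$"

# Looser variant (assumption): the prefix is optional, so a server that
# listens on plain IPv4 and logs "from 1.2.3.4:port" is still covered.
LOOSE_REGEX = r"^.*Protocol ERROR.*? from (?:::f{4}:)?<HOST>:\d+"

# Constructed sample log (payload hex shortened).
SAMPLE_LOG = [
    # three scans from one client within a few minutes: should be banned
    "2019-08-20 00:30:59 WARNING tcprelay.py:521 Protocol ERROR, TCP ogn data 474554 from ::ffff:103.59.156.16:43577 via port 80 by UID 80",
    "2019-08-20 00:31:10 WARNING tcprelay.py:521 Protocol ERROR, TCP ogn data 474554 from ::ffff:103.59.156.16:43590 via port 80 by UID 80",
    "2019-08-20 00:32:44 WARNING tcprelay.py:521 Protocol ERROR, TCP ogn data 474554 from ::ffff:103.59.156.16:43602 via port 80 by UID 80",
    # two UDP errors from one client more than findtime apart: not banned
    "2019-08-20 00:33:00 WARNING udprelay.py:316 Protocol ERROR, UDP ogn data 85f040 from ::ffff:211.97.129.143:44433",
    "2019-08-20 02:45:00 WARNING udprelay.py:316 Protocol ERROR, UDP ogn data 85f040 from ::ffff:211.97.129.143:44499",
    # three scans logged WITHOUT the ::ffff: prefix (IPv4-only listener)
    "2019-08-20 00:40:01 WARNING tcprelay.py:521 Protocol ERROR, TCP ogn data 474554 from 198.51.100.7:5555 via port 80 by UID 80",
    "2019-08-20 00:40:05 WARNING tcprelay.py:521 Protocol ERROR, TCP ogn data 474554 from 198.51.100.7:5556 via port 80 by UID 80",
    "2019-08-20 00:40:09 WARNING tcprelay.py:521 Protocol ERROR, TCP ogn data 474554 from 198.51.100.7:5557 via port 80 by UID 80",
    # an unrelated line (constructed format) that must never count as a hit
    "2019-08-20 00:41:00 INFO tcprelay.py:600 connection from ::ffff:203.0.113.9:1234",
]


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def extract_hosts(lines, failregex):
    """Return a list of (timestamp, host) for every line the regex matches.

    The timestamp is taken from the leading 'YYYY-mm-dd HH:MM:SS', which is
    what the datepattern on this page selects.
    """
    rx = compile_failregex(failregex)
    hits = []
    for line in lines:
        m = rx.match(line)
        if not m:
            continue
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        hits.append((ts, m.group("host")))
    return hits


def hosts_to_ban(hits, maxretry=3, findtime=timedelta(seconds=600)):
    """Sliding-window count per host, like a jail's maxretry/findtime."""
    recent = defaultdict(list)
    banned = set()
    for ts, host in sorted(hits):
        window = [t for t in recent[host] if ts - t <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    for name, rx in (("thread", THREAD_REGEX), ("loose", LOOSE_REGEX)):
        hits = extract_hosts(SAMPLE_LOG, rx)
        print(f"{name}: {len(hits)} hits, ban {sorted(hosts_to_ban(hits))}")
```

With the thread's regex the 198.51.100.7 scanner produces no hits at all and is never banned; the looser variant catches it while leaving the single-hit and out-of-window hosts alone. Whatever regex you settle on, feed real lines from your own log through fail2ban-regex as ferstar did above, since this dry run only approximates fail2ban's host pattern and date handling.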
