我需要點擊 ?page not found? 這樣的日志條目:
185.220.100.252 - - [13/May/2022:10:03:58 0200] "GET /EXPLOIT.php HTTP/1.1" 404 14780 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"
這個失敗正則運算式基本上有效
^<HOST> -\s*- \[.*\] "GET .*" 404 \d "-" ".*"$
并從 30k 個條目中找到 8900 個。我正在測驗
fail2ban-regex /var/log/apache2/scienceblog.at.access.log '^<HOST> -\s*- \[.*\] "GET .*" 404 \d "-" ".*"$'
也是如此
^<HOST> -\s*- \[.*.*\] "GET .*" 404 \d "-" ".*"$
但是,當我嘗試在方括號之間進行具體說明時,例如
^<HOST> -\s*- \[.*\d.*\] "GET .*" 404 \d "-" ".*"$
^<HOST> -\s*- \[.*\s.*\] "GET .*" 404 \d "-" ".*"$
^<HOST> -\s*- \[.* .*\] "GET .*" 404 \d "-" ".*"$
^<HOST> -\s*- \[\d.*\] "GET .*" 404 \d "-" ".*"$
^<HOST> -\s*- \[.*0200\] "GET .*" 404 \d "-" ".*"$
^<HOST> -\s*- \[.* .*\] "GET .*" 404 \d "-" ".*"$
或其他任何東西(更不用說評估整個日期字串的正則運算式)過濾器找不到單個日志條目,我不知道為什么。我已經閱讀了我在這里和其他地方在 fail2ban-regex 上找到的內容,但無濟于事。
uj5u.com熱心網友回復:
failregex 匹配沒有日期的日志檔案條目,因此對于您的示例
185.220.100.252 - - [13/May/2022:10:03:58 0200] "GET /EXPLOIT.php HTTP/1.1" 404 14780 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"
fail2ban 已自行提取日期
13/May/2022:10:03:58 0200
并將其從日志條目中洗掉,因此實際上將您的正則運算式與
185.220.100.252 - - [] "GET /EXPLOIT.php HTTP/1.1" 404 14780 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"
所以對你有用的正則運算式正在作業,因為
\[.*\]兩者\[.*.*\]都匹配[],但其他的只有在括號之間確實有東西的情況下才匹配。
恕我直言,這根本不直觀,因為“錯過的行”的輸出包括日期:
Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.01 sec]
|- Missed line(s):
| 185.220.100.252 - - [13/May/2022:10:03:58 0200] "GET /EXPLOIT.php HTTP/1.1" 404 14780 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"
但是您可以驗證是這種情況,因為這將成功匹配:
'^<HOST> -\s*- \[\] "GET .*" 404 \d "-" ".*"$'
進一步閱讀:
https://dee.underscore.world/blog/fail2ban-filters/
轉載請註明出處,本文鏈接:https://www.uj5u.com/ruanti/475189.html
下一篇:正則運算式匹配未包含在宏中的字串