fail2ban gitlab登录尝试

Question

我试图使用fail2ban阻止通过UI进行太多登录尝试的源的IP地址。fail2ban为sshd正常工作，但它没有使用我为gitlab访问日志定制的筛选器。

系统

• ubuntu服务器16.04.4 LTS
• gitlab 10.8.4
• fail2ban 0.9.3

访问日志权限/路径

-rw-r--r-- 1 root root 186726 Jun 21 09:54 /var/log/gitlab/nginx/gitlab_access.log

要禁用的访问日志示例

192.168.1.2 - - [21/Jun/2018:09:52:06 -0400] "POST /users/sign_in HTTP/2.0" 200 4199 "https://example.com:88/users/sign_in" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"

fail2ban配置

/etc/fail2ban/jail.conf

[nginx-gitlab]

enabled  = true
port     = http,https
filter   = nginx-gitlab
logpath  = /var/log/gitlab/nginx/gitlab_access.log
maxretry = 3

fail2ban滤波器

/etc/fail2ban/filter.d/nginx-gitlab.conf

# Fail2Ban configuration file
#
# Author: Deac Karns 
#

[Definition]


failregex = ^<HOST> – -.*”POST /users/sign_in HTTP.*” 200.*$

ignoreregex =

fail2ban-regex测试输出

sudo fail2ban-regex /var/log/gitlab/nginx/gitlab_access.log /etc/fail2ban/filter.d/nginx-gitlab.conf


Running tests
=============

Use   failregex filter file : nginx-gitlab, basedir: /etc/fail2ban
Use         log file : /var/log/gitlab/nginx/gitlab_access.log
Use         encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1147] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 1147 lines, 0 ignored, 0 matched, 1147 missed [processed in 0.06 sec] 
Missed line(s): too many to print.  Use --print-all-missed to print all 1147 lines

Answer 1

你的过滤器里有错误的字符。是你手工写的吗？相反，您应该复制和粘贴要匹配的日志，以避免键入类似的字符。

第一个错误字符是连字符.

• 你写了^<HOST> – -
• 但这是预期的^<HOST> - -

另一个错误的字符是双引号，如@丹布莱克的评论.所指出的

• 你写了.*”POST /users/sign_in HTTP.*” 200.*$
• 但这是预期的.*"POST /users/sign_in HTTP.*" 200.*$

最后，让我建议您在筛选器中添加一个关于匹配状态代码200的注释，这似乎是绝对有效的，它的存在可能会变得非常混乱。我们认为状态代码200登录尝试失败是恰当的，因为如果成功，它将是302 (而不是重定向)。

过滤器的固定版本

/etc/fail2ban/filter.d/nginx-gitlab.conf

# Fail2Ban configuration file
#
# Authors: Deac Karns & jirislav
#

[Definition]

# We are considering status code 200 as failed login attempt 
# because if it was successfull, it would be 302
failregex = ^<HOST> - -.*"POST /users/sign_in HTTP.*" 200.*$

ignoreregex =

Answer 2

你的一些角色需要转义。我还用更多的锚对表达式进行了改进，使其更加安全。尝尝这个

failregex = ^<HOST> - - \[.+\] \"POST \/users\/sign_in HTTP\/.+\".*\b\"$

您可以在：regex101.com替换：

^(\d+.\d+.\d+.\d+) - - \[.+\] \"POST \/users\/sign_in HTTP\/.+\".*\b\"$