
How to create a regex for an OpenVPN fail2ban filter

Server Fault user
Asked 2018-06-19 22:38:54
Answers: 1 | Views: 3.3K | Followers: 0 | Votes: 3

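Some people are trying to get into my OpenVPN server. Right now I am banning each IP manually, because I don't know how to set up the fail2ban regex. The following is basically what I find in my /var/log/syslog: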

Jun 18 19:57:01 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]196.52.43.65:6666
Jun 18 19:57:03 Server ovpn-openvpn_tcp[856]: 196.52.43.65:6666 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jun 18 19:57:03 Server ovpn-openvpn_tcp[856]: 196.52.43.65:6666 Connection reset, restarting [0]
Jun 18 19:57:03 Server ovpn-openvpn_tcp[856]: 196.52.43.65:6666 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 18 20:42:20 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]23.239.65.138:61397
Jun 18 20:42:20 Server ovpn-openvpn_tcp[856]: 23.239.65.138:61397 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jun 18 20:42:20 Server ovpn-openvpn_tcp[856]: 23.239.65.138:61397 Connection reset, restarting [0]
Jun 18 20:42:20 Server ovpn-openvpn_tcp[856]: 23.239.65.138:61397 SIGUSR1[soft,connection-reset] received, client-instance restarting

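I tried to create a filter following OpenVPN's official fail2ban guide, but I think it is outdated, and after running some tests it does not parse correctly. The guide tells me to do the following: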

#Fail2Ban filter for selected OpenVPN rejections 

[Definition]

# Example messages (other matched messages not seen in the testing server's logs):
# Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
# Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed

failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^ <HOST>:\d+ Connection reset, restarting
            ^ <HOST>:\d+ Fatal TLS Error
            ^ <HOST>:\d+ TLS Error: TLS handshake failed$
            ^ <HOST>:\d+ VERIFY ERROR
            ^ <HOST>:\d+ Bad encapsulated packet length

ignoreregex =

And this is in my jail.local file:

[openvpndeny]

enabled  = true
port     = 443
protocol = tcp
filter   = openvpndeny
logpath  =  /var/log/syslog
maxretry = 3

Unfortunately, after running fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/openvpndeny.conf, I get the output below:

Running tests
=============

Use   failregex filter file : openvpndeny, basedir: /etc/fail2ban
Use         log file : /var/log/syslog
Use         encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [4608] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 4608 lines, 0 ignored, 0 matched, 4608 missed
[processed in 3.78 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 4608 lines

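I started learning how to use regex today, because I already asked on Stack Overflow and nobody could really help me. I don't know how fail2ban is defined to get the IP. I tried to get the IP my own way, making a filter like this:

(\d+\.\d+\.\d+\.\d+:\d+ Connection reset, restarting) -- it works on https://regex101.com/ but not with fail2ban.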

1 Answer

Server Fault user

Posted 2018-06-20 01:50:44

After learning more about regex, I was able to create a filter like this for fail2ban:

[Definition]

failregex = <HOST>:\d+ (Connection reset, restarting|TLS Error: TLS handshake failed|Fatal TLS error|VERIFY ERROR|WARNING: Bad encapsulated packet length)
ignoreregex =

Votes: 2
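
An added example, not part of the original question or answer: a simplified Python model of how fail2ban applies a failregex, run over the log lines from the question, showing why the anchored `^ <HOST>` form misses every line while the unanchored form matches, and how the hits compare with the jail's `maxretry`. It assumes fail2ban removes the timestamp before matching and uses an IPv4-only stand-in for the `<HOST>` tag; `failures` and `banned` are hypothetical helper names.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# the real expansion also covers IPv6 and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Simplified model (assumption) of fail2ban cutting the timestamp out first.
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d")

# Anchored form, as in the guide's filter quoted in the question.
GUIDE_STYLE = r"^ <HOST>:\d+ Connection reset, restarting"
# Unanchored form, as in the answer.
ANSWER_STYLE = (
    r"<HOST>:\d+ (Connection reset, restarting|TLS Error: TLS handshake failed"
    r"|Fatal TLS error|VERIFY ERROR|WARNING: Bad encapsulated packet length)"
)

# Log lines from the question, with the long warning text shortened.
SAMPLE_LOG = """\
Jun 18 19:57:01 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]196.52.43.65:6666
Jun 18 19:57:03 Server ovpn-openvpn_tcp[856]: 196.52.43.65:6666 WARNING: Bad encapsulated packet length from peer (5635)
Jun 18 19:57:03 Server ovpn-openvpn_tcp[856]: 196.52.43.65:6666 Connection reset, restarting [0]
Jun 18 19:57:03 Server ovpn-openvpn_tcp[856]: 196.52.43.65:6666 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 18 20:42:20 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]23.239.65.138:61397
Jun 18 20:42:20 Server ovpn-openvpn_tcp[856]: 23.239.65.138:61397 WARNING: Bad encapsulated packet length from peer (5635)
Jun 18 20:42:20 Server ovpn-openvpn_tcp[856]: 23.239.65.138:61397 Connection reset, restarting [0]
Jun 18 20:42:20 Server ovpn-openvpn_tcp[856]: 23.239.65.138:61397 SIGUSR1[soft,connection-reset] received, client-instance restarting
""".splitlines()

def failures(failregex, lines):
    """Count matching lines per source address (findtime is not modelled)."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    hits = Counter()
    for line in lines:
        rest = TIMESTAMP.sub("", line, count=1)  # " Server ovpn-openvpn_tcp[856]: ..."
        m = pattern.search(rest)                 # unanchored search over the remainder
        if m:
            hits[m.group("host")] += 1
    return hits

def banned(hits, maxretry=3):
    """Addresses whose failure count has reached maxretry (jail.local uses 3)."""
    return sorted(ip for ip, n in hits.items() if n >= maxretry)

if __name__ == "__main__":
    for name, rx in (("guide", GUIDE_STYLE), ("answer", ANSWER_STYLE)):
        hits = failures(rx, SAMPLE_LOG)
        print(name, dict(hits), "banned at maxretry=3:", banned(hits))
```

In this model the anchored form fails because the remainder of each syslog line starts with the `Server ovpn-openvpn_tcp[856]:` prefix rather than the address. Each connection in the sample produces two matching lines, so with `maxretry = 3` an address reaches the threshold on its second connection.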
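The original content of this page is provided by Server Fault. Translation support is provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link: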

https://serverfault.com/questions/917382