Web server under attack from redirected traffic

Time: 2014-09-03 10:52:32

Tags: regex apache debian firewall fail2ban

My web server is currently used only for my personal website, and it is being overloaded by redirected traffic. I tried using fail2ban to reduce the load, but my regex is not that good.

Here is a sample from my access log
142.4.113.210 - - [03/Sep/2014:12:40:39 +0200] "GET http://ads.sonital.com/ttj?id=3139842&size=300x250&cb=[CACHEBUSTER] HTTP/1.0" 404 522 "http://www.seversname.com/?p=1387" "Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.195.1 Safari/532.0"
184.105.160.169 - - [03/Sep/2014:12:40:39 +0200] "GET http://ads.sonital.com/ttj?id=3397183&size=300x250&cb=[CACHEBUSTER] HTTP/1.0" 404 522 "http://www.ibusinessstatistics.com/?p=1003" "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.0; Windows NT 6.0; 001|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; .NET CLR 1.1.4322)"
142.4.118.60 - - [03/Sep/2014:12:40:40 +0200] "GET http://ads.sonital.com/ttj?id=3139831&size=300x250&cb=[CACHEBUSTER] HTTP/1.0" 404 522 "http://www.selceticon.com/?p=892" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Avant Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; .NET CLR 3.5.21022; InfoPath.2)"
142.4.113.215 - - [03/Sep/2014:12:40:40 +0200] "GET http://ads.sonital.com/ttj?id=3139842&size=300x250&cb=[CACHEBUSTER] HTTP/1.0" 404 522 "http://www.seversname.com/?p=1262" "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.5; AOLBuild 4337.42; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
192.74.240.178 - - [03/Sep/2014:12:40:40 +0200] "GET http://ads.sonital.com/ttj?id=3342345&size=300x250&cb=[CACHEBUSTER] HTTP/1.0" 404 522 "http://www.ifinanceblog.com/?p=1615" "Mozilla/4.0 (compatible; MSIE 6.0; AOL 9.6; AOLBuild 4340.12; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"

This is my error log

[Wed Sep 03 12:47:59 2014] [error] [client 198.40.51.25] File does not exist: /var/www/ttj, referer: http://www.seversname.com/?p=1309
[Wed Sep 03 12:47:59 2014] [error] [client 192.74.252.17] File does not exist: /var/www/ttj, referer: http://www.caridly.com/?p=1393
[Wed Sep 03 12:47:59 2014] [error] [client 198.40.62.198] File does not exist: /var/www/ttj, referer: http://www.selceticon.com/?p=1281
[Wed Sep 03 12:48:00 2014] [error] [client 198.40.62.237] File does not exist: /var/www/ttj, referer: http://www.selceticon.com/?p=1001
[Wed Sep 03 12:48:00 2014] [error] [client 148.163.24.107] File does not exist: /var/www/tt, referer: http://www.elanceapc.com/?p=1515
[Wed Sep 03 12:48:00 2014] [error] [client 137.175.105.79] File does not exist: /var/www/tt, referer: http://www.elanceapc.com/?p=1522

Here is the code in my filter, which points at the error log.

before = apache-common.conf
failregex = ^\[\w{1,3}.\w{1,3}.\d{1,2}.\d{1,2}:\d{1,2}:\d{1,2} \d{1,4}. \[error] \[client.<HOST>].File does not exist: ~*
ignoreregex =

Here is the code in jail.local

[apache-nohome]
enabled   = true
port      = http,https
filter    = apache-nohome
logpath   = /var/log/apache*/*error.log
maxretry  = 1
findtime = 604800
bantime = 604800

Any help would be greatly appreciated.

1 Answer:

Answer 0: (score: 0)

According to the docs, fail2ban has a great tool: fail2ban-regex

root@server:/# fail2ban-regex 'Wed Sep 03 12:48:00 2014] [error] [client 148.163.24.107] File does not exist: /var/www/tt, referer: {{3} }' '\[error] \[client.<HOST>\].File does not exist: ~*'

Running tests
=============

Use regex line : \[error] \[client.<HOST>\].File does not exist: ~*
Use single line: Wed Sep 03 12:48:00 2014] [error] [client 148.163....


Results
=======

Failregex
|- Regular expressions:
|  [1] \[error] \[client.<HOST>\].File does not exist: ~*
|
`- Number of matches:
   [1] 1 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    148.163.24.107 (Wed Sep 03 12:48:00 2014)

Date template hits:
2 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 1

So the correct regex is \[error] \[client.<HOST>\].File does not exist: ~*

I had never used fail2ban before...
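As an added example (not code from the question or the answer), the check below does offline in Python what fail2ban-regex does above: it expands `<HOST>` the way fail2ban does (the HOST_RE pattern is assumed to mirror the stock fail2ban expansion; confirm against your version's fail2ban-regex output) and runs the answer's regex over the error-log lines from the question, so you can see which client addresses a jail would count as failures before enabling a ban.

```python
import re

# fail2ban replaces <HOST> with this capture group before compiling a
# failregex. Assumed to mirror the stock expansion; verify on your version.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the answer above, verbatim. Note that "~*" means
# "zero or more tildes", so it matches the empty string and adds nothing.
FAILREGEX = r"\[error] \[client.<HOST>\].File does not exist: ~*"

# Constructed sample: two lines copied from the error log in the question
# plus one unrelated notice line that must NOT count as a failure.
SAMPLE_ERROR_LOG = """\
[Wed Sep 03 12:47:59 2014] [error] [client 198.40.51.25] File does not exist: /var/www/ttj, referer: http://www.seversname.com/?p=1309
[Wed Sep 03 12:48:00 2014] [error] [client 148.163.24.107] File does not exist: /var/www/tt, referer: http://www.elanceapc.com/?p=1515
[Wed Sep 03 12:48:01 2014] [notice] caught SIGTERM, shutting down
"""


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> as fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def matching_hosts(failregex: str, log_text: str) -> list:
    """Return the <host> captured on every line the failregex matches.

    fail2ban strips the date prefix and then searches the remainder, so a
    search() over the whole line makes the same match decision here.
    """
    pattern = compile_failregex(failregex)
    hosts = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    for host in matching_hosts(FAILREGEX, SAMPLE_ERROR_LOG):
        print("failure counted for", host)
```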
