General information:
Distribution: Ubuntu 18.04
Fail2Ban v0.10.2
_Fill in and select the items that apply (`[x]`). If your Fail2Ban version is outdated, it cannot be verified whether the issue persists in the latest release, so it is better to ask for support from the distribution you obtained Fail2Ban from._
Dear sebres,

during the last 3 days I learned a lot about regex scripting :)
But the regex syntax is a really strange thing; I don't understand how it works.
Now I have the input of this WAF shown below, and I have to get the guacamole container activated today.
The log looks like this:

```json
{"log":"12:59:14.168 [http-nio-8080-exec-4] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.8.5, 172.17.0.1] for user \"admin\" failed.\n","stream":"stdout","time":"2020-11-22T11:59:14.168982605Z"}
{"log":"12:59:15.477 [http-nio-8080-exec-9] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.8.5, 172.17.0.1] for user \"admin\" failed.\n","stream":"stdout","time":"2020-11-22T11:59:15.477692225Z"}
```
Step 1: simple example. Useful information: https://github.com/fail2ban/fail2ban/issues/2645#issuecomment-592032811
Works!

```shell
fail2ban-regex -v \
'19:48:16.995 [http-nio-8080-exec-2] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.8.5, 172.17.0.1] for user "dfg" failed.' \
'\b[Aa]uthentication attempt from \[<HOST>(?:,[^\]]*)?\] (?:for user (?:"[^"]*" )?)?failed\.\s*$'
```

Step 2: add a date pattern. Helpful: https://github.com/fail2ban/fail2ban/issues/2592#issuecomment-573119939
Fails :(

```shell
fail2ban-regex -v \
--datepattern='^\{"log":"%%H:%%M:%%S\.%%f+\s+' \
'"log":"19:48:16.995 [http-nio-8080-exec-2] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.8.5, 172.17.0.1] for user "dfg" failed."' \
'\b[Aa]uthentication attempt from \[<HOST>(?:,[^\]]*)?\] (?:for user (?:"[^"]*" )?)?failed\.\s*$'
```

And using the whole log string, with `"n","stream":"stdout","time":"2020-11-22T11:59:15.477692225Z""`, Step 1 returns NULL matches.
Could you help me here a second time?
Only in config files (e.g. in a filter or jail) must you escape `%` as `%%`. On the command line it should still be a single character, so:

```diff
-fail2ban-regex -v --datepattern='^\{"log":"%%H:%%M:%%S\.%%f+\s+' ...
+fail2ban-regex -v --datepattern='^\{"log":"%H:%M:%S\.%f+\s+' ...
```
As for the RE, your variant (even with the correct datepattern) would not work, because the message does not end with `failed.` (due to the final anchor `$` in `failed\.\s*$`). So the regex could be applied to the same content inside `"log":"value"`, but not to the whole message, which looks like json, contains more data, is wrapped in some structure and is escaped differently (e.g. `for user \"...`, note the backslashes).

I would do it like this:
```shell
$ msg='{"log":"12:59:14.168 [http-nio-8080-exec-4] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.8.5, 172.17.0.1] for user \"admin\" failed.\n","stream":"stdout","time":"2020-11-22T11:59:14.168982605Z"}'
$ dp=',"time"\s*:\s*"%Y-%m-%dT%H:%M:%S\.%f\d*%z"\}$'
$ re='^\{"log"\s*:\s*"\S+\s+\[[^\]]+\]\s+WARN\s+\S+\s+-\s+[Aa]uthentication attempt from \[<ADDR>(?:,[^\]]*)?\] (?:for user (?:\\"<F-USER>[^"]*</F-USER>\\" )?)?failed\.'
$ fail2ban-regex -v --datepattern="$dp" "$msg" "$re"
...
Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^\{"log"\s*:\s*"\S+\s+\[[^\]]+\]\s+WARN\s+\S+\s+-\s+[Aa]uthentication attempt from \[<ADDR>(?:,[^\]]*)?\] (?:for user (?:\\"<F-USER>[^"]*</F-USER>\\" )?)?failed\.
|   192.168.8.5  Sun Nov 22 12:59:14 2020
`-
...
Date template hits:
|- [# of hits] date format
|  [1] ,"time"\s*:\s*"Year-Month-DayT24hour:Minute:Second\.Microseconds\d*Zone offset"\}$
`-
Lines: 1 lines, 0 ignored, 1 matched, 0 missed
# newer version can output found failure data (rows):
$ fail2ban-regex -o row --datepattern="$dp" "$msg" "$re"
['192.168.8.5', 1606046354, {'ip6': None, 'user': 'admin', 'ip4': '192.168.8.5'}],
```
This is more unique, anchored from the start, and uses a datepattern for a more precise timestamp including the date (in UTC, at the end of the log line).
Also note that fail2ban cuts out the part of the message matched by the datepattern before the failregex is attempted.
A small error above (message updated): to recognize the `Z` (GMT symbol) one must use the zone offset token (`%z`) instead of the zone name token (`%Z`):

```diff
-dp=',"time"\s*:\s*"%Y-%m-%dT%H:%M:%S\.%f\d*%Z"\}$'
+dp=',"time"\s*:\s*"%Y-%m-%dT%H:%M:%S\.%f\d*%z"\}$'
...
-|   192.168.8.5  Sun Nov 22 11:59:14 2020
+|   192.168.8.5  Sun Nov 22 12:59:14 2020
...
-|  [1] ,"time"\s*:\s*"Year-Month-DayT24hour:Minute:Second\.Microseconds\d*Zone name"\}$
+|  [1] ,"time"\s*:\s*"Year-Month-DayT24hour:Minute:Second\.Microseconds\d*Zone offset"\}$
```
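The two points above (the end anchor `$` that never matches the json line, and the datepattern being cut out before the failregex runs) as an added worked example; this is not code from the thread or from fail2ban. It re-implements the matching order with Python's `re`, with `<ADDR>`/`<HOST>` and `<F-USER>` replaced by ordinary named groups (an IPv4-only approximation of fail2ban's tags) and the `%z` token handled by `strptime`; all of these are assumptions of this example.

```python
import json
import re
from datetime import datetime

# Constructed sample: one docker json-file log line, as in the thread.
SAMPLE = ('{"log":"12:59:14.168 [http-nio-8080-exec-4] WARN o.a.g.r.auth.AuthenticationService - '
          'Authentication attempt from [192.168.8.5, 172.17.0.1] for user \\"admin\\" failed.\\n",'
          '"stream":"stdout","time":"2020-11-22T11:59:14.168982605Z"}')

IP4 = r'\d{1,3}(?:\.\d{1,3}){3}'  # stand-in for fail2ban's <ADDR>/<HOST> tag (IPv4 only here)

# Step 1 regex from the thread: anchored to the end of the line with `failed\.\s*$`.
NAIVE_RE = re.compile(r'\b[Aa]uthentication attempt from \[(?P<addr>' + IP4 +
                      r')(?:,[^\]]*)?\] (?:for user (?:"[^"]*" )?)?failed\.\s*$')

# Equivalent of the datepattern `,"time"\s*:\s*"%Y-%m-%dT%H:%M:%S\.%f\d*%z"\}$`,
# with the date tokens expanded by hand; the last group accepts `Z` or a +hh:mm offset.
DATE_RE = re.compile(r',"time"\s*:\s*"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.(\d+)(Z|[+-]\d{2}:?\d{2})"\}$')

# The proposed failregex, with <ADDR> and <F-USER>...</F-USER> turned into named groups.
FAIL_RE = re.compile(r'^\{"log"\s*:\s*"\S+\s+\[[^\]]+\]\s+WARN\s+\S+\s+-\s+[Aa]uthentication attempt from '
                     r'\[(?P<addr>' + IP4 + r')(?:,[^\]]*)?\] (?:for user (?:\\"(?P<user>[^"]*)\\" )?)?failed\.')


def inner_log(line):
    """The unescaped value of the "log" key only (what Step 1 was really tested against)."""
    return json.loads(line)['log']


def naive_matches(text):
    """True if the end-anchored Step 1 regex matches `text`."""
    return NAIVE_RE.search(text) is not None


def parse_failure(line):
    """Mimic fail2ban's order: match the datepattern, cut it out, then run the failregex.
    Returns (ip, epoch_seconds, user) or None."""
    d = DATE_RE.search(line)
    if d is None:
        return None
    # Python's %f takes at most six digits; fail2ban's `%f\d*` swallows the rest the same way.
    stamp = '%s.%s%s' % (d.group(1), d.group(2)[:6], d.group(3))
    when = datetime.strptime(stamp, '%Y-%m-%dT%H:%M:%S.%f%z')  # %z understands 'Z' (Python >= 3.7)
    rest = line[:d.start()] + line[d.end():]                   # the datepattern part is removed
    f = FAIL_RE.search(rest)
    if f is None:
        return None
    return f.group('addr'), int(when.timestamp()), f.group('user')


if __name__ == '__main__':
    print(naive_matches(inner_log(SAMPLE)), naive_matches(SAMPLE))  # True False
    print(parse_failure(SAMPLE))  # ('192.168.8.5', 1606046354, 'admin')
```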
Thanks!
With your help I got it up and running. Really great!
In addition to your advice:

```
fail2ban.datedetector [20911]: INFO date pattern ',"time"\\s*:\\s*"%Y-%m-%dT%H:%M:%S\\.%f\\d*%z"\\}$': ,"time"\s*:\s*"Year-Month-DayT24hour:Minute:Second\.Microseconds\d*Zone offset"\}$
```
A last question. I want to reduce the future maintenance effort for fail2ban.filter :)
I thought the best I could do was to define the log path as follows (container update (id change etc.) not applicable here):

```
logpath = /media/data/docker/containers/*/*-json.log
```

instead of

```
logpath = /media/data/docker/containers/5e2543bbe77a52ff310073fdfb4183fa3fda6a3dd98294b48a081517baa20eb4/5e2543bbe77a52ff310073fdfb4183fa3fda6a3dd98294b48a081517baa20eb4-json.log \
```

This runs into an error.
What can I do?
> I want to reduce the future maintenance effort for fail2ban.filter.
> I thought the best I could do was to define the log path as follows.

Hmm. Because currently fail2ban performs the glob interpolation and search only once at startup (see issue #1379 and many experimental branches which are not yet reviewed and merged), your intention would change nothing.

> What can I do?

Well, remove the backslash `\` after `.log` :)
(Optional) The second parameter of every logpath is `head` or `tail`.
Once again: thank you!
The beer is on me!

Thanks!!! Thanks!
(I'd gladly enjoy the beer.. but given the situation it would probably have to be a plane ticket ;;)

Thanks again!