试图阻止在fail2ban上使用regex的访问者
我收到大量的PHP文件请求,这些文件在我的wordpress中不存在。 它们显示在nginx错误日志中,如下两个示例:试图阻止在fail2ban上使用regex的访问者,regex,nginx,fail2ban,Regex,Nginx,Fail2ban,我收到大量的PHP文件请求,这些文件在我的wordpress中不存在。 它们显示在nginx错误日志中,如下两个示例: 2019/06/24 03:16:43 [error] 4201#4201: *17573871 FastCGI sent in stderr: "Unable to open primary script: /var/www/html/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php (No such file or dir
2019/06/24 03:16:43 [error] 4201#4201: *17573871 FastCGI sent in stderr: "Unable to open primary script: /var/www/html/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php (No such file or directory)" while reading response header from upstream, client: 172.68.189.50, server: mywebsite.net, request: "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.2-fpm.sock:", host: "mywebsite.net"
2019/06/24 03:16:43 [error] 4201#4201: *17573871 FastCGI sent in stderr: "Unable to open primary script: /var/www/html/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php (No such file or directory)" while reading response header from upstream, client: 172.68.189.50, server: mywebsite.net, request: "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.2-fpm.sock:", host: "mywebsite.net"
我试过制作一个noscript过滤器
在文件/etc/fail2ban/jail.local中,我输入:
[nginx-noscript]
enabled = true
port = http,https
filter = nginx-noscript
logpath = /var/log/nginx/error.log
maxretry = 2
在文件/etc/fail2ban/filter.d/nginx-noscript.conf中,我输入:
[Definition]
failregex = \[error\] \d+#\d+: \*\d+ (FastCGI sent in stderr: "Unable to open primary script:)
ignoreregex =
但是这个过滤器没有捕获这些类型的404。systemctl重新启动fail2ban
后,fail2ban日志显示这些错误消息
2019-06-24 16:11:05,548 fail2ban.filter [6182]: ERROR No failure-id group in '\[error\] \d+#\d+: \*\d+ (FastCGI sent in stderr: "Unable to open primary script:)'
2019-06-24 16:11:05,548 fail2ban.transmitter [6182]: WARNING Command ['set', 'nginx-noscript', 'addfailregex', '\\[error\\] \\d+#\\d+: \\*\\d+ (FastCGI sent in stderr: "Unable to open primary script:)'] has failed. Received RegexException('No failure-id group in \'\\[error\\] \\d+#\\d+: \\*\\d+ (FastCGI sent in stderr: "Unable to open primary script:)\'',)
2019-06-24 16:11:05,549 fail2ban [6182]: ERROR NOK: ('No failure-id group in \'\\[error\\] \\d+#\\d+: \\*\\d+ (FastCGI sent in stderr: "Unable to open primary script:)\'',)
我做错了什么。这类nginx错误日志的完整正则表达式是什么。这应该有效(对于fail2ban>=0.10):
failregex=^\s*\[error\]\d+\\*\d+:\*\d+FastCGI在stderr中发送:“从上游读取响应头时无法打开主脚本:[^”]*,客户端:
如果您有较旧的版本(0.9或更低),请使用
而不是
(最好使用usedns=no
禁用监狱DNS查找).删除^
和$
锚,它们需要完整的字符串匹配。它仍然不起作用@WiktorStribiżewIt.@WiktorStribiżew fail2ban regex配置中还有一些其他问题。我添加了这些错误消息。
failregex = ^\s*\[error\] \d+#\d+: \*\d+ FastCGI sent in stderr: "Unable to open primary script: [^"]*" while reading response header from upstream, client: <ADDR>