Hello, wanting to ban this kind of miscreant once and for all, I made a small intrus-01.conf containing the following filter.

89.215.11.138 - - [29/Apr/2008:07:41:45 +0200] "POST /phpmyadmin/main.php HTTP/1.0" 404 324 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
89.215.11.138 - - [29/Apr/2008:07:42:10 +0200] "POST /phpmyadmin0/main.php HTTP/1.0" 404 325 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
89.215.11.138 - - [29/Apr/2008:07:42:34 +0200] "POST /phpmyadmin1/main.php HTTP/1.0" 404 325 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
89.215.11.138 - - [29/Apr/2008:07:42:58 +0200] "POST /phpmyadmin2/main.php HTTP/1.0" 404 325 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
89.215.11.138 - - [29/Apr/2008:07:43:22 +0200] "POST /pma/main.php HTTP/1.0" 404 317 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
212.45.52.226 - - [20/Apr/2008:16:03:16 +0200] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 330 "-" "-"
212.45.52.226 - - [20/Apr/2008:16:03:16 +0200] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 330 "-" "-"
212.45.52.226 - - [20/Apr/2008:16:03:16 +0200] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 330 "-" "-"
212.45.52.226 - - [20/Apr/2008:16:03:16 +0200] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 330 "-" "-"
212.45.52.226 - - [20/Apr/2008:16:03:16 +0200] "GET /phpMyAdmin-2.5.5-rc1/main.php HTTP/1.0" 404 334 "-" "-"
212.45.52.226 - - [20/Apr/2008:16:03:16 +0200] "GET /phpMyAdmin-2.5.5-rc2/main.php HTTP/1.0" 404 334 "-" "-"
The result is below:

failregex = <HOST>*.*"(GET|POST).*/main.php HTTP/1.0" 404.*
My question is: won't fail2ban try to ban addresses of the form 89.215.11.138 (Tue Apr 29 07:41:45 2008) and fail because of the extra date? Unless my filter is badly written, which is likely since I am an absolute beginner with regular expressions.

ns29364 ~ # fail2ban-regex /home/log/test01.log /etc/fail2ban/filter.d/intrus-01.conf
Running tests
=============
Use regex file : /etc/fail2ban/filter.d/intrus-01.conf
Use log file : /home/log/test01.log
Results
=======
Failregex:
[1] <HOST>*.*"(GET|POST).*/main.php HTTP/1.0" 404.*
Number of matches:
[1] 11 match(es)
Addresses found:
[1]
89.215.11.138 (Tue Apr 29 07:41:45 2008)
89.215.11.138 (Tue Apr 29 07:42:10 2008)
89.215.11.138 (Tue Apr 29 07:42:34 2008)
89.215.11.138 (Tue Apr 29 07:42:58 2008)
89.215.11.138 (Tue Apr 29 07:43:22 2008)
212.45.52.226 (Sun Apr 20 16:03:16 2008)
212.45.52.226 (Sun Apr 20 16:03:16 2008)
212.45.52.226 (Sun Apr 20 16:03:16 2008)
212.45.52.226 (Sun Apr 20 16:03:16 2008)
212.45.52.226 (Sun Apr 20 16:03:16 2008)
212.45.52.226 (Sun Apr 20 16:03:16 2008)
Date template hits:
0 hit: Month Day Hour:Minute:Second
0 hit: Weekday Month Day Hour:Minute:Second Year
0 hit: Weekday Month Day Hour:Minute:Second
0 hit: Year/Month/Day Hour:Minute:Second
11 hit: Day/Month/Year:Hour:Minute:Second
0 hit: Year-Month-Day Hour:Minute:Second
0 hit: TAI64N
0 hit: Epoch
Success, the total number of match is 11
However, look at the above section 'Running tests' which could contain important
information.
Thanks in advance for your replies and clarifications.
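As an added example (not code from the post, nor fail2ban's own code), the following Python script reproduces what fail2ban-regex does with the filter above: it expands <HOST> the way fail2ban 0.8 does, runs the posted failregex and a tighter variant of my own over sample lines taken from the post, and returns the address and the timestamp separately, which is how the "Addresses found" output is built.

```python
import re
from datetime import datetime
from typing import List, Tuple

# Added example, not part of the original post or of fail2ban itself.
# fail2ban-regex expands <HOST> to its own host pattern, searches the
# expanded regex on every log line, and parses the Apache timestamp on
# its own. The time shown in parentheses under "Addresses found" is that
# parsed timestamp; only the <host> group (the bare IP) is banned.

# Constructed sample: two lines from the post plus one harmless request
# (documentation address 192.0.2.10) that a filter must NOT match.
SAMPLE_LOG = """\
89.215.11.138 - - [29/Apr/2008:07:41:45 +0200] "POST /phpmyadmin/main.php HTTP/1.0" 404 324 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
212.45.52.226 - - [20/Apr/2008:16:03:16 +0200] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 330 "-" "-"
192.0.2.10 - - [29/Apr/2008:08:00:00 +0200] "GET /main.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# What fail2ban 0.8 substitutes for <HOST>: optional IPv4-mapped prefix, then the host.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
# Apache combined-log timestamp, e.g. [29/Apr/2008:07:41:45 +0200]
APACHE_TIME = re.compile(r"\[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

# The filter exactly as posted.
FAILREGEX_POST = r'<HOST>*.*"(GET|POST).*/main.php HTTP/1.0" 404.*'
# A tighter variant (my suggestion, not from the post): anchored at the line
# start, dots escaped, and \S* instead of .* so the match cannot wander
# across fields of the log line.
FAILREGEX_TIGHT = r'^<HOST> - - \[[^\]]+\] "(?:GET|POST) \S*/main\.php HTTP/1\.[01]" 404 '


def run_filter(failregex: str, log_text: str) -> List[Tuple[str, str]]:
    """Return (host, timestamp as fail2ban-regex prints it) for each matching line."""
    rx = re.compile(failregex.replace("<HOST>", HOST_PATTERN))
    hits = []
    for line in log_text.splitlines():
        m = rx.search(line)
        if m is None:
            continue
        t = APACHE_TIME.search(line)
        when = "?"  # no Apache timestamp found on this line
        if t:
            when = datetime.strptime(t.group("ts"), "%d/%b/%Y:%H:%M:%S").strftime("%a %b %d %H:%M:%S %Y")
        hits.append((m.group("host"), when))
    return hits


if __name__ == "__main__":
    for name, rx in (("post", FAILREGEX_POST), ("tight", FAILREGEX_TIGHT)):
        print(name, run_filter(rx, SAMPLE_LOG))
```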