
Multiple sshd regex for Received disconnect from … [preauth]

Published: 2020-12-14 06:27:36  Category: Encyclopedia  Source: web compilation

Will a fail2ban regex catch these log lines?
Apr  9 08:48:28 server sshd[1856]: Received disconnect from 43.255.190.117: 11:  [preauth]
Apr  9 09:06:05 server sshd[1936]: Received disconnect from 43.255.191.159: 11:  [preauth]
Apr  9 09:06:10 server sshd[1938]: Received disconnect from 43.255.190.126: 11:  [preauth]
Apr  9 09:31:12 server sshd[2005]: Received disconnect from 43.255.190.123: 11:  [preauth]
Apr  9 09:37:06 server sshd[2013]: Received disconnect from 43.255.190.149: 11:  [preauth]
Apr  9 09:53:55 server sshd[2036]: Received disconnect from 43.255.190.149: 11:  [preauth]
Apr  9 10:16:59 server sshd[2368]: Received disconnect from 43.255.190.165: 11:  [preauth]
Apr  9 10:47:30 server sshd[3800]: Received disconnect from 43.255.190.150: 11:  [preauth]
Apr  9 11:04:01 server sshd[6855]: Received disconnect from 43.255.190.131: 11:  [preauth]

and/or with Bye Bye

Apr  9 12:29:59 server sshd[7764]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:00 server sshd[7766]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:01 server sshd[7768]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:03 server sshd[7776]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:04 server sshd[7778]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:05 server sshd[7780]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:06 server sshd[7782]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:07 server sshd[7784]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:08 server sshd[7786]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:10 server sshd[7788]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:11 server sshd[7790]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:12 server sshd[7792]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:13 server sshd[7794]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:14 server sshd[7796]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:15 server sshd[7798]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:17 server sshd[7800]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]

Whatever these people are doing, I want a fail2ban rule for it. Despite the high frequency of the attempts, they apparently aren't doing anything else that trips fail2ban.

You can use this rule:
^%(__prefix_line)sReceived disconnect from <HOST>: 11: (Bye Bye)? \[preauth\]$

To test it with fail2ban-regex or egrep, you can strip the ^%(__prefix_line)s from the start. Add this line to the failregex variable in /etc/fail2ban/filter.d/sshd.conf.

A run with fail2ban-regex gave me these results, confirming that the rule matches:

Running tests
=============

Use regex file : sshd.conf
Use log file   : /var/log/auth.log


Results
=======

Failregex
|- Regular expressions:
[...]
|  [11] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Received disconnect from <HOST>: 11: (Bye Bye)? \[preauth\]$
|
`- Number of matches:
[...]
   [11] 545 match(es)
[...]
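As an added illustration (not part of the original question or answer), the following Python script runs the answer's failregex over the log lines quoted in the question and simulates fail2ban's maxretry/findtime sliding window, so you can see which source would actually be banned rather than just which lines match. The syslog prefix and the expansion of fail2ban's <HOST> placeholder are simplified assumptions made so the script runs stand-alone; they are not fail2ban's own __prefix_line or host pattern. The last two lines of the sample log are constructed negatives.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The failregex from the answer, with the <HOST> placeholder expanded.
# fail2ban substitutes a more elaborate pattern (IPv6, hostnames); the plain
# named group below is an assumption for this stand-alone example.
HOST_RE = r"(?P<host>\S+)"
FAILREGEX = r"Received disconnect from " + HOST_RE + r": 11: (Bye Bye)? \[preauth\]$"
FAIL_RE = re.compile("^" + FAILREGEX)

# fail2ban strips the syslog timestamp itself and then applies __prefix_line
# (hostname, optional "kernel:", "sshd[pid]:"). This simplified prefix only
# covers the plain syslog layout shown in the question (assumption).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\S+ sshd\[\d+\]: (?P<msg>.*)$"
)

# Sample input: lines quoted in the question, plus two constructed lines
# (the last two) that must NOT match the rule.
SAMPLE_LOG = [
    "Apr  9 08:48:28 server sshd[1856]: Received disconnect from 43.255.190.117: 11:  [preauth]",
    "Apr  9 09:37:06 server sshd[2013]: Received disconnect from 43.255.190.149: 11:  [preauth]",
    "Apr  9 09:53:55 server sshd[2036]: Received disconnect from 43.255.190.149: 11:  [preauth]",
    "Apr  9 12:29:59 server sshd[7764]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]",
    "Apr  9 12:30:00 server sshd[7766]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]",
    "Apr  9 12:30:01 server sshd[7768]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]",
    "Apr  9 12:30:03 server sshd[7776]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]",
    "Apr  9 12:30:04 server sshd[7778]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]",
    "Apr  9 12:30:05 server sshd[7780]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]",
    "Apr  9 12:31:00 server sshd[7801]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2",
    "Apr  9 12:31:05 server sshd[7803]: Received disconnect from 192.0.2.10: 11: disconnected by user",
]


def match_line(line):
    """Return (timestamp, host) if the line is a preauth disconnect, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    f = FAIL_RE.match(m.group("msg"))
    if not f:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine for computing intervals inside a single log.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, f.group("host")


def hits_per_host(lines):
    """Count matching lines per source host (what fail2ban-regex reports in aggregate)."""
    counts = defaultdict(int)
    for line in lines:
        hit = match_line(line)
        if hit:
            counts[hit[1]] += 1
    return dict(counts)


def hosts_to_ban(lines, maxretry=5, findtime=600):
    """Simulate fail2ban's sliding window: a host is banned once it has
    `maxretry` matches within `findtime` seconds. Returns host -> ban time."""
    window = defaultdict(deque)
    banned = {}
    for line in lines:
        hit = match_line(line)
        if not hit:
            continue
        ts, host = hit
        if host in banned:
            continue
        q = window[host]
        q.append(ts)
        # Drop matches that fell out of the findtime window.
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for host, n in sorted(hits_per_host(SAMPLE_LOG).items()):
        print(f"{host:16} {n} match(es)")
    for host, ts in hosts_to_ban(SAMPLE_LOG).items():
        print(f"ban {host} at {ts:%H:%M:%S}")
```

Two caveats the simulation makes visible: 43.255.190.149 produces matches but is never banned with the default findtime, because its two hits are 16 minutes apart, so the rule alone does not stop a slow scanner without a larger findtime. And the rule is tied to this exact message layout (reason code 11, "[preauth]" at the end); newer OpenSSH releases add a "port N" field to this message, so check your own auth.log against fail2ban-regex before relying on it.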
