问题描述

我想找到403个请求并将其禁止，这是我的日志格式

I want to find the 403 requests and ban them,here is my log format

112.253.6.182 - - [08/Sep/2014:17:42:56 -0400] "GET / HTTP/1.1" 403 579 "baidu" "Mozilla/4.0" 50.117.86.72
106.37.177.251 - - [08/Sep/2014:17:42:56 -0400] "GET /index.php HTTP/1.1" 404 576 "baidu" "Mozilla/4.0" 204.44.65.173
190.254.173.14 - - [08/Sep/2014:17:42:56 -0400] "GET /index.php HTTP/1.1" 404 576 "baidu" "Mozilla/4.0" 204.44.65.173
41.222.196.37 - - [08/Sep/2014:17:42:56 -0400] "GET / HTTP/1.1" 403 579 "baidu" "Mozilla/4.0" 50.117.86.72

我的failreg是:

and my failreg is:

failregex = ^<HOST> -.*"(GET|POST).*.php.*\ 403\ .*$

ignoreregex =

ignoreregex =

但是当我使用fail2ban-regex命令对其进行测试时，它会在下面返回

but when I test it using fail2ban-regex command , it returns below

Failregex: 32 total
|-  #) [# of hits] regular expression
|   1) [32] ^<HOST> -.*"(GET|POST).*.php.*\ 403\ .*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [3266] Day/MONTH/Year:Hour:Minute:Second
`-

Lines: 3266 lines, 0 ignored, 32 matched, 3234 missed
Missed line(s): too many to print.  Use --print-all-missed to print all 3234 lines

您能帮我做一个正则表达式来匹配403请求并打印ip吗?预先感谢

could you help me to make a regex to match 403 requests and print the ip out . Thanks in advance

推荐答案

首先，您的示例日志条目是/的403s和/index.php的404s，而您的正则表达式试图匹配 php 扩展名和403代码.难怪你没有比赛.

First, your example log entrys are 403s for /, and 404s for /index.php, whereas your regex tries to match php extension and 403 code. There's no wonder you have no match.

因此，如果您感兴趣的只是与路径无关的403错误条目，这应该可以工作.

So if your interest is only a 403 error entry regardless of path, this should work.

^<HOST> .* "(GET|POST) [^"]+" 403

要调试正则表达式，可以使用此代码段.请注意， fail2ban 将<HOST>预处理为(?:::f{4,6}:)?(?P<host>\S+).

To debug your regular expression you can use this snippet. Note that <HOST> is preprocessed to (?:::f{4,6}:)?(?P<host>\S+) by fail2ban.

这篇关于fail2ban常规在nginx中找到403请求的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！