This is my input string:

myserver:/etc/fail2ban # cat one_line.txt
12.123.123.12 - - [25/Jul/2017:09:26:40 +0200] "GET /a/path/file.html HTTP/1.1" 200 1450 "http://example.com/a/path/file.html" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"

I tried to evolve a regular expression starting with ^<HOST>.*$ and ending with ^<HOST> - - \[2.*$, but something strange happened at the end.

The last iteration of the pattern no longer matched. I can force it to match by saying ^<HOST> - - \[\D.*$.

Huh? That means a non-digit character follows the left square bracket!

To show how it evolved, I am printing the steps I took.

I hope someone can explain this strange behavior to me.

Environment information:

myserver:/etc/fail2ban # fail2ban-regex --version
fail2ban-regex 0.9.4
myserver:/etc/fail2ban # python --version
Python 2.7.17

And here follows the iterative evolution of the filter expression.

Iteration 1: match - as expected

myserver:/etc/fail2ban # fail2ban-regex -l heavydebug one_line.txt '^<HOST>.*$'

Running tests
=============

D: Setting usedns = warn for Filter(None)
D: Created Filter(None)
Use   failregex line : ^<HOST>.*$
Use         log file : one_line.txt
Use         encoding : UTF-8

D: Working on line u'12.123.123.12 - - [25/Jul/2017:09:26:40 +0200] "GET /a/path/file.html HTTP/1.1" 200 1450 "http://example.com/a/path/file.html" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"'
D: Matched time template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
D: Got time 1500967600.000000 for "u'25/Jul/2017:09:26:40 +0200'" using template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
D: Looking for failregex match of [(u'12.123.123.12 - - [', u'25/Jul/2017:09:26:40 +0200', u'] "GET /a/path/file.html HTTP/1.1" 200 1450 "http://example.com/a/path/file.html" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"')]
D: Matched FailRegex('^(?:::f{4,6}:)?(?P<host>[\\w\\-.^_]*\\w).*$')
D: Sorting the template list
D: Winning template: Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)? with 1 hits

Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^<HOST>.*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.00 sec]

Iteration 2: match - as expected

myserver:/etc/fail2ban # fail2ban-regex -l heavydebug one_line.txt '^<HOST> - - .*$'

Running tests
=============

D: Setting usedns = warn for Filter(None)
D: Created Filter(None)
Use   failregex line : ^<HOST> - - .*$
Use         log file : one_line.txt
Use         encoding : UTF-8

D: Working on line u'12.123.123.12 - - [25/Jul/2017:09:26:40 +0200] "GET /a/path/file.html HTTP/1.1" 200 1450 "http://example.com/a/path/file.html" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"'
D: Matched time template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
D: Got time 1500967600.000000 for "u'25/Jul/2017:09:26:40 +0200'" using template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
D: Looking for failregex match of [(u'12.123.123.12 - - [', u'25/Jul/2017:09:26:40 +0200', u'] "GET /a/path/file.html HTTP/1.1" 200 1450 "http://example.com/a/path/file.html" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"')]
D: Matched FailRegex('^(?:::f{4,6}:)?(?P<host>[\\w\\-.^_]*\\w) - - .*$')
D: Sorting the template list
D: Winning template: Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)? with 1 hits

Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^<HOST> - - .*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.00 sec]

Iteration 3: match - as expected

myserver:/etc/fail2ban # fail2ban-regex -l heavydebug one_line.txt '^<HOST> - - \[.*$'

Running tests
=============

D: Setting usedns = warn for Filter(None)
D: Created Filter(None)
Use   failregex line : ^<HOST> - - \[.*$
Use         log file : one_line.txt
Use         encoding : UTF-8

D: Working on line u'12.123.123.12 - - [25/Jul/2017:09:26:40 +0200] "GET /a/path/file.html HTTP/1.1" 200 1450 "http://example.com/a/path/file.html" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"'
D: Matched time template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
D: Got time 1500967600.000000 for "u'25/Jul/2017:09:26:40 +0200'" using template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
D: Looking for failregex match of [(u'12.123.123.12 - - [', u'25/Jul/2017:09:26:40 +0200', u'] "GET /a/path/file.html HTTP/1.1" 200 1450 "http://example.com/a/path/file.html" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"')]
D: Matched FailRegex('^(?:::f{4,6}:)?(?P<host>[\\w\\-.^_]*\\w) - - \\[.*$')
D: Sorting the template list
D: Winning template: Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)? with 1 hits

Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^<HOST> - - \[.*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.00 sec]

Iteration 4.1: failed - why ???

myserver:/etc/fail2ban # fail2ban-regex -l heavydebug one_line.txt '^<HOST> - - \[2.*$'

Running tests
=============

D: Setting usedns = warn for Filter(None)
D: Created Filter(None)
Use   failregex line : ^<HOST> - - \[2.*$
Use         log file : one_line.txt
Use         encoding : UTF-8

D: Working on line u'12.123.123.12 - - [25/Jul/2017:09:26:40 +0200] "GET /a/path/file.html HTTP/1.1" 200 1450 "http://example.com/a/path/file.html" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"'
D: Matched time template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
D: Got time 1500967600.000000 for "u'25/Jul/2017:09:26:40 +0200'" using template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
D: Looking for failregex match of [(u'12.123.123.12 - - [', u'25/Jul/2017:09:26:40 +0200', u'] "GET /a/path/file.html HTTP/1.1" 200 1450 "http://example.com/a/path/file.html" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"')]
D: Sorting the template list
D: Winning template: Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)? with 1 hits

Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.00 sec]

|- Missed line(s):
|  12.123.123.12 - - [25/Jul/2017:09:26:40 +0200] "GET /a/path/file.html HTTP/1.1" 200 1450 "http://example.com/a/path/file.html" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
`-

Iteration 4.2: failed - why ???

myserver:/etc/fail2ban # fail2ban-regex -l heavydebug one_line.txt '^<HOST> - - \[\d.*$'

Running tests
=============

D: Setting usedns = warn for Filter(None)
D: Created Filter(None)
Use   failregex line : ^<HOST> - - \[\d.*$
Use         log file : one_line.txt
Use         encoding : UTF-8

D: Working on line u'12.123.123.12 - - [25/Jul/2017:09:26:40 +0200] "GET /a/path/file.html HTTP/1.1" 200 1450 "http://example.com/a/path/file.html" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"'
D: Matched time template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
D: Got time 1500967600.000000 for "u'25/Jul/2017:09:26:40 +0200'" using template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
D: Looking for failregex match of [(u'12.123.123.12 - - [', u'25/Jul/2017:09:26:40 +0200', u'] "GET /a/path/file.html HTTP/1.1" 200 1450 "http://example.com/a/path/file.html" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"')]
D: Sorting the template list
D: Winning template: Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)? with 1 hits

Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.00 sec]

|- Missed line(s):
|  12.123.123.12 - - [25/Jul/2017:09:26:40 +0200] "GET /a/path/file.html HTTP/1.1" 200 1450 "http://example.com/a/path/file.html" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
`-

Iteration 4.3: match - why ???

myserver:/etc/fail2ban # fail2ban-regex -l heavydebug one_line.txt '^<HOST> - - \[\D.*$'

Running tests
=============

D: Setting usedns = warn for Filter(None)
D: Created Filter(None)
Use   failregex line : ^<HOST> - - \[\D.*$
Use         log file : one_line.txt
Use         encoding : UTF-8

D: Working on line u'12.123.123.12 - - [25/Jul/2017:09:26:40 +0200] "GET /a/path/file.html HTTP/1.1" 200 1450 "http://example.com/a/path/file.html" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"'
D: Matched time template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
D: Got time 1500967600.000000 for "u'25/Jul/2017:09:26:40 +0200'" using template Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
D: Looking for failregex match of [(u'12.123.123.12 - - [', u'25/Jul/2017:09:26:40 +0200', u'] "GET /a/path/file.html HTTP/1.1" 200 1450 "http://example.com/a/path/file.html" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"')]
D: Matched FailRegex('^(?:::f{4,6}:)?(?P<host>[\\w\\-.^_]*\\w) - - \\[\\D.*$')
D: Sorting the template list
D: Winning template: Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)? with 1 hits

Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^<HOST> - - \[\D.*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.00 sec]

Thx in advance.

1 Answer

According to https://fail2ban.readthedocs.io/en/latest/filters.html#regular-expressions:

[...]
Regular expressions (failregex, ignoreregex) assume that the date/time has been removed from the log line (this is just how fail2ban works internally ATM).

If the format is like ‘<date...> error 1.2.3.4 is evil’ then you need to match the < at the start so regex should be similar to ‘^<> <HOST> is evil$’ using <HOST> where the IP/domain name appears in the log line.
[...]

That's it!

answered 2020-10-12T19:31:22.487
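
The date removal the answer describes, reproduced as an added example (not fail2ban's own code and not part of the original post). The <HOST> expansion is copied from the heavydebug output above; DATE, strip_date, matches and report are hypothetical names, DATE is a simplified stand-in for fail2ban's date template, and the sample line is the question's log line with referrer and user agent shortened.

```python
import re

# Constructed sample: the question's log line, referrer and user agent shortened.
LINE = ('12.123.123.12 - - [25/Jul/2017:09:26:40 +0200] '
        '"GET /a/path/file.html HTTP/1.1" 200 1450 "-" "Mozilla/5.0"')

# <HOST> expansion as shown in the heavydebug output (fail2ban 0.9.4).
HOST = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)'

# Assumption: simplified stand-in for the Day/MON/Year date template.
DATE = re.compile(r'\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}')


def strip_date(line):
    """Cut the first timestamp out of the line, mirroring the debug tuple."""
    m = DATE.search(line)
    return line if m is None else line[:m.start()] + line[m.end():]


def matches(failregex, line, date_removed=True):
    """Return the captured host, or None when the failregex does not match."""
    text = strip_date(line) if date_removed else line
    m = re.search(failregex.replace('<HOST>', HOST), text)
    return m.group('host') if m else None


PATTERNS = [
    r'^<HOST>.*$',
    r'^<HOST> - - \[.*$',
    r'^<HOST> - - \[2.*$',         # iteration 4.1
    r'^<HOST> - - \[\d.*$',        # iteration 4.2
    r'^<HOST> - - \[\D.*$',        # iteration 4.3
    r'^<HOST> - - \[\] "GET .*$',  # written against the date-stripped line
]


def report(line=LINE):
    """Map each pattern to (matches raw line, matches date-stripped line)."""
    return {p: (matches(p, line, False) is not None,
                matches(p, line, True) is not None) for p in PATTERNS}


if __name__ == '__main__':
    print(repr(strip_date(LINE)))
    for pattern, (raw, stripped) in report().items():
        print('%-28s raw=%-5s date-removed=%s' % (pattern, raw, stripped))
```

On the date-stripped text the opening bracket is immediately followed by ], which is why \[2 and \[\d miss while \[\D matches; a filter that needs to anchor on the timestamp position has to match the empty brackets instead.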