查看“自动屏蔽多次登录失败的IP”的源代码

=介绍=
当你允许外部网络访问Domoticz时，建议使用'fail2ban'来确保系统的安全。<br>
[http://www.fail2ban.org/wiki/index.php/Main_Page Fail2ban]是一个在指定的日志文件中查找失败的登录尝试的应用程序。Domoticz从3507beta版开始将登录失败尝试及来源IP地址记录在日志文件中，通过fail2ban监测日志文件来并处理(比如屏蔽来源IP)。<br><br>

英文论坛用户'manuloup'创建了一个不错的教程[http://domoticz.com/forum/viewtopic.php?f=6&t=8645&p=61108#p60259]。下面是教程中的步骤

=设置fail2ban=
按照以下步骤设置fail2ban.
==安装fail2ban==
第一步当然是安装fail2ban:<br>
<code>sudo apt-get install fail2ban</code>
==将Domoticz日志文件加入到fail2ban==
首先，需要告诉fail2ban应该监测的日志文件在哪里。<br>

<syntaxhighlight lang="bash">cd /etc/fail2ban
sudo cp jail.conf jail.local
sudo nano jail.local</syntaxhighlight>编辑窗口打开后，在文件末尾加入以下信息:<br>
<nowiki>[domoticz]

enabled  = true
port     = 8080
filter   = domoticz
logpath  = /var/log/domoticz.log
maxretry = 3
findtime = 3600</nowiki>
将端口port及日志路径logpath改为你自己的设置，maxretry是最大尝试次数，登录失败超过3次后屏蔽。<br>

如果/var/log/目录中没有'domoticz.log'文件，你需要先启用Domoticz的日志选项，修改domoticz.sh文件:
<syntaxhighlight lang="bash">sudo nano /etc/init.d/domoticz.sh</syntaxhighlight>
去掉<code>#DAEMON_ARGS="$DAEMON_ARGS -log /tmp/domoticz.txt"</code>开头的井号#，
改完后应该是这样的: <br>
<code>DAEMON_ARGS="$DAEMON_ARGS -log /tmp/domoticz.txt"</code><br>
保存后重启Domoticz: 
<syntaxhighlight lang="bash">sudo /etc/init.d/domoticz.sh restart</syntaxhighlight>

但要注意的是，日志文件很快就会变大。建议使用类似[http://linuxcommand.org/man_pages/logrotate8.html logrotate]的工具。在树莓派上(使用SD卡)不建议开启日志，会减少SD卡寿命。如何向内存中写入日志，请查看[http://domoticz.com/forum/viewtopic.php?f=4&t=8863 英文论坛]。<br><br>

想要查看日志中我们需要的信息，执行<syntaxhighlight lang="bash">cat /var/log/domoticz.log | grep 'Incoming'</syntaxhighlight>。<br>
会返回如下结果:
 <nowiki>2015-11-10 17:51:55.765  Incoming connection from: 127.0.0.1
2015-11-10 17:52:02.220  Incoming connection from: 192.168.4.1
2015-11-10 17:52:03.932  Incoming connection from: 192.168.4.29
2015-11-10 17:56:49.103  Incoming connection from: 192.168.4.29
</nowiki>

==向fail2ban中加入Domoticz搜索规则==
想要fail2ban找到需要屏蔽的IP，我们需要为fail2ban定义一些搜索规则(正则表达式)。<br>
新建一个配置文件: <syntaxhighlight lang="bash">sudo nano /etc/fail2ban/filter.d/domoticz.conf</syntaxhighlight>，内容如下:<br>
 <nowiki>
# Fail2Ban configuration file for domoticz
#
# Author: Domoticz user 'ThinkPad'
#
# $Revision$
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = Error: Failed login attempt from <HOST> for user '.*' !   							
            Error: Failed login attempt from <HOST> for '.*' !
            Error: Webserver: Failed authentication attempt, ignoring client request \(remote addresses: <HOST>\)

#First line is for 'Login Page' authentication mode of Domoticz
#Second line is for 'Basic-Auth' authentication mode in Domoticz
#
#
#
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
</nowiki>
保存并退出编辑。

==(可选)将不想屏蔽的IP加入IP白名单==
如果不想屏蔽局域网中的IP，将IP加入fail2ban的白名单。<br><br>

编辑jail.local文件:<syntaxhighlight lang="bash">sudo nano /etc/fail2ban/jail.local</syntaxhighlight>
找到'ignoreip'，改成这样的格式: <br>
<code>ignoreip = 127.0.0.1/8 192.168.1.0/24</code>
将192.168.1.0改为你本地的IP范围。如果你还有其它要加入的网络，直接在后面追加(IP之间通过空格分隔)。<br>
详细信息请查看 http://www.fail2ban.org/wiki/index.php/Whitelist

==重启fail2ban==
要使设置生效，需要重启fail2ban
<syntaxhighlight lang="bash">sudo /etc/init.d/fail2ban restart</syntaxhighlight>
=测试fail2ban=
==测试匹配规则==
要进行快速测试，您可以创建一个提供给fail2ban测试的正则表达式文件。执行: <syntaxhighlight lang="bash" inline>sudo nano wronglogin.txt</syntaxhighlight><br>
加入以下内容:<br>
 <nowiki>2015-11-03 18:35:51.908  Error: Failed login attempt from 37.130.158.115 for user 'testing123' !
2015-11-10 18:35:08.105  Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: 37.130.158.115)</nowiki><br>
 
然后执行:
<syntaxhighlight lang="bash">fail2ban-regex wronglogin.txt /etc/fail2ban/filter.d/domoticz.conf</syntaxhighlight>
这时还不会屏蔽任何IP，只是看看fail2ban能不能通过正则表达式匹配到我们提供的文件(wronglogin.txt)中的信息。<br><br>
如果正则表达式没问题，应该返回如下结果:<br>
 <nowiki>
Results
=======

Failregex: 2 total
|-  #) [# of hits] regular expression
|   1) [1] Error: Failed login attempt from <HOST> for user '.*' !
|   2) [1] Error: Webserver: Failed authentication attempt, ignoring client request \(remote addresses: <HOST>\)
`-
</nowiki>
你可以看到结果中，一行匹配第一条正则表达式(Domoticz 'Login Page'验证方式)，一行匹配第二条正则表达式(Domoticz 'Basic-Auth'验证方式).<br>
匹配结果中的数量应该等于你在测试日志中写入的'failed login attempts'的行数.

==测试实时设置==
用手机测试，三次登录失败后，手机的IP被屏蔽了。<br>
可以运行<syntaxhighlight lang="bash" inline>sudo iptables -L</syntaxhighlight>来查看防火墙状态，文件末尾中的'DROP'部分，列出了被屏蔽的IP。
 <nowiki>
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-domoticz  tcp  --  anywhere             anywhere             multiport dports 8080
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-domoticz (1 references)
target     prot opt source               destination
DROP       all  --  37.140.158.148       anywhere
RETURN     all  --  anywhere             anywhere
</nowiki>
其中的37.140.158.148就是被屏蔽的手机的IP(手机的IP可以通过访问 http://ip138.com/ 来获取).

=从屏蔽列表中移除IP=
执行以下命令:<br>
<syntaxhighlight lang="bash">sudo fail2ban-client set domoticz unbanip 你的IP</syntaxhighlight>
这里使用规则名'domoticz'，要找到对应的规则名，执行: <syntaxhighlight lang="bash" inline>sudo fail2ban-client status</syntaxhighlight>

取消屏蔽后，查看防火墙状态 <syntaxhighlight lang="bash">sudo iptables -L</syntaxhighlight>
文件末尾中的'DROP'部分已经没有了:<br>
 <nowiki>
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-domoticz  tcp  --  anywhere             anywhere        multiport dports 8080
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-domoticz (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere</nowiki>



[[Category:Domoticz]]
[[Category:手册]]
[[Category:设置]]
[[Category:安全]]
[[Category:Linux]]
[[Category:树莓派]]
[[Category:OSX]]