List: fail2ban-users
Subject: Re: [Fail2ban-users] Any way to increase ban probability for previously banned IPs?
From: Philip Warner <pjw () rhyme ! com ! au>
Date: 2017-06-02 6:50:11
Message-ID: e1868217-d323-b232-8366-e8da1c369b5e () rhyme ! com ! au
Thanks all. For those who care, this is a sample of what I ended up with.
I'd be very interested to know if I can define filter attributes in the jail
definition, i.e. define '_parent_jailname' in the jail; then I would only need
one filter definition in total.
----- Filter: recidive-postfix-sasl.conf ------
[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = fail2ban\.actions\s*

# The name of the jail that this filter is used for. In jail.conf, name the
# jail using this filter 'recidive', or change this line!
_jailname_prefix = recidive
_parent_jailname = postfix-sasl

failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(%(_parent_jailname)s)(?:.*)\]\s+Ban\s+<HOST>\s*$
ignoreregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[%(_jailname_prefix)s(?:.*)\]\s+Ban\s+<HOST>\s*$


[Init]

journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5

-------- Jail: recidive-postfix-sasl --------------
[recidive-postfix-sasl]
enabled = true
logpath = /var/log/fail2ban.log
port = smtp,465,submission,imap3,imaps,pop3,pop3s
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 4

On 2/06/2017 3:23 PM, Mark Costlow wrote:
> I was thinking about how to deal with the issue you raised in your first
> message, then saw this one. Yup, I think that would work fine. :-)
>
> Mark
>
> On Fri, Jun 02, 2017 at 02:27:26PM +1000, Philip Warner wrote:
>> Or did I miss the point, and should I clone and create multiple recidive-like
>> jails, one for each service I monitor?
>>
>>
>> On 2/06/2017 2:13 PM, Philip Warner wrote:
>>> The only problem I have with recidive is that it blocks all ports from a given
>>> IP; I would much prefer to block only the attacked ports. This is especially
>>> important when the attacks are coming from behind a large ISP's NAT firewall.
>>
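As an added example that is not part of this thread or of fail2ban itself, here is a small Python check that expands the posted filter's %(...)s variables and its <HOST> tag the way fail2ban does, runs the resulting failregex and ignoreregex over a constructed slice of /var/log/fail2ban.log, and applies the jail's findtime/maxretry counting. The __prefix_line and __pid_re values are simplified stand-ins for what common.conf provides, the log lines are constructed (documentation-range addresses), and the counting loop is a simplified model of fail2ban's failure manager, not its code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed stand-ins for the two names the filter pulls in from common.conf.
# fail2ban's real common.conf is far more general; these are simplifications
# that only need to cover fail2ban's own log format (an assumption here).
COMMON = {
    "__prefix_line": r"\s*(?:\S+ )?fail2ban\.actions\s*(?:\[\d+\])?:\s+",
    "__pid_re": r"(?:\[\d+\])",
}

# The [Definition] variables exactly as in the posted recidive-postfix-sasl.conf.
DEFINITION = {
    "_daemon": r"fail2ban\.actions\s*",
    "_jailname_prefix": "recidive",
    "_parent_jailname": "postfix-sasl",
}

FAILREGEX = (r"^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)"
             r"NOTICE\s+\[(%(_parent_jailname)s)(?:.*)\]\s+Ban\s+<HOST>\s*$")
IGNOREREGEX = (r"^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)"
               r"NOTICE\s+\[%(_jailname_prefix)s(?:.*)\]\s+Ban\s+<HOST>\s*$")

# fail2ban's 0.9-series expansion of the <HOST> tag (a named group).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def expand(template, variables):
    """Resolve %(name)s references like ConfigParser interpolation, then <HOST>."""
    return (template % variables).replace("<HOST>", HOST_RE)


VARIABLES = dict(COMMON, **DEFINITION)
FAIL = re.compile(expand(FAILREGEX, VARIABLES))
IGNORE = re.compile(expand(IGNOREREGEX, VARIABLES))

# Timestamp as written by fail2ban's default log format.
DATE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})")


def split_date(line):
    """Return (epoch seconds, remainder). The remainder keeps its leading space,
    which is why the filter's second alternative begins with ' %(_daemon)s'."""
    m = DATE_RE.match(line)
    if not m:
        return None, line
    stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
    return stamp.replace(tzinfo=timezone.utc).timestamp(), line[m.end():]


def classify(line):
    """Same order as fail2ban: failregex first, ignoreregex only on a hit.
    Returns ('ban', host), ('ignored', host) or None."""
    _, rest = split_date(line.rstrip("\n"))
    m = FAIL.search(rest)
    if m is None:
        return None
    if IGNORE.search(rest):
        return ("ignored", m.group("host"))
    return ("ban", m.group("host"))


def ignore_matches(line):
    """Does ignoreregex alone match? Shown separately because fail2ban never
    consults it unless failregex matched the line first."""
    _, rest = split_date(line.rstrip("\n"))
    return IGNORE.search(rest) is not None


def recidive_bans(lines, findtime=86400, maxretry=4):
    """Simplified model of the jail's counting: a host is banned once it has
    maxretry matches within findtime seconds; its counter then resets."""
    seen = defaultdict(deque)
    banned = []
    for line in lines:
        hit = classify(line)
        if hit is None or hit[0] != "ban":
            continue
        ts, _ = split_date(line)
        times = seen[hit[1]]
        times.append(ts)
        while times and ts - times[0] > findtime:
            times.popleft()
        if len(times) >= maxretry:
            banned.append(hit[1])
            times.clear()
    return banned


# Constructed sample of /var/log/fail2ban.log (not real log data).
SAMPLE_LOG = """\
2017-06-01 09:00:00,001 fail2ban.actions        [1234]: NOTICE  [postfix-sasl] Ban 203.0.113.7
2017-06-01 09:10:00,002 fail2ban.actions        [1234]: NOTICE  [postfix-sasl] Unban 203.0.113.7
2017-06-01 11:00:00,003 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 198.51.100.9
2017-06-01 13:00:00,004 fail2ban.actions        [1234]: NOTICE  [postfix-sasl] Ban 203.0.113.7
2017-06-01 17:00:00,005 fail2ban.actions        [1234]: NOTICE  [postfix-sasl-extra] Ban 192.0.2.5
2017-06-01 21:00:00,006 fail2ban.actions        [1234]: NOTICE  [postfix-sasl] Ban 203.0.113.7
2017-06-02 06:00:00,007 fail2ban.actions        [1234]: NOTICE  [postfix-sasl] Ban 203.0.113.7
2017-06-02 06:00:01,008 fail2ban.actions        [1234]: NOTICE  [recidive-postfix-sasl] Ban 203.0.113.7
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line), line.split("NOTICE", 1)[1].strip())
    print("recidive would ban:", recidive_bans(SAMPLE_LINES))
```

Two things the run makes visible. The failregex only matches ban lines whose jail name starts with the parent name, so the jail's own "[recidive-postfix-sasl] Ban" lines never feed it back into itself; the ignoreregex is a second guard that, with this failregex, can never be the deciding factor. And the "(?:.*)" after the parent name means a jail called postfix-sasl-extra also counts towards the recidive total, which is fine if intended, and worth tightening to "\]" otherwise. On the open question in the post: fail2ban 0.10 and later accept overrides in the jail's filter line with bracket syntax (the stock jail.conf shows "filter = sshd[mode=aggressive]"), which is the mechanism that would let _parent_jailname be set per jail with a single filter file.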