List:       fail2ban-users
Subject:    Re: [Fail2ban-users] Any way to increase ban probability for previously banned IPs?
From:       Philip Warner <pjw () rhyme ! com ! au>
Date:       2017-06-02 6:50:11
Message-ID: e1868217-d323-b232-8366-e8da1c369b5e () rhyme ! com ! au

Thanks all. For those who care, this is a sample of what I ended up with.

I'd be very interested to know if I can define filter attributes in the jail
definition, i.e. define '_parent_jailname' in the jail; then I would only need
one filter definition in total.

----- Filter: recidive-postfix-sasl.conf ------

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = fail2ban\.actions\s*

# Prefix shared by every jail that uses this filter. In jail.conf, name the
# jail using this filter 'recidive-...', or change this line! Bans logged by
# such jails are excluded via ignoreregex so they are not counted again.
_jailname_prefix = recidive
# The jail whose "Ban" lines this filter counts.
_parent_jailname = postfix-sasl

failregex   = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(%(_parent_jailname)s)(?:.*)\]\s+Ban\s+<HOST>\s*$
ignoreregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[%(_jailname_prefix)s(?:.*)\]\s+Ban\s+<HOST>\s*$


[Init]

journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5

-------- Jail: recidive-postfix-sasl --------------

[recidive-postfix-sasl]
; filter is not set, so it defaults to the jail name: recidive-postfix-sasl.conf
enabled  = true
logpath  = /var/log/fail2ban.log
port     = smtp,465,submission,imap3,imaps,pop3,pop3s
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 4


On 2/06/2017 3:23 PM, Mark Costlow wrote:
> I was thinking about how to deal with the issue you raised in your first
> message, then saw this one.  Yup, I think that would work fine.  :-)
>
> Mark
>
> On Fri, Jun 02, 2017 at 02:27:26PM +1000, Philip Warner wrote:
>> Or did I miss the point, and should I clone and create multiple recidive-like
>> jails, one for each service I monitor?
>>
>>
>> On 2/06/2017 2:13 PM, Philip Warner wrote:
>>> The only problem I have with recidive is that it blocks all ports from a given
>>> IP; I would much prefer to block only the attacked ports. This is especially
>>> important when the attacks are coming from behind a large ISP's NAT firewall.
>>
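As an added example (not part of the original mail or of fail2ban itself), the script below expands the posted failregex and ignoreregex the way fail2ban's config interpolation does and runs them over constructed fail2ban.log lines, showing that only the parent jail's own "Ban" lines count and that the recidive jail's bans are suppressed. __prefix_line, the <HOST> pattern and the date stripping are simplified stand-ins (assumptions) for what common.conf and fail2ban's datepattern provide.

```python
import re

# Constructed stand-ins (assumption) for what common.conf provides: __prefix_line
# is reduced to an optional "host daemon[pid]: " prefix and <HOST> to IPv4 only.
COMMON = {
    "__prefix_line": r"(?:\S+\s+\S+\s+)?",
    "__pid_re": r"(?:\[\d+\])",
    "_daemon": r"fail2ban\.actions\s*",
    "_jailname_prefix": "recidive",
    "_parent_jailname": "postfix-sasl",
}
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# The two rules exactly as posted in the filter above.
FAILREGEX = (r"^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+"
             r"\[(%(_parent_jailname)s)(?:.*)\]\s+Ban\s+<HOST>\s*$")
IGNOREREGEX = (r"^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+"
               r"\[%(_jailname_prefix)s(?:.*)\]\s+Ban\s+<HOST>\s*$")

def compile_rule(template):
    """Expand %(name)s like fail2ban's config interpolation, then swap in <HOST>."""
    return re.compile((template % COMMON).replace("<HOST>", HOST))

FAIL_RE = compile_rule(FAILREGEX)
IGNORE_RE = compile_rule(IGNOREREGEX)

def strip_date(line):
    """fail2ban cuts the datepattern match out before matching; mimic that here."""
    return re.sub(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}", "", line)

def banned_host(line):
    """Host this jail counts for one line, or None (no match or ignoreregex hit)."""
    line = strip_date(line)
    if IGNORE_RE.search(line):
        return None
    m = FAIL_RE.search(line)
    return m.group("host") if m else None

def hosts_counted(lines):
    """Hosts that contribute towards maxretry across a batch of lines."""
    return [h for h in map(banned_host, lines) if h]

# Constructed sample fail2ban.log lines: a postfix-sasl ban (counted), a ban by
# another jail, this recidive jail's own ban (ignored) and an unban (no match).
SAMPLE_LOG = [
    "2017-06-02 06:40:01,001 fail2ban.actions        [1234]: NOTICE  [postfix-sasl] Ban 192.0.2.10",
    "2017-06-02 06:41:02,002 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 192.0.2.11",
    "2017-06-02 06:42:03,003 fail2ban.actions        [1234]: NOTICE  [recidive-postfix-sasl] Ban 192.0.2.10",
    "2017-06-02 06:43:04,004 fail2ban.actions        [1234]: NOTICE  [postfix-sasl] Unban 192.0.2.10",
]
```

For the authoritative check with the real common.conf definitions, run fail2ban-regex /var/log/fail2ban.log recidive-postfix-sasl.conf instead.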



_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
