Re: [Fail2ban-users] multiple regex

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On 20/06/13 20:30, Fabian Wenk wrote:
> Hello Daniel
> 
> On 18.06.2013 00:55, Daniel Black wrote:
>> On 17/06/13 19:14, Fabian Wenk wrote:
>> Thanks for this. I was thinking the same way when it was mentioned in
>> #252 so I created https://github.com/fail2ban/fail2ban/issues/257
> 
> I just looked at #252, I did not realize that there is also 
> TEST-NET-2 (198.51.100.0/24) and TEST-NET-3 (203.0.113.0/24) for 
> the same purpose. They were not present in the old RFC-3330.
> 
> With classless routing also 192.0.2.0/24 could be split into 
> several subnets, e.g. in 4 parts with each 64 addresses:
> 192.0.2.0/26 (192.0.2.0 - 192.0.2.63), 192.0.2.64/26, 
> 192.0.2.128/26 and 192.0.2.192/26
> 
> But yes, maybe it is easier to spot things when also the first 
> part of the IP address is different.

or the last.

> So also using the two other 
> TEST-NET is useful in case of f2b.
> 
>> Need to define a sets of:
>> * injection IPs that shouldn't be detected
> 
> Which are be listed in ignoreip?

injection IPs are IPs in a form in a log file that have been injected by
a user and shouldn't be detected. i.e. no such user=1.2.3.4

> 
>> * fail IPs
>> * ban IPs
> 
> What is the difference here? I guess 'ban IPs' does just depend 
> on how many counts (think maxretry) of 'fail IPs' have happen 
> during findtime.

yep. Looking at some way to autoparse a log and have a set of fail
tickets and ban tickets and no injection ips.

> 
> So I guess we only need 2 different subnets, or do I miss something?

not sure. haven't looked totally. see above.

> 
> The only other thing I can think of, that the local system IP 
> address is different from the range listed in ignoreip. In some 
> log files also the local IP address is present.

good. keep thinking.

>> with the aim that once this convention is made we can run automated
>> tests over all the filters.
>>
>> If you've got time to make a pull request on this I'd be really grateful.
> 
> Do I understand this right, there are 2 things to do? First 
> define the purpose of the different IP address ranges and 
> document it. And second to modify the files in the testcases sub 
> folder accordingly?

yes.
> 
> I think this is something I should be able to do, I will put it 
> on to my ToDo list. So finally it is time that I should start 
> learning to use git a little more then just searching / 
> downloading stuff from github. :-)

great.