From: Philip W. <pj...@rh...> - 2017-06-02 06:50:23
Thanks all. For those who care, this is a sample of what I ended up with. I'd be very interested to know if I can define filter attributes in the jail definition, i.e. define '_parent_jailname' in the jail; then I would only need one filter definition in total.

----- Filter: recidive-postfix-sasl.conf ------

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = fail2ban\.actions\s*

# The name of the jail that this filter is used for. In jail.conf, name the
# jail using this filter 'recidive', or change this line!
_jailname_prefix = recidive
_parent_jailname = postfix-sasl

failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(%(_parent_jailname)s)(?:.*)\]\s+Ban\s+<HOST>\s*$
ignoreregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[%(_jailname_prefix)s(?:.*)\]\s+Ban\s+<HOST>\s*$

[Init]

journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5

-------- Jail: recidive-postfix-sasl --------------

[recidive-postfix-sasl]
enabled = true
logpath = /var/log/fail2ban.log
port = smtp,465,submission,imap3,imaps,pop3,pop3s
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 4

On 2/06/2017 3:23 PM, Mark Costlow wrote:
> I was thinking about how to deal with the issue you raised in your first
> message, then saw this one. Yup, I think that would work fine. :-)
>
> Mark
>
> On Fri, Jun 02, 2017 at 02:27:26PM +1000, Philip Warner wrote:
>> Or did I miss the point, and should I clone and create multiple recidive-like
>> jails, one for each service I monitor?
>>
>>
>> On 2/06/2017 2:13 PM, Philip Warner wrote:
>>> The only problem I have with recidive is that it blocks all ports from a given
>>> IP; I would much prefer to block only the attacked ports. This is especially
>>> important when the attacks are coming from behind a large ISP's NAT firewall.
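An added example, not from the post or from fail2ban itself: it replays the filter's failregex/ignoreregex in plain Python over a constructed fail2ban.log sample, to check that only bans issued by the postfix-sasl jail are counted and that the recidive jail's own bans are ignored rather than fed back. The __prefix_line and __pid_re values are simplified assumptions standing in for what fail2ban's common.conf supplies, and the <HOST> expansion is likewise simplified.

```python
import re

# Stand-ins for two values that fail2ban's common.conf normally supplies.
# These are simplified ASSUMPTIONS for this example, not fail2ban's real ones.
DEFS = {
    "__prefix_line": r"\s*\S+\s+fail2ban\.actions(?:\[\d+\])?:\s*",  # syslog-style prefix
    "__pid_re": r"(?:\[\d+\])",                                     # "[1234]"
    "_daemon": r"fail2ban\.actions\s*",
    "_jailname_prefix": "recidive",
    "_parent_jailname": "postfix-sasl",
}
# The post's own failregex/ignoreregex; fail2ban expands %(name)s the same way.
FAILREGEX = (r"^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+"
             r"\[(%(_parent_jailname)s)(?:.*)\]\s+Ban\s+<HOST>\s*$") % DEFS
IGNOREREGEX = (r"^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+"
               r"\[%(_jailname_prefix)s(?:.*)\]\s+Ban\s+<HOST>\s*$") % DEFS
HOST = r"(?P<host>\S+)"  # simplified stand-in for fail2ban's <HOST> expansion
FAIL = re.compile(FAILREGEX.replace("<HOST>", HOST))
IGNORE = re.compile(IGNOREREGEX.replace("<HOST>", HOST))
# fail2ban strips the timestamp before matching; the remainder starts with the
# space that the second alternative (" fail2ban.actions...") expects.
TIMESTAMP = re.compile(r"^(?:\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}"   # fail2ban.log
                       r"|[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d)")       # syslog

def banned_host(line):
    """Host the recidive-postfix-sasl jail would count for this line, or None."""
    rest = TIMESTAMP.sub("", line, count=1)
    if IGNORE.search(rest):   # ignoreregex wins: the jail's own bans never feed back
        return None
    m = FAIL.search(rest)
    return m.group("host") if m else None

def hosts_from_log(text):
    """Hosts that would accumulate toward maxretry, in log order."""
    return [h for h in map(banned_host, text.splitlines()) if h]

# Constructed sample log (not real data): fail2ban.log style plus one syslog-style line.
SAMPLE_LOG = """\
2017-06-02 14:27:26,101 fail2ban.actions        [1234]: NOTICE  [postfix-sasl] Ban 192.0.2.10
2017-06-02 14:28:01,202 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 192.0.2.11
2017-06-02 14:29:15,303 fail2ban.actions        [1234]: NOTICE  [recidive-postfix-sasl] Ban 192.0.2.10
2017-06-02 14:30:00,404 fail2ban.actions        [1234]: NOTICE  [postfix-sasl] Unban 192.0.2.10
Jun  2 14:31:00 mailhost fail2ban.actions[1234]: NOTICE  [postfix-sasl] Ban 198.51.100.7
"""

if __name__ == "__main__":
    print(hosts_from_log(SAMPLE_LOG))  # ['192.0.2.10', '198.51.100.7']
```

Note that the (?:.*) after the jail name in the post's failregex makes it a prefix match, so a jail named, say, postfix-sasl-extra would also be counted; drop it if the jail name should match exactly.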