From: Richard S. <hob...@gm...> - 2020-09-02 01:04:28
On Tue, Sep 1, 2020 at 7:45 PM Phillip Carroll <dom...@en...> wrote:

> I have been using csf/lfd as my firewall for several years on several
> versions of CentOS, currently CentOS7. I am using several ipset-managed
> blocklists supported directly by csf. Some of these are fairly huge
> (such as whole country blocks), and it changes them in fractions of a
> second. Very happy with everything it does.
>
> However, csf syntax for custom regex applied to logs is relatively
> clumsy and error-prone so I have installed fail2ban in hopes of using
> that for custom log-based bans.
>
> For my initial testing I have set up one jail and a corresponding
> filter. (I found that all very simple.)
>
> My intent:
> On filter matches, immediately ban the host IP for one full day. Use
> ipset to implement the bans.
>
> The test case basically watches my exim reject.log (using inotify) and
> unerringly finds the naughty hosts I want to ban.
>
> My setup:
> jail.local has:
>
> > [exim-reject]
> > mode = normal
> > port = smtp,ssmtp
> > logpath = /var/log/exim/reject.log
> > filter = exim-reject
> > maxmatches = 1
> > maxretry = 1
> > backend = auto
> > bantime = 1d
> > banaction = iptables-ipset-proto6
> > enabled = true
>
> And exim-reject.conf contains:
>
> > [INCLUDES]
> > before = exim-common.conf
> > [Definition]
> > failregex = <HOST> is listed at zen.spamhaus.org
> >             \[<HOST>\]:25 dropped: too many syntax or protocol errors
>
> The contents of fail2ban.log indicate everything is working. It says it
> found the lines I expected it to find, and has issued bans (and unbans a
> day later).
>
> However, when I list the ipset sets on the console, the only sets listed
> are those managed by csf. Clearly I have implemented something
> incorrectly. I am hoping somebody on the list can set me straight. Is it
> possibly a permissions problem?

That's quite a bit more complex installation than I use so can't help you there, but fail2ban version and source (EPEL, self install, etc) would be helpful.

Thanks,
Richard