From: Nick H. <ni...@ho...> - 2024-06-16 07:23:41
On 01/06/2024 09:29, Nick Howitt wrote:
>
> On 01/06/2024 00:59, Alex wrote:
>>
>> Hi,
>>
>> > Ideally, I'd like to not have to modify that regexp and be able to
>> > add my own, much like what appears to be happening
>> with mdre-errors.
>>
>> You don't have to. Append your own rules in a new line and test your
>> changed rule file with
>>
>> fail2ban-regex /log/file postfix
>>
>> and it should reply with text output like
>>
>>
>> Yes, I understand that - I suppose it's the actual details of doing
>> that which I don't understand.
>>
>> What's the difference between the pr and re rules? For example:
>>
>> mdpr-errors = too many errors after \S+
>> mdre-errors = ^from [^[]*\[<HOST>\]%(_port)s$
>>
>> I'm assuming the re version is the regexp necessary just to capture
>> the IP?
>>
>> So to add a new rule, I would simply copy this format with a new
>> name, like:
>>
>> mdpr-proto = Protocol error;
>> mdre-proto = ^from [^[]*\[<HOST>\]%(_port)s$
>>
>> (One thing i never fixed was this: After editing my filter file,
>> previously working regexes started failing, e. g. they didn't match
>> any more - despite being unmodified.)
>>
>>
>> Did you change the mode to no longer include those other regexes?
>> mode = errors
>>
>> Or specific in the jail.conf?
>>
>> [postfix]
>> filter = postfix[mode=aggressive]
>> maxretry = 1
>> bantime = 48h
>> enabled = true
>>
>> Thanks,
>> Alex
>>
> I find the postfix filters really hard to follow, but as far as I can
> see, if you go down your route, you then need to activate your
> protocol filters by building them into something like
> mdpr-extra/mdre-extra or have another jail just calling "mode=proto".
>
> Now, mdre-proto is already part of mdre-normal which seems to be
> called by every filter so could be unnecessary. You could add a new
> line to mdpr-normal if you wanted and your filter would work with
> "mode = more", or you could adjust the mdpr-normal directly. Note that
> to do an override, you generally leave the filter.d/postfix.conf alone
> and create a filter.d/postfix.local. In it you could put:
>
> [Definition]
> mdpr-normal = (?:\w+: reject:|(?:improper command pipelining|too many
> errors) after \S+)
> Protocol error;
>
> Nick

What are the log lines you are trying to match?
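
An added example, not part of the original thread and not fail2ban's own code: a small Python model of how an mdpr/mdre pair has to cover a log line between them, which is why the exact log lines matter. It assumes the filter matches the log prefix plus the mdpr pattern first and then applies the mdre pattern to the remainder of the line; the `<HOST>` and `_port` expansions, the syslog prefix and all log lines are simplified or constructed.

```python
import re

# Simplified stand-ins (assumptions): fail2ban expands <HOST> to a far broader
# pattern, and %(_port)s is modelled here as an optional ":<digits>" suffix.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PORT = r"(?::\d+)?"
# Constructed syslog prefix for postfix/smtpd lines (assumption).
PREFIX = r"^\w{3} +\d+ [\d:]{8} \S+ postfix/smtpd\[\d+\]: "

# (mdpr, mdre) pairs exactly as written in the thread.
RULES = {
    "errors": (r"too many errors after \S+", r"^from [^[]*\[<HOST>\]%(_port)s$"),
    "proto": (r"Protocol error;", r"^from [^[]*\[<HOST>\]%(_port)s$"),
}

def expand(mdre):
    """Substitute the simplified <HOST> and _port stand-ins into an mdre rule."""
    return mdre.replace("<HOST>", HOST).replace("%(_port)s", PORT)

def match(mode, line):
    """Return the offending host, or None if either stage fails to match."""
    mdpr, mdre = RULES[mode]
    # Stage 1: log prefix + mdpr; the rest of the line is kept as content.
    pre = re.search(PREFIX + "(?:" + mdpr + r") (?P<content>.+)$", line)
    if pre is None:
        return None
    # Stage 2: mdre is anchored (^...$) against that content only.
    hit = re.search(expand(mdre), pre.group("content"))
    return hit.group("host") if hit else None

# Constructed log lines; the real "Protocol error" format is not shown in the thread.
SAMPLES = [
    "Jun  1 09:29:01 mx1 postfix/smtpd[4242]: too many errors after RCPT from unknown[192.0.2.10]",
    "Jun  1 09:29:05 mx1 postfix/smtpd[4243]: too many errors after AUTH from unknown[198.51.100.7]:52114",
    "Jun  1 09:30:11 mx1 postfix/smtpd[4250]: Protocol error; from unknown[203.0.113.5]",
    "Jun  1 09:30:12 mx1 postfix/smtpd[4251]: Protocol error; command=QUIT from unknown[203.0.113.5]",
]

if __name__ == "__main__":
    for mode, line in [("errors", SAMPLES[0]), ("errors", SAMPLES[1]),
                       ("proto", SAMPLES[2]), ("proto", SAMPLES[3])]:
        print(mode, "->", match(mode, line))
```

The last sample passes the mdpr stage but is dropped by the anchored mdre because the remainder does not start with "from", so a copied mdre only works if the real log line has that shape.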