From: Nick H. <ni...@ho...> - 2024-06-16 08:33:24
On 16/06/2024 08:23, Nick Howitt via Fail2ban-users wrote:
>
>
> On 01/06/2024 09:29, Nick Howitt wrote:
>>
>> On 01/06/2024 00:59, Alex wrote:
>>>
>>> Hi,
>>>
>>> > Ideally, I'd like to not have to modify that regexp and be able to
>>> > add my own, much like what appears to be happening with mdre-errors.
>>>
>>> You don't have to. Append your own rules in a new line and test your
>>> changed rule file with
>>>
>>> fail2ban-regex /log/file postfix
>>>
>>> and it should reply with text output like
>>>
>>>
>>> Yes, I understand that - I suppose it's the actual details of doing
>>> that which I don't understand.
>>>
>>> What's the difference between the pr and re rules? For example:
>>>
>>> mdpr-errors = too many errors after \S+
>>> mdre-errors = ^from [^[]*\[<HOST>\]%(_port)s$
>>>
>>> I'm assuming the re version is the regexp necessary just to capture
>>> the IP?
>>>
>>> So to add a new rule, I would simply copy this format with a new
>>> name, like:
>>>
>>> mdpr-proto = Protocol error;
>>> mdre-proto = ^from [^[]*\[<HOST>\]%(_port)s$
>>>
>>> (One thing I never fixed was this: After editing my filter file,
>>> previously working regexes started failing, e.g. they didn't match
>>> any more - despite being unmodified.)
>>>
>>>
>>> Did you change the mode to no longer include those other regexes?
>>> mode = errors
>>>
>>> Or specific in the jail.conf?
>>>
>>> [postfix]
>>> filter = postfix[mode=aggressive]
>>> maxretry = 1
>>> bantime = 48h
>>> enabled = true
>>>
>>> Thanks,
>>> Alex
>>>
>> I find the postfix filters really hard to follow, but as far as I can
>> see, if you go down your route, you then need to activate your
>> protocol filters by building them into something like
>> mdpr-extra/mdre-extra or have another jail just calling "mode=proto".
>>
>> Now, mdre-proto is already part of mdre-normal which seems to be
>> called by every filter so could be unnecessary. You could add a new
>> line to mdpr-normal if you wanted and your filter would work with
>> "mode = more", or you could adjust the mdpr-normal directly. Note
>> that to do an override, you generally leave the filter.d/postfix.conf
>> alone and create a filter.d/postfix.local. In it you could put:
>>
>> [Definition]
>> mdpr-normal = (?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+)
>>               Protocol error;
>>
>> Nick
> What are the log lines you are trying to match?
>
>
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users

Never mind. I've seen your followup. BTW, I can't crack it for the moment.