From: Nick H. <ni...@ho...> - 2024-06-16 11:58:54
On 16/06/2024 09:33, Nick Howitt via Fail2ban-users wrote:
> On 16/06/2024 08:23, Nick Howitt via Fail2ban-users wrote:
>> On 01/06/2024 09:29, Nick Howitt wrote:
>>> On 01/06/2024 00:59, Alex wrote:
>>>> Hi,
>>>>
>>>> > Ideally, I'd like to not have to modify that regexp and be able to
>>>> > add my own, much like what appears to be happening with mdre-errors.
>>>>
>>>> You don't have to. Append your own rules in a new line and test your
>>>> changed rule file with
>>>>
>>>> fail2ban-regex /log/file postfix
>>>>
>>>> and it should reply with text output like
>>>>
>>>> Yes, I understand that - I suppose it's the actual details of doing
>>>> that which I don't understand.
>>>>
>>>> What's the difference between the pr and re rules? For example:
>>>>
>>>> mdpr-errors = too many errors after \S+
>>>> mdre-errors = ^from [^[]*\[<HOST>\]%(_port)s$
>>>>
>>>> I'm assuming the re version is the regexp necessary just to capture
>>>> the IP?
>>>>
>>>> So to add a new rule, I would simply copy this format with a new
>>>> name, like:
>>>>
>>>> mdpr-proto = Protocol error;
>>>> mdre-proto = ^from [^[]*\[<HOST>\]%(_port)s$
>>>>
>>>> (One thing I never fixed was this: After editing my filter file,
>>>> previously working regexes started failing, e.g. they didn't match
>>>> any more - despite being unmodified.)
>>>>
>>>> Did you change the mode to no longer include those other regexes?
>>>>
>>>> mode = errors
>>>>
>>>> Or specific in the jail.conf?
>>>>
>>>> [postfix]
>>>> filter = postfix[mode=aggressive]
>>>> maxretry = 1
>>>> bantime = 48h
>>>> enabled = true
>>>>
>>>> Thanks,
>>>> Alex
>>>>
>>> I find the postfix filters really hard to follow, but as far as I
>>> can see, if you go down your route, you then need to activate your
>>> protocol filters by building them into something like
>>> mdpr-extra/mdre-extra or have another jail just calling "mode=proto".
>>>
>>> Now, mdre-proto is already part of mdre-normal which seems to be
>>> called by every filter so could be unnecessary. You could add a new
>>> line to mdpr-normal if you wanted and your filter would work with
>>> "mode = more", or you could adjust the mdpr-normal directly. Note
>>> that to do an override, you generally leave the
>>> filter.d/postfix.conf alone and create a filter.d/postfix.local. In
>>> it you could put:
>>>
>>> [Definition]
>>> mdpr-normal = (?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+)
>>>               Protocol error;
>>>
>>> Nick
>>
>> What are the log lines you are trying to match? Never mind. I've seen
>> your followup.
>
> BTW, I can't crack it for the moment.

OK so this isn't going to be quite so neat. You need to add a line:

^RCPT from [^[]*\[<HOST>\]%(_port)s:? 550 5\.5\.1 Protocol error;

to the mdre-normal section. Generally the recommended way is to create a
postfix.local file, but this would need to contain:

[Definition]
mdre-normal=^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.\d+ (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.\d+ (<[^>]*>)?: Helo command rejected: Host not found\b
            ^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.\d+ (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
            ^(RCPT|VRFY) from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.\d+ (<[^>]*>)?: Sender address rejected: Domain not found\b
            ^from [^[]*\[<HOST>\]%(_port)s:?
            ^RCPT from [^[]*\[<HOST>\]%(_port)s:? 550 5\.5\.1 Protocol error;

So you need to duplicate everything there then add your extra line.

Nick
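To check a rule like the one above offline before loading it into a jail, here is an added example (not from the thread and not fail2ban's own code) that models in Python what fail2ban-regex does for this filter: a stand-in prefregex strips the syslog header, smtpd tag and mdpr-normal token, then each mdre-normal line, with `<HOST>` and `%(_port)s` expanded, is tried against the remainder. HOST_RE, PORT_RE and PREFIX_RE are simplified assumptions rather than fail2ban's exact definitions, and the sample log lines are constructed.

```python
import re

# Simplified stand-ins for fail2ban's substitutions (assumptions for this example;
# fail2ban's real <HOST> pattern is richer). %(_port)s becomes an optional ":NNNNN".
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+)"
PORT_RE = r"(?::\d+)?"
# Stand-in for the filter's prefregex: syslog header, smtpd tag, then the mdpr-normal
# alternatives from the thread; what follows is the content the mdre lines see.
PREFIX_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "
    r"(?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+) (?P<content>.+)$")
# mdre-normal as listed in the thread, with the extra "Protocol error" line appended.
MDRE_NORMAL = [
    r"^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s",
    r"^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.\d+ (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)",
    r"^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.\d+ (<[^>]*>)?: Helo command rejected: Host not found\b",
    r"^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.\d+ (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b",
    r"^(RCPT|VRFY) from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s",
    r"^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.\d+ (<[^>]*>)?: Sender address rejected: Domain not found\b",
    r"^from [^[]*\[<HOST>\]%(_port)s:?",
    r"^RCPT from [^[]*\[<HOST>\]%(_port)s:? 550 5\.5\.1 Protocol error;",
]

def expand(rule):
    """Expand <HOST> and %(_port)s and compile, roughly as fail2ban-regex does."""
    return re.compile(rule.replace("<HOST>", HOST_RE).replace("%(_port)s", PORT_RE))

FAILREGEX = [expand(r) for r in MDRE_NORMAL]

def match_host(line):
    """Return (index of the mdre line that matched, host) for a log line, or None."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    for i, rx in enumerate(FAILREGEX):
        hit = rx.match(m.group("content"))
        if hit:
            return i, hit.group("host")
    return None

# Constructed sample lines (not real log data): the reject the thread wants to catch,
# a "too many errors" line, and a plain connect line that must not match.
SAMPLE_LINES = [
    "Jun 16 11:58:54 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]:54321:"
    " 550 5.5.1 Protocol error; from=<a@example.com> to=<b@example.org> proto=ESMTP helo=<x>",
    "Jun 16 11:59:01 mail postfix/smtpd[1234]: too many errors after RCPT from unknown[198.51.100.7]",
    "Jun 16 11:59:05 mail postfix/smtpd[1234]: connect from unknown[203.0.113.5]",
]
```

Calling match_host on the three sample lines gives (7, '192.0.2.10'), (6, '198.51.100.7') and None, i.e. the new line catches the Protocol error reject without stealing matches from the existing mdre-normal lines.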