Re: [Fail2ban-users] f2b match working, test find lots of matches, but real exec adds only one ip to ipset?

jasonsu Mon, 11 Apr 2016 12:04:24 -0700


On Mon, Apr 11, 2016, at 11:52 AM, Bill Shirley wrote:
> Post your filter.


cat filter.d/my-ipset.conf
        [INCLUDES]
        before = common.conf

        [Definition]
        _daemon = postfix/postscreen
        failregex = ^%(__prefix_line)sHANGUP after .* from \[<HOST>\]:.* in 
tests before SMTP handshake$

Which matches on all of

        ...
        Apr 11 00:09:55 mail01 postfix/postscreen[23125]: HANGUP after 0.17 
from [104.243.24.188]:60475 in tests after SMTP handshake
        Apr 11 00:09:55 mail01 postfix/postscreen[23125]: HANGUP after 0.16 
from [104.243.24.188]:60530 in tests after SMTP handshake
        Apr 11 00:09:55 mail01 postfix/postscreen[23125]: HANGUP after 0.16 
from [104.243.24.188]:60574 in tests after SMTP handshake
        Apr 11 00:09:56 mail01 postfix/postscreen[23125]: HANGUP after 0.16 
from [104.243.24.188]:60610 in tests after SMTP handshake
        Apr 11 00:09:56 mail01 postfix/postscreen[23125]: HANGUP after 0.16 
from [104.243.24.188]:60667 in tests after SMTP handshake
        Apr 11 00:09:56 mail01 postfix/postscreen[23125]: HANGUP after 0.15 
from [104.243.24.188]:60718 in tests after SMTP handshake
        Apr 11 00:09:57 mail01 postfix/postscreen[23125]: HANGUP after 0.17 
from [104.243.24.188]:60779 in tests after SMTP handshake
        Apr 11 00:09:57 mail01 postfix/postscreen[23125]: HANGUP after 0.16 
from [104.243.24.188]:60845 in tests after SMTP handshake
        Apr 11 00:09:57 mail01 postfix/postscreen[23125]: HANGUP after 0.16 
from [104.243.24.188]:60881 in tests after SMTP handshake
        Apr 11 00:26:18 mail01 postfix/postscreen[23167]: HANGUP after 5.2 from 
[88.199.175.11]:57784 in tests before SMTP handshake
        Apr 11 00:50:04 mail01 postfix/postscreen[24252]: HANGUP after 5.2 from 
[88.199.175.11]:59763 in tests before SMTP handshake
        Apr 11 01:13:58 mail01 postfix/postscreen[25434]: HANGUP after 5.2 from 
[88.199.175.11]:61856 in tests before SMTP handshake
        Apr 11 01:37:05 mail01 postfix/postscreen[26521]: HANGUP after 0.57 
from [185.130.224.4]:49490 in tests after SMTP handshake
        Apr 11 01:37:52 mail01 postfix/postscreen[26521]: HANGUP after 5.2 from 
[88.199.175.11]:63959 in tests before SMTP handshake
        Apr 11 01:56:47 mail01 postfix/postscreen[26558]: HANGUP after 0.09 
from [69.50.192.99]:36160 in tests after SMTP handshake
        Apr 11 02:01:42 mail01 postfix/postscreen[27711]: HANGUP after 5.2 from 
[88.199.175.11]:49678 in tests before SMTP handshake
        Apr 11 02:25:34 mail01 postfix/postscreen[27788]: HANGUP after 5.2 from 
[88.199.175.11]:51776 in tests before SMTP handshake
        Apr 11 02:49:26 mail01 postfix/postscreen[28893]: HANGUP after 5.2 from 
[88.199.175.11]:53864 in tests before SMTP handshake
        Apr 11 03:13:12 mail01 postfix/postscreen[30050]: HANGUP after 5.2 from 
[88.199.175.11]:55957 in tests before SMTP handshake
        Apr 11 03:14:23 mail01 postfix/postscreen[30050]: HANGUP after 0.8 from 
[188.15.175.167]:50111 in tests after SMTP handshake
        Apr 11 03:37:12 mail01 postfix/postscreen[31143]: HANGUP after 5.2 from 
[88.199.175.11]:58057 in tests before SMTP handshake
        Apr 11 03:46:55 mail01 postfix/postscreen[31167]: HANGUP after 3 from 
[182.64.66.171]:45059 in tests after SMTP handshake
        Apr 11 04:01:05 mail01 postfix/postscreen[7788]: HANGUP after 5.2 from 
[88.199.175.11]:60149 in tests before SMTP handshake
        Apr 11 04:25:03 mail01 postfix/postscreen[8830]: HANGUP after 5.2 from 
[88.199.175.11]:60308 in tests before SMTP handshake
        Apr 11 04:49:11 mail01 postfix/postscreen[9926]: HANGUP after 0.02 from 
[88.199.175.11]:59166 in tests after SMTP handshake
        Apr 11 05:13:15 mail01 postfix/postscreen[11112]: HANGUP after 5.2 from 
[88.199.175.11]:56939 in tests before SMTP handshake
        Apr 11 05:37:22 mail01 postfix/postscreen[12204]: HANGUP after 5.2 from 
[88.199.175.11]:55814 in tests before SMTP handshake
        Apr 11 06:01:24 mail01 postfix/postscreen[14978]: HANGUP after 5.2 from 
[88.199.175.11]:53859 in tests before SMTP handshake
        Apr 11 06:44:31 mail01 postfix/postscreen[17357]: HANGUP after 0.25 
from [70.209.75.237]:12906 in tests after SMTP handshake
        Apr 11 08:33:38 mail01 postfix/postscreen[22400]: HANGUP after 0.47 
from [118.160.210.194]:2030 in tests after SMTP handshake
        ...

for example.  But just doesn't ADD them to the ipset.

------------------------------------------------------------------------------
Find and fix application performance issues faster with Applications Manager
Applications Manager provides deep performance insights into multiple tiers of
your business applications. It resolves application problems quickly and
reduces your MTTR. Get your free trial!
https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users

Re: [Fail2ban-users] f2b match working, test find lots of matches, but real exec adds only one ip to ipset?

Reply via email to