Extract from jail.local:

[postfix-disc]
enabled = true
logpath = %(syslog_mail)s
maxretry = 5
bantime = 108000
findtime = 3600
port = smtp,465,submission

[postfix-discsl]
# as postfix-disc but to pick up people chipping away slowly
enabled = true
logpath = %(syslog_mail)s
filter = postfix-disc
maxretry = 10
bantime = 108000
findtime = 86400
port = smtp,465,submission

/etc/fail2ban/filter.d/postfix-disc.conf:

# Fail2Ban filter for postfix lost connections
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix/smtpd

failregex = ^%(__prefix_line)slost connection after (AUTH|STARTTLS|NOOP|EHLO|RCPT|UNKNOWN) from .*\..*\[<HOST>\]$
            ^%(__prefix_line)sdisconnect from unknown\[<HOST>\]$

ignoreregex =

I've no idea about what you are proposing, but the above works.

Nick

On 16/12/2016 12:11, Dominic Raferd wrote:
> Thanks Nick, I had tried that but the result was that both jails
> triggered on an event where the tag only matched one of them.
>
> I had removed the _daemon variable definition from the filter and, like
> you said, specified the same filter explicitly for each jail. But the
> __prefix_line variable (used for failregex) is non-jail-specific (builds
> from the default __daemon is \S*), this is why (I think) it triggered
> both jails even though the tag only matched the jail name of one of
> them. Can I use a variable definition in the filter:
> _daemon=%(_jailname)s (or something like that, this syntax is a bit
> beyond me)?
>
> Dominic
>
> On 16/12/2016 11:42, Nick Howitt wrote:
>> You can do it already (I do), just by specifying the filter in the jail.
>> If you don't specify the filter then the filter name must match the jail
>> name, but there is no problem specifying the filter.
>>
>> Nick
>>
>> On 2016-12-16 11:01, Dominic Raferd wrote:
>>> In a filter's failregex, can we have a variable equal to or containing
>>> the name of the jail using it? So that two jails can use the same
>>> filter and the failregex will match different messages depending on
>>> the jail?
>>>
>>> Use case:
>>>
>>> I'm using fail2ban v0.9.3. I have created two jails 'relay-long' and
>>> 'relay-short', and they are both monitoring the same log file (syslog)
>>> and waiting for messages containing tag 'relay-long' or 'relay-short'
>>> and then some other text (which is the same for both jails). As the
>>> names suggest, one imposes a shorter bantime and the other a longer.
>>>
>>> I have this working with each jail having its own filter. Each filter
>>> has an identical failregex which contains variable __prefix_line. The
>>> only difference between the filters is variable _daemon which is
>>> hard-coded to the name of the jail that uses the filter. (The default
>>> definition of __prefix_line, which I haven't changed, contains
>>> _daemon.)
>>>
>>> It seems like I am using two filters where it would be more elegant to
>>> use one, but I can't find how to achieve this. Any help gratefully
>>> received.
>>>
>>> Dominic
>>>
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> Fail2ban-users mailing list
>>> Fail2ban-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
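
Added example, not part of the original thread and not fail2ban code: a small Python model of the two jails in the jail.local extract above, showing how one shared filter with different maxretry/findtime values separates a fast client from one "chipping away slowly". Assumptions: the regex prefix is a simplified stand-in for %(__prefix_line)s and <HOST>, a ban is modelled as maxretry matches inside one findtime window, and the log lines and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for %(__prefix_line)s and <HOST> (assumption); the
# message part follows the two failregex lines quoted in the thread.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ postfix/smtpd\[\d+\]: "
    r"(?:lost connection after (?:AUTH|STARTTLS|NOOP|EHLO|RCPT|UNKNOWN) "
    r"from .*\..*\[(?P<h1>[\d.]+)\]|disconnect from unknown\[(?P<h2>[\d.]+)\])$"
)

# (maxretry, findtime in seconds) copied from the jail.local extract.
JAILS = {"postfix-disc": (5, 3600), "postfix-discsl": (10, 86400)}

def banned_hosts(lines, year=2016):
    """Return {jail: hosts with maxretry matches inside one findtime window}."""
    hits = defaultdict(list)
    for line in lines:
        m = FAILREGEX.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits[m["h1"] or m["h2"]].append(ts)
    result = {jail: set() for jail in JAILS}
    for host, times in hits.items():
        times.sort()
        for jail, (maxretry, findtime) in JAILS.items():
            window = timedelta(seconds=findtime)
            # Look for any run of maxretry consecutive matches within findtime.
            for i in range(len(times) - maxretry + 1):
                if times[i + maxretry - 1] - times[i] <= window:
                    result[jail].add(host)
                    break
    return result

def sample_log():
    """Constructed log: a fast client and a slow client (documentation IPs)."""
    start = datetime(2016, 12, 16, 0, 0, 0)
    fmt = ("{:%b %d %H:%M:%S} mx postfix/smtpd[1234]: "
           "lost connection after AUTH from host.example[{}]")
    fast = [fmt.format(start + timedelta(minutes=i), "192.0.2.10") for i in range(5)]
    slow = [fmt.format(start + timedelta(hours=2 * i), "198.51.100.7") for i in range(10)]
    return fast + slow

if __name__ == "__main__":
    print(banned_hosts(sample_log()))
```

The fast client (5 matches in 4 minutes) trips only postfix-disc; the slow client (10 matches spread over 18 hours) never reaches 5 in an hour and trips only postfix-discsl.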