Thanks Nick. I think in your case the filter matches exactly the same
text for both jails, and the difference comes in 'maxretry' and
'findtime', which are defined at jail level. There might be some
occasions when both jails trigger a ban at the same time; I'm not sure
how fail2ban works out how to prioritise these but since the bantime
is the same it presumably doesn't matter.

My case is slightly different. I want to match on different log
messages, but the only difference is in the tag:

2016-12-15 11:06:04 vps344433 relay-short: bannable A91AB3EC5F msbadger0209.apple.com 17.254.6.117
2016-12-15 11:06:14 vps344433 relay-long: bannable AE4013E92D decla.mycashtube.com 146.0.229.84

The first line is to be matched by the filter running under the
'relay-short' jail (-> shorter ban time) and the second line is to be
matched by the same filter running under the 'relay-long' jail (->
longer bantime). I can do it with two different filters but I can't
see how to do it with one filter.


On 16 December 2016 at 14:10, Nick Howitt <n...@howitts.co.uk> wrote:
> Extract from jail.local:
>
>    [postfix-disc]
>    enabled  = true
>    logpath  = %(syslog_mail)s
>    maxretry = 5
>    bantime = 108000
>    findtime = 3600
>    port     = smtp,465,submission
>
>    [postfix-discsl]
>    # as postfix-disc but to pick up people chipping away slowly
>    enabled  = true
>    logpath  = %(syslog_mail)s
>    filter = postfix-disc
>    maxretry = 10
>    bantime = 108000
>    findtime = 86400
>    port     = smtp,465,submission
>
>
> /etc/fail2ban/filter.d/postfix-disc.conf:
>
>    # Fail2Ban filter for postfix lost connections
>    #
>    [INCLUDES]
>    before = common.conf
>
>    [Definition]
>    _daemon = postfix/smtpd
>    failregex = ^%(__prefix_line)slost connection after (AUTH|STARTTLS|NOOP|EHLO|RCPT|UNKNOWN) from .*\..*\[<HOST>\]$
>             ^%(__prefix_line)sdisconnect from unknown\[<HOST>\]$
>    ignoreregex =
>
> I've no idea about what you are proposing, but the above works.
>
> Nick
>
>
> On 16/12/2016 12:11, Dominic Raferd wrote:
>>
>> Thanks Nick, I had tried that but the result was that both jails
>> triggered on an event where the tag only matched one of them.
>>
>> I had removed the _daemon variable definition from the filter and, like
>> you said, specified the same filter explicitly for each jail. But the
>> __prefix_line variable (used for failregex) is non-jail-specific (it builds
>> from the default __daemon, which is \S*); this is why (I think) it triggered
>> both jails even though the tag only matched the jail name of one of
>> them. Can I use a variable definition in the filter:
>> _daemon=%(_jailname)s (or something like that, this syntax is a bit
>> beyond me)?
>>
>> Dominic
>>
>> On 16/12/2016 11:42, Nick Howitt wrote:
>>>
>>> You can do it already (I do), just by specifying the filter in the jail.
>>> If you don't specify the filter then the filter name must match the jail
>>> name, but there is no problem specifying the filter.
>>>
>>> Nick
>>>
>>> On 2016-12-16 11:01, Dominic Raferd wrote:
>>>>
>>>> In a filter's failregex, can we have a variable equal to or containing
>>>> the name of the jail using it? So that two jails can use the same
>>>> filter and the failregex will match different messages depending on
>>>> the jail?
>>>>
>>>> Use case:
>>>>
>>>> I'm using fail2ban v0.9.3. I have created two jails 'relay-long' and
>>>> 'relay-short', and they are both monitoring the same log file (syslog)
>>>> and waiting for messages containing tag 'relay-long' or 'relay-short'
>>>> and then some other text (which is the same for both jails). As the
>>>> names suggest, one imposes a shorter bantime and the other a longer.
>>>>
>>>> I have this working with each jail having its own filter. Each filter
>>>> has an identical failregex which contains variable __prefix_line. The
>>>> only difference between the filters is variable _daemon which is
>>>> hard-coded to the name of the jail that uses the filter. (The default
>>>> definition of __prefix_line, which I haven't changed, contains
>>>> _daemon.)
>>>>
>>>> It seems like I am using two filters where it would be more elegant to
>>>> use one, but I can't find how to achieve this. Any help gratefully
>>>> received.
>>>>
>>>> Dominic
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Check out the vibrant tech community on one of the world's most
>>>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>>>> _______________________________________________
>>>> Fail2ban-users mailing list
>>>> Fail2ban-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users


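An added example, not from the thread or from fail2ban's own code, that models the matching Dominic describes: a cut-down __prefix_line built in Python from a chosen _daemon value and run over constructed lines in the shape of the two quoted messages. The failregex body and the simplified prefix are assumptions (the real common.conf has more optional pieces); the point it shows is that the default _daemon of \S* lets one filter fire on either tag.

```python
import re

# Constructed sample lines in the shape of the two messages quoted in the thread.
# The timestamp is already stripped: fail2ban removes the text matched by its
# datepattern before failregex is applied.
LINES = {
    "relay-short": "vps344433 relay-short: bannable A91AB3EC5F msbadger0209.apple.com 17.254.6.117",
    "relay-long": "vps344433 relay-long: bannable AE4013E92D decla.mycashtube.com 146.0.229.84",
}

# Simplified model of common.conf's __prefix_line: an optional hostname token
# followed by an optional daemon tag built from _daemon. The real definition has
# more optional pieces (PID, kernel prefix, BSD verbose level), but the shape
# that matters here is the same: the daemon tag is optional and _daemon is \S*
# unless the filter overrides it.
HOST = r"(?P<host>\S+)"  # stand-in for fail2ban's <HOST> expansion


def failregex(daemon=r"\S*"):
    """Compile the failregex for one _daemon value; \\S* is fail2ban's default."""
    daemon_re = r"[\[\(]?%s[\]\)]?:?" % daemon
    prefix_line = r"\s*(?:\S+\s+)?(?:%s\s+)?" % daemon_re
    # Assumed failregex body: the thread only shows "bannable" followed by a
    # queue id, a client host name and the client address.
    return re.compile(r"^" + prefix_line + r"bannable \S+ \S+ " + HOST + r"$")


def banned(daemon=r"\S*", lines=LINES):
    """Return {tag: host} for every line a filter with this _daemon would ban."""
    regex = failregex(daemon)
    result = {}
    for tag, line in lines.items():
        m = regex.match(line)
        if m:
            result[tag] = m.group("host")
    return result


if __name__ == "__main__":
    # Shared filter with no _daemon: \S* swallows either tag, so a jail built
    # on it bans on both messages, which is what the thread reports.
    print("default _daemon:", banned())
    # Per-jail _daemon (the two-filter setup): only the matching tag is banned.
    print("relay-short    :", banned("relay-short"))
    print("relay-long     :", banned("relay-long"))
```

To run the same check against a real filter file and a real log line, fail2ban ships fail2ban-regex, which reports which lines a filter's failregex matches.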