Dominic:

If you want your failregex to match the same text except for two possible daemons, then you can do this in your filter:

[Definition]
_daemon = (relay-short|relay-long)

or, since you probably don't need/want to capture the result ...

_daemon = (?:relay-short|relay-long)

and then __prefix_line will match either daemon. I saw this in some of the example filter .conf files and have used it several times.

Michael

> -----Original Message-----
> From: Dominic Raferd [mailto:domi...@timedicer.co.uk]
> Sent: Friday, December 16, 2016 6:31 AM
> To: fail2ban-users@lists.sourceforge.net
> Subject: Re: [Fail2ban-users] Two jails using one filter
>
> Thanks Nick. I think in your case the filter matches exactly the same
> text for both jails, and the difference comes in 'maxretry' and
> 'findtime', which are defined at jail level. There might be some
> occasions when both jails trigger a ban at the same time; I'm not sure
> how fail2ban works out how to prioritise these but since the bantime
> is the same it presumably doesn't matter.
>
> My case is slightly different. I want to match on different log
> messages, but the only difference is in the tag:
>
> 2016-12-15 11:06:04 vps344433 relay-short: bannable A91AB3EC5F msbadger0209.apple.com 17.254.6.117
> 2016-12-15 11:06:14 vps344433 relay-long: bannable AE4013E92D decla.mycashtube.com 146.0.229.84
>
> The first line is to be matched by the filter running under the
> 'relay-short' jail (-> shorter bantime) and the second line is to be
> matched by the same filter running under the 'relay-long' jail (->
> longer bantime). I can do it with two different filters but I can't
> see how to do it with one filter.
>
> On 16 December 2016 at 14:10, Nick Howitt <n...@howitts.co.uk> wrote:
> > Extract from jail.local:
> >
> > [postfix-disc]
> > enabled = true
> > logpath = %(syslog_mail)s
> > maxretry = 5
> > bantime = 108000
> > findtime = 3600
> > port = smtp,465,submission
> >
> > [postfix-discsl]
> > # as postfix-disc but to pick up people chipping away slowly
> > enabled = true
> > logpath = %(syslog_mail)s
> > filter = postfix-disc
> > maxretry = 10
> > bantime = 108000
> > findtime = 86400
> > port = smtp,465,submission
> >
> > /etc/fail2ban/filter.d/postfix-disc.conf:
> >
> > # Fail2Ban filter for postfix lost connections
> > #
> > [INCLUDES]
> > before = common.conf
> >
> > [Definition]
> > _daemon = postfix/smtpd
> > failregex = ^%(__prefix_line)slost connection after (AUTH|STARTTLS|NOOP|EHLO|RCPT|UNKNOWN) from .*\..*\[<HOST>\]$
> >             ^%(__prefix_line)sdisconnect from unknown\[<HOST>\]$
> > ignoreregex =
> >
> > I've no idea about what you are proposing, but the above works.
> >
> > Nick
> >
> > On 16/12/2016 12:11, Dominic Raferd wrote:
> >>
> >> Thanks Nick, I had tried that but the result was that both jails
> >> triggered on an event where the tag only matched one of them.
> >>
> >> I had removed the _daemon variable definition from the filter and, like
> >> you said, specified the same filter explicitly for each jail. But the
> >> __prefix_line variable (used for failregex) is non-jail-specific (builds
> >> from the default __daemon is \S*), this is why (I think) it triggered
> >> both jails even though the tag only matched the jail name of one of
> >> them. Can I use a variable definition in the filter:
> >> _daemon=%(_jailname)s (or something like that, this syntax is a bit
> >> beyond me)?
> >>
> >> Dominic
> >>
> >> On 16/12/2016 11:42, Nick Howitt wrote:
> >>>
> >>> You can do it already (I do), just by specifying the filter in the jail.
> >>> If you don't specify the filter then the filter name must match the jail
> >>> name, but there is no problem specifying the filter.
> >>>
> >>> Nick
> >>>
> >>> On 2016-12-16 11:01, Dominic Raferd wrote:
> >>>>
> >>>> In a filter's failregex, can we have a variable equal to or containing
> >>>> the name of the jail using it? So that two jails can use the same
> >>>> filter and the failregex will match different messages depending on
> >>>> the jail?
> >>>>
> >>>> Use case:
> >>>>
> >>>> I'm using fail2ban v0.9.3. I have created two jails 'relay-long' and
> >>>> 'relay-short', and they are both monitoring the same log file (syslog)
> >>>> and waiting for messages containing tag 'relay-long' or 'relay-short'
> >>>> and then some other text (which is the same for both jails). As the
> >>>> names suggest, one imposes a shorter bantime and the other a longer.
> >>>>
> >>>> I have this working with each jail having its own filter. Each filter
> >>>> has an identical failregex which contains variable __prefix_line. The
> >>>> only difference between the filters is variable _daemon which is
> >>>> hard-coded to the name of the jail that uses the filter. (The default
> >>>> definition of __prefix_line, which I haven't changed, contains
> >>>> _daemon.)
> >>>>
> >>>> It seems like I am using two filters where it would be more elegant to
> >>>> use one, but I can't find how to achieve this. Any help gratefully
> >>>> received.
> >>>>
> >>>> Dominic

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
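The following is an added illustration, not code from the thread or from the fail2ban project. It simulates how the `_daemon` value ends up inside `__prefix_line` and what each jail's filter would then extract from the two log lines Dominic quoted. The `__prefix_line` and `<HOST>` patterns used here are deliberately simplified assumptions (date, time, hostname, daemon tag, and an IPv4 host); fail2ban's real `common.conf` prefix is more elaborate. The point it makes visible: with the `(?:relay-short|relay-long)` alternation both jails match both lines, so the short-ban and long-ban jails each act on every event, which is the double triggering Dominic described; with `_daemon` hard-coded per filter, each jail only sees its own tag.

```python
import re

# Constructed sample log lines, copied from the two examples quoted in the thread.
LOG_LINES = [
    "2016-12-15 11:06:04 vps344433 relay-short: bannable A91AB3EC5F msbadger0209.apple.com 17.254.6.117",
    "2016-12-15 11:06:14 vps344433 relay-long: bannable AE4013E92D decla.mycashtube.com 146.0.229.84",
]

# Simplified stand-in for fail2ban's <HOST> substitution (assumption: the real one
# also handles IPv6 addresses and hostnames). IPv4 is enough for the sample lines.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"


def build_failregex(daemon):
    """Assemble a failregex the way a filter does: _daemon is interpolated into
    __prefix_line and the message pattern follows it.

    __prefix_line is a simplified assumption here: "<date> <time> <hostname> <daemon>: ".
    """
    prefix_line = r"^\S+ \S+ \S+ " + daemon + r": "
    failregex = prefix_line + r"bannable \S+ \S+ <HOST>$"
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def hosts_matched(daemon, lines=LOG_LINES):
    """Return the <HOST> values a filter with this _daemon extracts from lines."""
    rx = build_failregex(daemon)
    hosts = []
    for line in lines:
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def simulate_jails(daemon_by_jail, lines=LOG_LINES):
    """Map each jail name to the hosts its filter reports, given the _daemon that
    jail's filter uses. This is what each jail would count towards maxretry."""
    return {jail: hosts_matched(daemon, lines) for jail, daemon in daemon_by_jail.items()}


# The alternation suggested in the reply: one shared filter, so both jails see both tags.
SHARED = {
    "relay-short": "(?:relay-short|relay-long)",
    "relay-long": "(?:relay-short|relay-long)",
}

# Dominic's working setup: two filters, each with _daemon hard-coded to its jail's tag.
PER_JAIL = {
    "relay-short": "relay-short",
    "relay-long": "relay-long",
}

if __name__ == "__main__":
    for label, setup in (("shared filter", SHARED), ("per-jail filters", PER_JAIL)):
        print(label)
        for jail, hosts in simulate_jails(setup).items():
            print(f"  {jail:12s} -> {hosts}")
```

Whether the capturing `(relay-short|relay-long)` or the non-capturing `(?:relay-short|relay-long)` form is used makes no difference to what `<HOST>` extracts; only the named host group is read. On a real system the equivalent check is to run `fail2ban-regex` against the log with each filter and compare which lines are reported as matched.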