Thanks Michael, but then won't both lines in my example log match both jails - so I get 2 matches for each line whereas I want only 1? I don't want __prefix_line to match either daemon, I want it to match text 'relay-long' if and only if it is looking on behalf of jail 'relay-long' and match text 'relay-short' if and only if it is looking on behalf of jail 'relay-short'.
On 16 December 2016 at 15:59, Michael Fox <n...@mefox.org> wrote:
> Dominic:
>
> If you want your failregex to match the same text except for two possible
> daemons, then you can do this in your filter:
>
> [Definition]
>
> _daemon = (relay-short|relay-long)
>
> or, since you probably don't need/want to capture the result ...
>
> _daemon = (?:relay-short|relay-long)
>
> and then __prefix_line will match either daemon. I saw this in some of the
> example filter .conf files and have used it several times.
>
> Michael
>
>> -----Original Message-----
>> From: Dominic Raferd [mailto:domi...@timedicer.co.uk]
>> Sent: Friday, December 16, 2016 6:31 AM
>> To: fail2ban-users@lists.sourceforge.net
>> Subject: Re: [Fail2ban-users] Two jails using one filter
>>
>> Thanks Nick. I think in your case the filter matches exactly the same
>> text for both jails, and the difference comes in 'maxretry' and
>> 'findtime', which are defined at jail level. There might be some
>> occasions when both jails trigger a ban at the same time; I'm not sure
>> how fail2ban works out how to prioritise these but since the bantime
>> is the same it presumably doesn't matter.
>>
>> My case is slightly different. I want to match on different log
>> messages, but the only difference is in the tag:
>>
>> 2016-12-15 11:06:04 vps344433 relay-short: bannable A91AB3EC5F msbadger0209.apple.com 17.254.6.117
>> 2016-12-15 11:06:14 vps344433 relay-long: bannable AE4013E92D decla.mycashtube.com 146.0.229.84
>>
>> The first line is to be matched by the filter running under the
>> 'relay-short' jail (-> shorter ban time) and the second line is to be
>> matched by the same filter running under the 'relay-long' jail (->
>> longer bantime). I can do it with two different filters but I can't
>> see how to do it with one filter.
>>
>> On 16 December 2016 at 14:10, Nick Howitt <n...@howitts.co.uk> wrote:
>> > Extract from jail.local:
>> >
>> > [postfix-disc]
>> > enabled = true
>> > logpath = %(syslog_mail)s
>> > maxretry = 5
>> > bantime = 108000
>> > findtime = 3600
>> > port = smtp,465,submission
>> >
>> > [postfix-discsl]
>> > # as postfix-disc but to pick up people chipping away slowly
>> > enabled = true
>> > logpath = %(syslog_mail)s
>> > filter = postfix-disc
>> > maxretry = 10
>> > bantime = 108000
>> > findtime = 86400
>> > port = smtp,465,submission
>> >
>> > /etc/fail2ban/filter.d/postfix-disc.conf:
>> >
>> > # Fail2Ban filter for postfix lost connections
>> > #
>> > [INCLUDES]
>> > before = common.conf
>> >
>> > [Definition]
>> > _daemon = postfix/smtpd
>> > failregex = ^%(__prefix_line)slost connection after (AUTH|STARTTLS|NOOP|EHLO|RCPT|UNKNOWN) from .*\..*\[<HOST>\]$
>> >             ^%(__prefix_line)sdisconnect from unknown\[<HOST>\]$
>> > ignoreregex =
>> >
>> > I've no idea about what you are proposing, but the above works.
>> >
>> > Nick
>> >
>> > On 16/12/2016 12:11, Dominic Raferd wrote:
>> >> Thanks Nick, I had tried that but the result was that both jails
>> >> triggered on an event where the tag only matched one of them.
>> >>
>> >> I had removed the _daemon variable definition from the filter and, like
>> >> you said, specified the same filter explicitly for each jail. But the
>> >> __prefix_line variable (used for failregex) is non-jail-specific (builds
>> >> from the default __daemon is \S*), this is why (I think) it triggered
>> >> both jails even though the tag only matched the jail name of one of
>> >> them. Can I use a variable definition in the filter:
>> >> _daemon=%(_jailname)s (or something like that, this syntax is a bit
>> >> beyond me)?
>> >>
>> >> Dominic
>> >>
>> >> On 16/12/2016 11:42, Nick Howitt wrote:
>> >>> You can do it already (I do), just by specifying the filter in the jail.
>> >>> If you don't specify the filter then the filter name must match the jail
>> >>> name, but there is no problem specifying the filter.
>> >>>
>> >>> Nick
>> >>>
>> >>> On 2016-12-16 11:01, Dominic Raferd wrote:
>> >>>> In a filter's failregex, can we have a variable equal to or containing
>> >>>> the name of the jail using it? So that two jails can use the same
>> >>>> filter and the failregex will match different messages depending on
>> >>>> the jail?
>> >>>>
>> >>>> Use case:
>> >>>>
>> >>>> I'm using fail2ban v0.9.3. I have created two jails 'relay-long' and
>> >>>> 'relay-short', and they are both monitoring the same log file (syslog)
>> >>>> and waiting for messages containing tag 'relay-long' or 'relay-short'
>> >>>> and then some other text (which is the same for both jails). As the
>> >>>> names suggest, one imposes a shorter bantime and the other a longer.
>> >>>>
>> >>>> I have this working with each jail having its own filter. Each filter
>> >>>> has an identical failregex which contains variable __prefix_line. The
>> >>>> only difference between the filters is variable _daemon which is
>> >>>> hard-coded to the name of the jail that uses the filter. (The default
>> >>>> definition of __prefix_line, which I haven't changed, contains
>> >>>> _daemon.)
>> >>>>
>> >>>> It seems like I am using two filters where it would be more elegant to
>> >>>> use one, but I can't find how to achieve this. Any help gratefully
>> >>>> received.
>> >>>>
>> >>>> Dominic

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
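To make the double-match Dominic reports concrete, here is an added Python model, written for this page rather than taken from fail2ban or from anyone in the thread. It builds a filter from a `[Definition]` section using the same `%(name)s` interpolation style that fail2ban filter files use, substitutes `<HOST>`, and runs the resulting failregex over the two log lines quoted above under different `_daemon` settings. The `__prefix_line` and `<HOST>` patterns are deliberately simplified assumptions (date, time, hostname, tag), not copies of fail2ban's `common.conf` or `regex.py`, and fail2ban's date handling is not modelled.

```python
"""Added model of how a fail2ban-style filter expands %(_daemon)s inside
__prefix_line, and why one alternation fires for both jails.
Illustration code, not fail2ban's own implementation."""
import configparser
import re

# Assumed, simplified filter. NOT fail2ban's common.conf: the real
# __prefix_line also handles syslog variants, pids, vservers, etc.
# The default _daemon of \S* mirrors the default Dominic mentions.
# Prefix layout assumed here: <date> <time> <hostname> <tag>[pid]:
FILTER_TEMPLATE = r"""
[Definition]
_daemon = \S*
__prefix_line = \S+ \S+ \S+ %(_daemon)s(?:\[\d+\])?:\s+
failregex = ^%(__prefix_line)sbannable \S+ \S+ <HOST>$
"""

# Assumed <HOST> expansion: a named group for the address, in the style
# of the one fail2ban substitutes (not copied from a specific version).
HOST_RE = r"(?P<host>[\w\-.^_]*\w)"

# The two sample lines quoted in the thread.
LOG_LINES = [
    "2016-12-15 11:06:04 vps344433 relay-short: bannable A91AB3EC5F "
    "msbadger0209.apple.com 17.254.6.117",
    "2016-12-15 11:06:14 vps344433 relay-long: bannable AE4013E92D "
    "decla.mycashtube.com 146.0.229.84",
]


def compile_failregex(daemon):
    """Set _daemon, let %(name)s interpolation build failregex, compile it."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cp.read_string(FILTER_TEMPLATE)
    cp.set("Definition", "_daemon", daemon)
    # %(__prefix_line)s and, inside it, %(_daemon)s are expanded on get().
    failregex = cp.get("Definition", "failregex")
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def jail_hits(jails, lines=LOG_LINES):
    """jails maps jail name -> _daemon value used by that jail's filter.
    Returns jail name -> list of hosts its failregex extracts from lines."""
    hits = {}
    for jail, daemon in jails.items():
        rx = compile_failregex(daemon)
        hits[jail] = [m.group("host") for m in map(rx.match, lines) if m]
    return hits


# Michael's suggestion: one alternation shared by both jails.
ALTERNATION = {
    "relay-short": "(?:relay-short|relay-long)",
    "relay-long": "(?:relay-short|relay-long)",
}

# What Dominic wants: each jail's filter only sees its own tag.
PER_JAIL = {
    "relay-short": "relay-short",
    "relay-long": "relay-long",
}

if __name__ == "__main__":
    for label, jails in (("shared alternation", ALTERNATION), ("per-jail _daemon", PER_JAIL)):
        print(label)
        for jail, hosts in jail_hits(jails).items():
            print(f"  {jail}: {len(hosts)} match(es) {hosts}")
```

With the shared alternation each jail's regex extracts both hosts, which is the two-matches-per-line behaviour Dominic describes; with a per-jail `_daemon` each jail gets exactly one, and the default `\S*` matches both as well. The filter text is identical in every run and only the `_daemon` value differs, so the open question in the thread is purely whether that one value can be set per jail rather than per filter file.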