Thanks all. For those who care, this is a sample of what I ended up with.

I'd be very interested to know if I can define filter attributes in the jail definition, i.e. define '_parent_jailname' in the jail; then I would only need one filter definition in total.

----- Filter: recidive-postfix-sasl.conf ------

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = fail2ban\.actions\s*

# The name of the jail that this filter is used for. In jail.conf, name the
# jail using this filter 'recidive', or change this line!
_jailname_prefix = recidive
_parent_jailname = postfix-sasl

failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(%(_parent_jailname)s)(?:.*)\]\s+Ban\s+<HOST>\s*$

ignoreregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[%(_jailname_prefix)s(?:.*)\]\s+Ban\s+<HOST>\s*$

[Init]

journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5

-------- Jail: recidive-postfix-sasl --------------

[recidive-postfix-sasl]
enabled  = true
logpath  = /var/log/fail2ban.log
port     = smtp,465,submission,imap3,imaps,pop3,pop3s
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 4


On 2/06/2017 3:23 PM, Mark Costlow wrote:
I was thinking about how to deal with the issue you raised in your first
message, then saw this one.  Yup, I think that would work fine.  :-)

Mark

On Fri, Jun 02, 2017 at 02:27:26PM +1000, Philip Warner wrote:
Or did I miss the point, and should I clone and create multiple recidive-like
jails, one for each service I monitor?


On 2/06/2017 2:13 PM, Philip Warner wrote:
The only problem I have with recidive is that it blocks all ports from a given
IP; I would much prefer to block only the attacked ports. This is especially
important when the attacks are coming from behind a large ISP's NAT firewall.


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
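
A check of the per-service recidive filter posted above, run over constructed fail2ban.log lines. This is an added example, not part of the original thread. It assumes the stock common.conf value for __pid_re, replaces __prefix_line with a never-matching stand-in, and uses a simplified IPv4-only pattern for <HOST>. It also shows that the (?:.*) after the parent jail name lets any jail whose name merely starts with postfix-sasl count toward the ban.

```python
import re

# Filter variables from the post; __pid_re is the value from fail2ban's stock
# common.conf. __prefix_line is replaced by a never-matching stand-in
# (assumption), so only the " fail2ban.actions[pid]:" alternative is exercised.
VARS = {
    "_daemon": r"fail2ban\.actions\s*",
    "_jailname_prefix": "recidive",
    "_parent_jailname": "postfix-sasl",
    "__pid_re": r"(?:\[\d+\])",
    "__prefix_line": r"(?!)",
}
FAILREGEX = (r"^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+"
             r"\[(%(_parent_jailname)s)(?:.*)\]\s+Ban\s+<HOST>\s*$")
IGNOREREGEX = (r"^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+"
               r"\[%(_jailname_prefix)s(?:.*)\]\s+Ban\s+<HOST>\s*$")
# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def compile_rule(template):
    """Expand %(name)s references, then substitute the <HOST> stand-in."""
    return re.compile((template % VARS).replace("<HOST>", HOST))

def classify(line, fail=compile_rule(FAILREGEX), ignore=compile_rule(IGNOREREGEX)):
    """Return the banned host if the line counts as a failure, else None."""
    if ignore.search(line):
        return None
    m = fail.search(line)
    return m.group("host") if m else None

# Constructed fail2ban.log lines, shown as they look after the timestamp
# has been stripped off (fail2ban removes it before applying failregex).
SAMPLE = [
    " fail2ban.actions        [1234]: NOTICE  [postfix-sasl] Ban 192.0.2.10",
    " fail2ban.actions        [1234]: NOTICE  [sshd] Ban 192.0.2.10",
    " fail2ban.actions        [1234]: NOTICE  [recidive-postfix-sasl] Ban 192.0.2.10",
    " fail2ban.actions        [1234]: NOTICE  [postfix-sasl-extra] Ban 198.51.100.7",
    " fail2ban.actions        [1234]: NOTICE  [postfix-sasl] Unban 192.0.2.10",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), "<-", line.strip())
```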
