Hello Marat,

On Thu, 17 May 2018, Marat Khalili wrote:
> 16.05.2018 21:09, Jody Whitesides wrote:
>> Actually there would be a few other attempts in between line 2 and 6
>> there. Thus, I'd like to create a filter that can figure out the hex thing
>> before the 'mta event' as that is what ties the first part's attempt to
>> the fact that it's failing. Then I'd like to ban that host, both the IPv4
>> and IPv6 ones that are doing whatever it is they're attempting to do.
>
> You can use multiline regular expressions for the hex part. Here's one example of how it is done (__machine, __pid1 and __pid2 all match among the lines): https://github.com/qm2k/burp_integration/blob/master/etc/fail2ban/filter.d/burp-auth.conf
Very interesting!
I did not know that Fail2ban could do that. This may indeed be the answer for Jody. This does beg these questions, though:

* one for you: After Fail2ban has successfully matched the regex from line #1 to line #6, will it resume log parsing at line #6 (next byte) or #7 (next line), or will it resume log parsing at line #2? For this solution to work, it must be the latter.

* one for Jody: Is there a known max number of lines you can set, to be matched by the multi-line regex? If not, you'll have to figure out a compromise: too high and the performance will be degraded; too low and you will miss occurrences.


> I'd also check your IPv6 connectivity (including ICMPv6) to the client; these timeouts are more likely caused by MTU problems than malicious intent.
I wouldn't know, but if you're right, this is indeed the _first_ thing to check! :-)

Regards,
Yves.
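As an added stand-alone example (not from this thread, not from fail2ban, and not Marat's burp-auth.conf), here is the correlation Jody describes done in Python rather than with a fail2ban multiline failregex: a session id seen on a connect line is tied to a later 'mta event' failure line, with a bounded lookback window standing in for fail2ban's maxlines. The log format, the session-id field, and the addresses are constructed for illustration.

```python
import re
import ipaddress
from collections import OrderedDict

# Constructed log format (assumption): a connect line carries a hex session id
# and the client address; a later "mta event" line with the same id reports
# the outcome. Real logs will need their own patterns.
START_RE = re.compile(r"session=(?P<sid>[0-9a-f]{8,}) client=\[(?P<host>[^\]]+)\]")
FAIL_RE = re.compile(r"mta event: session=(?P<sid>[0-9a-f]{8,}) .*(?:timeout|failed)")

def find_offenders(lines, maxlines=10):
    """Return [(host, sid)] for sessions whose failure line follows the
    connect line within `maxlines` lines. The window bounds memory, like
    fail2ban's maxlines: too small and slow offenders are missed."""
    pending = OrderedDict()   # sid -> (host, index of connect line), oldest first
    hits = []
    for i, line in enumerate(lines):
        # Expire connect lines that fell out of the window before matching.
        while pending and i - next(iter(pending.values()))[1] > maxlines:
            pending.popitem(last=False)
        m = START_RE.search(line)
        if m:
            pending[m.group("sid")] = (m.group("host"), i)
        m = FAIL_RE.search(line)
        if m and m.group("sid") in pending:
            host, _ = pending.pop(m.group("sid"))
            # ip_address() accepts and normalises both IPv4 and IPv6 literals.
            hits.append((str(ipaddress.ip_address(host)), m.group("sid")))
    return hits

# Constructed sample log: two sessions that fail quickly (IPv4 and IPv6) and a
# third whose failure arrives 13 lines after its connect line.
SAMPLE_LOG = """\
May 16 21:00:01 mx smtpd[123]: connect session=4f2a9c1e client=[198.51.100.23]
May 16 21:00:02 mx smtpd[123]: connect session=7b10de44 client=[2001:0db8::1]
May 16 21:00:03 mx smtpd[123]: STARTTLS session=4f2a9c1e
May 16 21:00:04 mx smtpd[123]: unrelated line
May 16 21:00:09 mx smtpd[123]: mta event: session=4f2a9c1e timeout after DATA
May 16 21:00:10 mx smtpd[123]: mta event: session=7b10de44 timeout after EHLO
May 16 21:00:11 mx smtpd[123]: connect session=9999aaaa client=[203.0.113.7]
""" + "May 16 21:00:12 mx smtpd[123]: unrelated line\n" * 12 \
    + "May 16 21:00:30 mx smtpd[123]: mta event: session=9999aaaa failed auth\n"

if __name__ == "__main__":
    for window in (10, 20):
        print(window, find_offenders(SAMPLE_LOG.splitlines(), maxlines=window))
```

With a window of 10 lines only the two fast sessions are reported; raising it to 20 also catches the slow one, which is the trade-off Yves raises above.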
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users