Re: [Fail2ban-users] Adding pattern to postfix filter

Sat, 01 Jun 2024 01:35:25 -0700 


On 01/06/2024 00:59, Alex wrote:


Hi,

    > Ideally, I'd like to not have to modify that regexp and be able to
    > add my own, much like what appears to be happening with mdre-errors.

    You don't have to. Append your own rules in a new line and test your
    changed rule file with

            fail2ban-regex /log/file postfix

    and it should reply with text output like



Yes, I understand that - I suppose it's the actual details of doing 
that which I don't understand.


What's the difference between the pr and re rules? For example:

mdpr-errors = too many errors after \S+
mdre-errors = ^from [^[]*\[<HOST>\]%(_port)s$


I'm assuming the re version is the regexp necessary just to capture 
the IP?



So to add a new rule, I would simply copy this format with a new name, 
like:


mdpr-proto = Protocol error;
mdre-proto = ^from [^[]*\[<HOST>\]%(_port)s$

    (One thing i never fixed was this: After editing my filter file,
    previously working regexes started failing, e. g. they didn't match
    any more - despite being unmodified.)


Did you change the mode to no longer include those other regexes?
mode = errors

Or specific in the jail.conf?

[postfix]
filter = postfix[mode=aggressive]
maxretry = 1
bantime = 48h
enabled = true

Thanks,
Alex


I find the postfix filters really hard to follow, but as far as I can 
see, if you go down your route, you then need to activate your protocol 
filters by building them into something like mdpr-extra/mdre-extra or 
have another jail just calling "mode=proto".



Now, mdre-proto is already part of mdre-normal which seems to be called 
by every filter so could be unnecessary. You could add a new line to 
mdpr-normal if you wanted and your filter would work with "mode = more", 
or you could adjust the mdpr-normal directly. Note that to do an 
override, you generally leave the filter.d/postfix.conf alone and create 
a filter.d/postfix.local. In it you could put:


[Definition]

mdpr-normal = (?:\w+: reject:|(?:improper command pipelining|too many 
errors) after \S+)

              Protocol error;

Nick
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users






















					Reply via email to