Hi, Finally able to get back to this....
On Sat, Jun 1, 2024 at 4:30 AM Nick Howitt via Fail2ban-users <fail2ban-users@lists.sourceforge.net> wrote:

> On 01/06/2024 00:59, Alex wrote:
>
> Hi,
>
>> > Ideally, I'd like to not have to modify that regexp and be able to
>> > add my own, much like what appears to be happening with mdre-errors.
>>
>> You don't have to. Append your own rules in a new line and test your
>> changed rule file with
>>
>> fail2ban-regex /log/file postfix
>>
>> and it should reply with text output like
>
> Yes, I understand that - I suppose it's the actual details of doing that
> which I don't understand.
>
> What's the difference between the pr and re rules? For example:
>
> mdpr-errors = too many errors after \S+
> mdre-errors = ^from [^[]*\[<HOST>\]%(_port)s$
>
> I'm assuming the re version is the regexp necessary just to capture the IP?
>
> So to add a new rule, I would simply copy this format with a new name,
> like:
>
> mdpr-proto = Protocol error;
> mdre-proto = ^from [^[]*\[<HOST>\]%(_port)s$
>
> (One thing I never fixed was this: After editing my filter file,
>> previously working regexes started failing, e.g. they didn't match
>> any more - despite being unmodified.)
>
> Did you change the mode to no longer include those other regexes?
> mode = errors
>
> Or specific in the jail.conf?
>
> [postfix]
> filter = postfix[mode=aggressive]
> maxretry = 1
> bantime = 48h
> enabled = true
>
> Thanks,
> Alex
>
> I find the postfix filters really hard to follow, but as far as I can see,
> if you go down your route, you then need to activate your protocol filters
> by building them into something like mdpr-extra/mdre-extra or have another
> jail just calling "mode=proto".
>
> Now, mdre-proto is already part of mdre-normal which seems to be called by
> every filter so could be unnecessary. You could add a new line to
> mdpr-normal if you wanted and your filter would work with "mode = more", or
> you could adjust the mdpr-normal directly. Note that to do an override, you
> generally leave the filter.d/postfix.conf alone and create a
> filter.d/postfix.local. In it you could put:
>
> [Definition]
> mdpr-normal = (?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+)
> Protocol error;
>

Adding the above did not work. Before I create a new filter that only processes these events, do you have any other ideas on what I should do?

Thanks,
Alex
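Added example, not part of the thread and not fail2ban's own code: a small Python model of the two matching stages that the pr/re pairs discussed above feed, assuming the stock postfix filter substitutes the mdpr value into a single prefix regex and applies each mdre line to the rest of the message. The HOST, PORT and PREFIX_LINE patterns and both sample log lines are constructed stand-ins.

```python
import re

# Simplified stand-ins for fail2ban's tag substitution (assumptions, not its code).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"  # plays the role of <HOST>, IPv4 only
PORT = r"(?::\d+)?"                           # plays the role of %(_port)s
PREFIX_LINE = r"\S+ postfix/smtpd\[\d+\]: "   # plays the role of %(__prefix_line)s

# Values quoted in the thread.
MDRE_FROM = r"^from [^[]*\[<HOST>\]%(_port)s$"
MDPR_NORMAL = r"(?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+)"
# The override as posted, assuming the second line was read as a continuation
# of the same value (a literal newline inside one regex).
MDPR_NEWLINE = MDPR_NORMAL + "\nProtocol error;"
# The same text written as one more alternative inside the single prefix regex.
MDPR_ALTERNATION = MDPR_NORMAL[:-1] + r"|Protocol error;)"

def find_host(line, mdpr, mdre):
    """Stage 1: mdpr must match the start of the message. Stage 2: each mdre
    line is tried against the remainder of the message to extract the host."""
    pref = re.compile("^" + PREFIX_LINE + mdpr + r" (?P<content>.+)$")
    m = pref.search(line)
    if m is None:
        return None
    for raw in mdre.split("\n"):  # one fail regex per line
        rx = re.compile(raw.strip().replace("<HOST>", HOST).replace("%(_port)s", PORT))
        hit = rx.search(m.group("content"))
        if hit:
            return hit.group("host")
    return None

# Constructed sample lines (timestamp already stripped); 192.0.2.0/24 is a documentation range.
ERRORS_LINE = "mail postfix/smtpd[4242]: too many errors after RCPT from unknown[192.0.2.10]"
# Constructed to fit the mdpr-proto/mdre-proto pair proposed above, not a captured Postfix line.
PROTO_LINE = "mail postfix/smtpd[4242]: Protocol error; from unknown[192.0.2.11]:51234"

if __name__ == "__main__":
    variants = [("stock", MDPR_NORMAL), ("newline", MDPR_NEWLINE), ("alternation", MDPR_ALTERNATION)]
    for name, mdpr in variants:
        print(name, find_host(ERRORS_LINE, mdpr, MDRE_FROM), find_host(PROTO_LINE, mdpr, MDRE_FROM))
```

In this model the newline variant matches neither line, including the one the unmodified value matched, while the alternation variant matches both; against a real filter, `fail2ban-regex` on the actual log file is the check to run.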