On 16/06/2024 08:23, Nick Howitt via Fail2ban-users wrote:
On 01/06/2024 09:29, Nick Howitt wrote:
On 01/06/2024 00:59, Alex wrote:
Hi,
> Ideally, I'd like to not have to modify that regexp and be able to add my own, much like what appears to be happening with mdre-errors.
You don't have to. Append your own rules in a new line and test your
changed rule file with
fail2ban-regex /log/file postfix
and it should reply with text output like
Yes, I understand that - I suppose it's the actual details of doing
that which I don't understand.
What's the difference between the pr and re rules? For example:
mdpr-errors = too many errors after \S+
mdre-errors = ^from [^[]*\[<HOST>\]%(_port)s$
I'm assuming the re version is the regexp necessary just to capture
the IP?
So to add a new rule, I would simply copy this format with a new
name, like:
mdpr-proto = Protocol error;
mdre-proto = ^from [^[]*\[<HOST>\]%(_port)s$
(One thing I never fixed was this: After editing my filter file,
previously working regexes started failing, e.g. they didn't match
any more - despite being unmodified.)
Did you change the mode to no longer include those other regexes?
mode = errors
Or specific in the jail.conf?
[postfix]
filter = postfix[mode=aggressive]
maxretry = 1
bantime = 48h
enabled = true
Thanks,
Alex
I find the postfix filters really hard to follow, but as far as I can
see, if you go down your route, you then need to activate your
protocol filters by building them into something like
mdpr-extra/mdre-extra or have another jail just calling "mode=proto".
Now, mdre-proto is already part of mdre-normal which seems to be
called by every filter so could be unnecessary. You could add a new
line to mdpr-normal if you wanted and your filter would work with
"mode = more", or you could adjust the mdpr-normal directly. Note
that to do an override, you generally leave the filter.d/postfix.conf
alone and create a filter.d/postfix.local. In it you could put:
[Definition]
# stock prefix with "Protocol error;" added as one more alternative in the same group
mdpr-normal = (?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+|Protocol error;)
Nick
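The two-stage matching Nick describes above (a mode-specific prefix regex first, then the mdre lines over what is left of the log line), as an added illustration that is not code from this thread or from fail2ban itself. It models the composition with plain Python re, using a simplified syslog prefix and a simplified <HOST> pattern (both assumptions), the mdpr-normal and two mdre-normal expressions quoted in the thread, and constructed log lines. It contrasts a prefix extended inside its alternation group with the same prefix written as a second option line:

```python
import re

# Simplified model of how fail2ban's postfix filter combines its pieces
# (an added illustration, not fail2ban's own code). The syslog prefix and
# <HOST> patterns below are assumptions chosen to keep the example short.
SYSLOG_PREFIX = r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"   # stands in for <HOST>
PORT = r"(?::\d+)?"                            # stands in for %(_port)s

# mdpr-normal as quoted in the thread, with "Protocol error;" added as one
# more alternative inside the single group.
MDPR_NORMAL = (r"(?:\w+: reject:|(?:improper command pipelining|too many errors)"
               r" after \S+|Protocol error;)")

# The same intent written as a second option line. configparser joins a
# continuation line to the value with "\n", so the prefix regex now demands a
# literal newline before "Protocol error;" on every line and nothing matches.
MDPR_NORMAL_WRAPPED = (r"(?:\w+: reject:|(?:improper command pipelining|too many errors)"
                       r" after \S+)" "\n" "Protocol error;")

# Two of the mdre-normal lines: each is tried separately against the content
# left after the prefix match, which is why mdre values may be multi-line.
MDRE_NORMAL = [
    r"^RCPT from [^[]*\[" + HOST + r"\]" + PORT + r": 55[04] 5\.7\.1\s",
    r"^from [^[]*\[" + HOST + r"\]" + PORT + r":?",
]

# Constructed sample log lines (RFC 5737 documentation addresses).
LOG = [
    "Jun 16 08:23:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.10]: 554 5.7.1 <user@example.com>: Relay access denied;",
    "Jun 16 08:23:02 mx postfix/smtpd[1234]: too many errors after AUTH from "
    "unknown[198.51.100.7]",
    "Jun 16 08:23:03 mx postfix/smtpd[1234]: Protocol error; from "
    "unknown[203.0.113.5]",
    "Jun 16 08:23:04 mx postfix/smtpd[1234]: connect from unknown[203.0.113.9]",
]


def build_prefregex(mdpr):
    """prefregex = ^<syslog prefix><mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$"""
    return re.compile(SYSLOG_PREFIX + mdpr + r" (?P<content>.+)$")


def find_host(line, mdpr=MDPR_NORMAL, mdre=MDRE_NORMAL):
    """Two-stage match: prefregex first, then each failregex line over the
    captured content. Returns the <HOST> capture or None."""
    m = build_prefregex(mdpr).search(line)
    if not m:
        return None
    content = m.group("content")
    for pattern in mdre:
        fm = re.search(pattern, content)
        if fm:
            return fm.group("host")
    return None


def scan(lines, mdpr=MDPR_NORMAL):
    """Hosts that would be reported as matched for the given prefix regex."""
    return [h for h in (find_host(line, mdpr) for line in lines) if h]


if __name__ == "__main__":
    print("single-line mdpr:", scan(LOG))                      # three hosts
    print("wrapped mdpr:    ", scan(LOG, MDPR_NORMAL_WRAPPED))  # nothing
```

The wrapped form is what a continuation line under mdpr-normal in postfix.local produces: the whole value, newline included, lands inside the single prefix regex, so even the previously working reject lines stop matching, which is the kind of silent breakage a run of fail2ban-regex against the log after every filter edit is there to catch.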
What are the log lines you are trying to match?
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
Never mind. I've seen your followup.
BTW, I can't crack it for the moment.