On 16/06/2024 09:33, Nick Howitt via Fail2ban-users wrote:

On 16/06/2024 08:23, Nick Howitt via Fail2ban-users wrote:


On 01/06/2024 09:29, Nick Howitt wrote:

On 01/06/2024 00:59, Alex wrote:

Hi,

    > Ideally, I'd like to not have to modify that regexp and be able to
    > add my own, much like what appears to be happening with mdre-errors.

    You don't have to. Append your own rules in a new line and test your
    changed rule file with

            fail2ban-regex /log/file postfix

    and it should reply with text output like


Yes, I understand that - I suppose it's the actual details of doing that which I don't understand.

What's the difference between the pr and re rules? For example:

mdpr-errors = too many errors after \S+
mdre-errors = ^from [^[]*\[<HOST>\]%(_port)s$

I'm assuming the re version is the regexp necessary just to capture the IP?

So to add a new rule, I would simply copy this format with a new name, like:

mdpr-proto = Protocol error;
mdre-proto = ^from [^[]*\[<HOST>\]%(_port)s$

    (One thing i never fixed was this: After editing my filter file,
    previously working regexes started failing, e. g. they didn't match
    any more - despite being unmodified.)


Did you change the mode to no longer include those other regexes?
mode = errors

Or specific in the jail.conf?

[postfix]
filter = postfix[mode=aggressive]
maxretry = 1
bantime = 48h
enabled = true

Thanks,
Alex

I find the postfix filters really hard to follow, but as far as I can see, if you go down your route, you then need to activate your protocol filters by building them into something like mdpr-extra/mdre-extra or have another jail just calling "mode=proto".

Now, mdre-proto is already part of mdre-normal which seems to be called by every filter so could be unnecessary. You could add a new line to mdpr-normal if you wanted and your filter would work with "mode = more", or you could adjust the mdpr-normal directly. Note that to do an override, you generally leave the filter.d/postfix.conf alone and create a filter.d/postfix.local. In it you could put:

[Definition]
mdpr-normal = (?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+)
              Protocol error;

Nick
What are the log lines you are trying to match?

Never mind. I've seen your followup.

BTW, I can't crack it for the moment.

OK so this isn't going to be quite so neat. You need to add a line:

   ^RCPT from [^[]*\[<HOST>\]%(_port)s:? 550 5\.5\.1 Protocol error;

to the mdre-normal section. Generally the recommended way is to create a postfix.local file, but this would need to contain:

   [Definition]

   mdre-normal=^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s
               ^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.\d+ (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
               ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.\d+ (<[^>]*>)?: Helo command rejected: Host not found\b
               ^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.\d+ (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
               ^(RCPT|VRFY) from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s
               ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.\d+ (<[^>]*>)?: Sender address rejected: Domain not found\b
               ^from [^[]*\[<HOST>\]%(_port)s:?
               ^RCPT from [^[]*\[<HOST>\]%(_port)s:? 550 5\.5\.1 Protocol error;

So you need to duplicate everything there then add your extra line.

Nick


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
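To see what the postfix.local override in the thread actually changes, here is an added Python example; it is not code from the thread or from the fail2ban project. It models the two-stage match that filter.d/postfix.conf performs: the mdpr-<mode> value is inserted into prefregex, which selects a log line and captures the remainder as its content, and the mdre-<mode> lines form the failregex list that is tried against that content. The mdpr-normal and mdre-normal values are the ones quoted in Nick's reply; the syslog prefix, the IPv4-only stand-in for <HOST>, and the sample log lines are constructed assumptions, and the HOST/PORT/PREFIX names, build_matcher and matched_hosts are this example's own.

```python
import re

# Assumption: an IPv4-only stand-in for fail2ban's <HOST> placeholder
# (the real one also covers IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# _port as quoted in the thread's filter: an optional ":port" suffix.
PORT = r"(?::\d+)?"
# Assumption: a simplified syslog prefix standing in for __prefix_line.
PREFIX = r"^\S+ +\d+ \d\d:\d\d:\d\d \S+ postfix/\w+\[\d+\]: "

# mdpr-normal as quoted in the thread: the "prefix" part that selects a line.
MDPR_NORMAL = r"(?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+)"

# mdre-normal as quoted in the thread, one entry per list item, without the new rule.
MDRE_NORMAL = [
    r"^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s",
    r"^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.\d+ (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)",
    r"^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.\d+ (<[^>]*>)?: Helo command rejected: Host not found\b",
    r"^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.\d+ (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b",
    r"^(RCPT|VRFY) from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s",
    r"^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.\d+ (<[^>]*>)?: Sender address rejected: Domain not found\b",
    r"^from [^[]*\[<HOST>\]%(_port)s:?",
]

# The extra line the thread adds for Postfix's "Protocol error" rejections.
PROTO_LINE = r"^RCPT from [^[]*\[<HOST>\]%(_port)s:? 550 5\.5\.1 Protocol error;"


def expand(pattern):
    """Substitute the two placeholders used in the filter file."""
    return pattern.replace("%(_port)s", PORT).replace("<HOST>", HOST)


def build_matcher(mdpr, mdre_lines):
    """Model the two-stage match: prefregex selects the line and captures the
    remainder; each failregex (one mdre line) is then tried against that remainder.
    The returned function yields the matched host, or None if the line is not a failure."""
    prefregex = re.compile(PREFIX + mdpr + r" (?P<content>.+)$")
    failregexes = [re.compile(expand(line)) for line in mdre_lines]

    def match(log_line):
        m = prefregex.match(log_line)
        if not m:
            return None
        content = m.group("content")
        for rx in failregexes:
            fm = rx.match(content)
            if fm:
                return fm.group("host")
        return None

    return match


def matched_hosts(matcher, log_lines):
    """Return the hosts that would be counted as failures, in log order."""
    return [h for h in (matcher(line) for line in log_lines) if h is not None]


# Constructed sample log lines (not from the thread); addresses are from TEST-NET-3.
SAMPLE_LOG = [
    "Jun 16 09:12:01 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: "
    "550 5.5.1 Protocol error; from=<a@example.com> to=<b@example.org> proto=ESMTP helo=<x>",
    "Jun 16 09:12:02 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.8]: "
    "554 5.7.1 Service unavailable; Client host [203.0.113.8] blocked",
    "Jun 16 09:12:03 mail postfix/smtpd[1234]: too many errors after RCPT from unknown[203.0.113.9]",
    "Jun 16 09:12:04 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: "
    "450 4.1.8 <x@y.invalid>: Sender address rejected: Domain not found; from=<x@y.invalid>",
    "Jun 16 09:12:05 mail postfix/smtpd[1234]: connect from unknown[203.0.113.11]",
]

# Before the override: the "Protocol error" line is selected by mdpr-normal, but no
# mdre-normal entry matches its content, so 203.0.113.7 is never counted.
match_before = build_matcher(MDPR_NORMAL, MDRE_NORMAL)
# After the override: the whole mdre-normal list is duplicated and the extra line appended.
match_after = build_matcher(MDPR_NORMAL, MDRE_NORMAL + [PROTO_LINE])

if __name__ == "__main__":
    print("before:", matched_hosts(match_before, SAMPLE_LOG))
    print("after: ", matched_hosts(match_after, SAMPLE_LOG))
```

Running it shows why the override has to repeat every existing mdre-normal line: a .local file replaces the whole value, so a file containing only the new Protocol error line would silently drop the other seven matches. The "connect from" line is rejected at the prefregex stage, which is the cheap filter mdpr provides before the per-line failregex list is tried.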
