Hello Marat,
On Thu, 17 May 2018, Marat Khalili wrote:
> 16.05.2018 21:09, Jody Whitesides wrote:
>> Actually there would be a few other attempts in between line 2 and 6
>> there. Thus, I'd like to create a filter that can figure out the hex thing
>> before the 'mta event' as that is what ties the first part's attempt to
>> the fact that it's failing. Then I'd like to ban that host, both the IPv4
>> and IPv6 ones that are doing whatever it is they're attempting to do.
> You can use multiline regular expressions for the hex part. Here's one
> example of how it is done (__machine, __pid1 and __pid2 all match among the
> lines):
> https://github.com/qm2k/burp_integration/blob/master/etc/fail2ban/filter.d/burp-auth.conf
Very interesting!
I did not know that Fail2ban could do that. This may indeed be the answer
for Jody. This does beg these questions, though:
* one for you: After Fail2ban has successfully matched the regex from line
#1 to line #6, will it resume log parsing at line #6 (next byte) or #7
(next line), or will it resume log parsing at line #2? For this solution
to work, it must be the latter.
* one for Jody: Is there a known max number of lines you can set, to be
matched by the multi-line regex? If not, you'll have to figure out a
compromise: too high and the performance will be degraded; too low and you
will miss occurrences.
> I'd also check your IPv6 connectivity (including ICMPv6) to the client; these
> timeouts are more likely caused by MTU problems than malicious intent.
I wouldn't know, but if you're right, this is indeed the _first_ thing to
check! :-)
Regards,
Yves.
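As an added illustration of the multi-line correlation Marat describes (this is example code written for this edit, not the contents of burp-auth.conf or any fail2ban code), the script below ties a "connect" line to a later "mta event" line through a shared hex id, using a named group plus a backreference over a bounded buffer of recent lines. The log format, hostname, session ids and addresses are constructed for the example; Jody's real log format is not on the page.

```python
import re
from collections import deque

# Constructed sample log for this example (not from the original thread).
# The line format, hostname, session ids and addresses are assumed; the
# idea is that a "connect" line carries a hex id, and the failure is only
# visible later in an "mta event" line that repeats the same id.
SAMPLE_LOG = """\
May 16 21:09:01 mx smtpd[4021]: connect from [203.0.113.7] id=1a2b3c4d
May 16 21:09:01 mx smtpd[4021]: connect from [2001:db8::bad] id=5e6f7a8b
May 16 21:09:02 mx smtpd[4021]: connect from [198.51.100.9] id=9c0d1e2f
May 16 21:09:03 mx smtpd[4021]: 9c0d1e2f: mta event: authenticated
May 16 21:09:05 mx smtpd[4021]: 1a2b3c4d: mta event: timeout after AUTH
May 16 21:09:06 mx smtpd[4021]: 5e6f7a8b: mta event: timeout after AUTH
"""

# Multi-line pattern: the first line captures the host (IPv4 or IPv6) and the
# hex id, any number of unrelated lines may follow, and the closing line must
# repeat the same id; the (?P=id) backreference is what ties the lines together.
FAILREGEX = re.compile(
    r"^.*connect from \[(?P<host>[0-9A-Fa-f:.]+)\] id=(?P<id>[0-9a-f]{8})$\n"
    r"(?:.*\n)*?"                       # intervening lines, matched lazily
    r"^.*\b(?P=id): mta event: timeout",
    re.MULTILINE,
)


def correlate(log_text, maxlines):
    """Return [(host, id), ...] for every connect line whose id later shows a
    timeout, keeping at most `maxlines` recent lines in the buffer (the role
    the window size plays here is what a fail2ban maxlines setting bounds)."""
    window = deque(maxlen=maxlines)
    reported = set()
    hits = []
    for line in log_text.splitlines():
        window.append(line)
        buf = "\n".join(window) + "\n"
        # Try the pattern anchored at every line start still in the buffer,
        # so an earlier connect line is not shadowed by a later match.
        pos = 0
        for entry in window:
            m = FAILREGEX.match(buf, pos)
            if m and m.group("id") not in reported:
                reported.add(m.group("id"))
                hits.append((m.group("host"), m.group("id")))
            pos += len(entry) + 1
    return hits


if __name__ == "__main__":
    for size in (10, 2):
        print(f"maxlines={size}: ban {correlate(SAMPLE_LOG, size)}")
```

With a window of 10 lines both timed-out sessions are attributed to their hosts (one IPv4, one IPv6) while the session that authenticated is left alone; with a window of 2 lines the connect lines have already been evicted when the "mta event" line arrives and nothing is matched, which is the compromise Jody raises above.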
_______________________________________________
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users