> But Tom’s answer is much better for a blanket whitelist in jail.conf | jail.local
> 
> https://www.fail2ban.org/wiki/index.php/Whitelist

Yes, I think so, for a whitelist.  And certainly easier to configure.  I'll try 
that next.
But, the original issue apparently remains.  Namely, that ignoreregex seems to 
be ignored in recidive.local


> Something(s) to consider though. The first regex works
> 
> > ignoreregex =   11\.11\.11\.11
> >                22\.22\.22\.22
> >                33\.33\.33\.33
> 
> so the second should be
> 
> > ignoreregex =   \[recidive\]\s+Ban\s+11\.11\.11\.11\s*$
> >                \[recidive\]\s+Ban\s+22\.22\.22\.22\s*$
> >                \[recidive\]\s+Ban\s+33\.33\.33\.33\s*$

I don't think so.  In my case, I wanted it to ignore previous bans from any 
filter, since more than one filter was triggered by these hosts.
BTW, these are trusted hosts that are testing for vulnerabilities.  So, they 
end up triggering a few different jails.

 
> as .* globs are very general (my original Perl / regex teachers were not
> fans) and are on a line-by-line match, it may be trimming, so it may be worth
> removing the \s* at the end.

Actually, I copied that format from the recidive failregex.  Anyway, as I said, 
both ignoreregex syntaxes that I tried worked fine in fail2ban-regex.  But both 
failed to actually work.

 
> if recidive is still causing issues then why not move backwards to using
> the original jail/filter that triggered the block as a holistic view; if
> you have definite IP addresses that are triggering the system then surely
> you don’t want to get any kind of ban, even a 5 minute one, implemented?

I did.  And, as I said, the ignoreregexes in the original jails work.
But by the time I started to ignore, the hosts had already been banned multiple 
times.  So, even though future bans were ignored, recidive triggered on the 
previous bans anyway (as it should).



> if you wanted to go down the regex route then an example from hacking my
> own nginx-botsearch.local would be
> 
> failregex = ^<HOST> \- \S+ \[\] \"(OPTIONS|PROPFIND) \S+ \S+\" (301|4(0|4)(0|4|5)) .+$
> 
> ignoreregex = ^<ips2ignore> \- \S+ \[\] \"(OPTIONS|PROPFIND) \S+ \S+\" (301|4(0|4)(0|4|5)) .+$
> 
> and under [Init] in botsearch-common.local
> 
> ips2ignore = (11\.11\.11\.11|22\.22\.22\.22|33\.33\.33\.33)

Interesting.  And I'll file that away for potential future use.
But for the original problem, I think it's as simple as:  if the ignoreregex 
tests OK in fail2ban-regex, then it should work for real.


> Tom’s answer is still the better one

Agreed, for a whitelist.  And I'll try that next.
But it doesn't address the root problem of ignoreregex not working in 
recidive.local

 
> Sorry for the long answer, just mulling over what you’re trying to achieve
> and considering the alternative angles.

It's much appreciated.  I learned several things!

But how do we get to the point where someone looks at the root problem?

Thanks,
Michael




_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
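As an added example (written here, not code from this thread or from fail2ban itself), the script below runs the three ignoreregex shapes discussed above over a few constructed fail2ban.log lines, applying them in the order the filter does: failregex first, then ignoreregex on the same line. The failregex is a simplified stand-in for recidive's shipped pattern, the `<HOST>` expansion is an IPv4-only approximation, and `<ips2ignore>` models a variable defined under `[Init]` as in the botsearch example; all three are assumptions for illustration.

```python
import re

# Constructed fail2ban.log lines for the example (not real log data).
# 11.11.11.11, 22.22.22.22 and 33.33.33.33 are the trusted tester hosts
# from the thread; 198.51.100.7 stands in for an untrusted host.
LOG_LINES = [
    "2017-03-01 10:00:01,123 fail2ban.actions [1234]: NOTICE [sshd] Ban 11.11.11.11",
    "2017-03-01 10:00:02,456 fail2ban.actions [1234]: NOTICE [nginx-botsearch] Ban 22.22.22.22",
    "2017-03-01 10:00:03,789 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.7",
    "2017-03-01 10:00:04,012 fail2ban.actions [1234]: NOTICE [recidive] Ban 33.33.33.33",
    "2017-03-01 10:00:05,345 fail2ban.actions [1234]: NOTICE [sshd] Unban 11.11.11.11",
]

# Simplified stand-in for filter.d/recidive.conf's failregex (an assumption, not
# the shipped pattern): any jail's "Ban <HOST>" line except recidive's own bans.
FAILREGEX = r"NOTICE\s+\[(?!recidive\])[^\]]+\]\s+Ban\s+<HOST>\s*$"

# Tag substitutions. <HOST> approximates fail2ban's IPv4 host capture; <ips2ignore>
# plays the role of a variable defined under [Init], as in the botsearch example.
TAGS = {
    "<HOST>": r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})",
    "<ips2ignore>": r"(11\.11\.11\.11|22\.22\.22\.22|33\.33\.33\.33)",
}

# Variant 1: bare addresses, matched anywhere on the line (any jail's ban).
IGNORE_ANY_JAIL = r"""
11\.11\.11\.11
22\.22\.22\.22
33\.33\.33\.33
"""

# Variant 2: anchored on "[recidive] Ban", the shape suggested in the quoted reply.
IGNORE_RECIDIVE_ONLY = r"""
\[recidive\]\s+Ban\s+11\.11\.11\.11\s*$
\[recidive\]\s+Ban\s+22\.22\.22\.22\s*$
\[recidive\]\s+Ban\s+33\.33\.33\.33\s*$
"""

# Variant 3: one pattern using the <ips2ignore> tag, any jail's ban of a listed host.
IGNORE_VIA_TAG = r"\]\s+Ban\s+<ips2ignore>\s*$"


def expand(pattern):
    """Replace <tag> placeholders the way fail2ban expands its own tags."""
    for tag, value in TAGS.items():
        pattern = pattern.replace(tag, value)
    return pattern


def parse_ignoreregex(text):
    """A multi-line ignoreregex value is one pattern per non-empty line."""
    return [re.compile(expand(line.strip())) for line in text.splitlines() if line.strip()]


def find_bans(lines, failregex, ignoreregex):
    """Mimic the filter's matching order: failregex first, then ignoreregex on the
    same line.  Returns (counted_hosts, ignored_hosts) in log order."""
    fail = re.compile(expand(failregex))
    ignores = parse_ignoreregex(ignoreregex)
    counted, ignored = [], []
    for line in lines:
        m = fail.search(line)
        if not m:
            continue  # not a failure line at all; ignoreregex is never consulted
        host = m.group("host")
        if any(ig.search(line) for ig in ignores):
            ignored.append(host)
        else:
            counted.append(host)
    return counted, ignored


if __name__ == "__main__":
    for name, ig in [("any jail", IGNORE_ANY_JAIL),
                     ("[recidive] only", IGNORE_RECIDIVE_ONLY),
                     ("<ips2ignore> tag", IGNORE_VIA_TAG)]:
        counted, ignored = find_bans(LOG_LINES, FAILREGEX, ig)
        print(f"{name:18} counted={counted} ignored={ignored}")
```

Running it shows why the two sides of the thread differ: the lines recidive reads are other jails' "Ban" lines, so the bare-address variant and the `<ips2ignore>` variant both suppress the trusted hosts and leave only 198.51.100.7 to be counted, while the `[recidive]`-anchored variant suppresses nothing, because recidive's own ban lines are already excluded by the failregex. This is the same ordering fail2ban-regex exercises when it reports ignoreregex hits; it does not reproduce or diagnose the daemon-side problem reported in the thread, and for a plain whitelist the `ignoreip` route from the linked wiki page remains the simpler choice.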