I have been using csf/lfd as my firewall for several years on several
versions of CentOS, currently CentOS7. I am using several ipset-managed
blocklists supported directly by csf. Some of these are fairly huge
(such as whole country blocks), and it changes them in fractions of a
second. Very happy with everything it does.
However, csf syntax for custom regex applied to logs is relatively
clumsy and error-prone, so I have installed fail2ban in hopes of using
that for custom log-based bans.
For my initial testing I have set up one jail and a corresponding
filter. (I found that all very simple.)
My intent:
On filter matches, immediately ban the host IP for one full day. Use
ipset to implement the bans.
The test case basically watches my exim reject.log (using inotify) and
unerringly finds the naughty hosts I want to ban.
My setup:
jail.local has:
[exim-reject]
mode = normal
port = smtp,ssmtp
logpath = /var/log/exim/reject.log
filter = exim-reject
maxmatches = 1
maxretry = 1
backend = auto
bantime = 1d
banaction = iptables-ipset-proto6
enabled = true
And exim-reject.conf contains:
[INCLUDES]
before = exim-common.conf
[Definition]
failregex = <HOST> is listed at zen.spamhaus.org
            \[<HOST>\]:25 dropped: too many syntax or protocol errors
The contents of fail2ban.log indicate everything is working. It says it
found the lines I expected it to find, and has issued bans (and unbans a
day later).
However, when I list the ipset sets on the console, the only sets listed
are those managed by csf. Clearly I have implemented something
incorrectly. I am hoping somebody on the list can set me straight. Is it
possibly a permissions problem?
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
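As an added check that is not part of the original post: a small Python stand-in for `fail2ban-regex` that expands the `<HOST>` tag and runs the two failregex lines from the quoted exim-reject.conf over constructed reject.log lines, so the filter half of the setup can be verified separately from the ipset action. The `<HOST>` expansion is a simplified assumption (fail2ban's real tag also covers IPv6), and the sample log lines are constructed, not real traffic.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: fail2ban's
# own expansion is broader and also accepts IPv6 addresses). This one
# captures an IPv4 address or hostname into the "host" group.
HOST_TAG = r"(?P<host>[\w\-.]*\w)"

# failregex lines from the exim-reject.conf quoted in the post. fail2ban
# treats each (indented continuation) line as an independent regex.
FAILREGEX = [
    r"<HOST> is listed at zen.spamhaus.org",
    r"\[<HOST>\]:25 dropped: too many syntax or protocol errors",
]


def compile_failregex(patterns):
    """Expand <HOST> in every pattern and compile it, one regex per line."""
    return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in patterns]


def match_hosts(lines, compiled):
    """Return (line_no, host, pattern_index) for every log line a failregex hits.

    Like fail2ban, stop at the first failregex that matches a given line.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for i, rx in enumerate(compiled):
            m = rx.search(line)
            if m:
                hits.append((n, m.group("host"), i))
                break
    return hits


# Constructed sample lines in the shape of exim's reject.log (documentation
# address ranges, no real hosts). Line 3 is a rejection neither regex targets.
SAMPLE_LOG = [
    "2024-01-01 10:00:01 H=(example.invalid) [203.0.113.10] F=<x@example.invalid> "
    "rejected RCPT <a@example.net>: 203.0.113.10 is listed at zen.spamhaus.org",
    "2024-01-01 10:00:05 SMTP call from (example.invalid) [198.51.100.7]:25 dropped: "
    "too many syntax or protocol errors (last command was \"XYZ\")",
    "2024-01-01 10:00:09 H=mail.example.org [192.0.2.44] rejected RCPT <b@example.net>: "
    "relay not permitted",
]

if __name__ == "__main__":
    for line_no, host, idx in match_hosts(SAMPLE_LOG, compile_failregex(FAILREGEX)):
        print(f"line {line_no}: failregex #{idx + 1} matched host {host}")
```

With maxretry = 1 each reported host would be banned on its first match; if this reports the hosts you expect but `ipset list -n` shows no fail2ban set, the filter is fine and the problem lies in the action side.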