I'm using fail2ban on my debian-8-based host. I have several separate jails for detecting attacks on my SMTP server, and I would like to combine them into one single jail. Each of these jails utilizes a filter with a single failregex line, and this is working for me to detect these attacks. However, when I try to combine these into a single jail and a single filter with multiple failregex lines, the attacks are no longer being detected.
Here is a summary of the multiple-jail-multiple-filter setup which is currently working:
## from the 'postfixauth.conf' filter for the 'postfixauth' jail ...
failregex = ^.*lost connection after AUTH from unknown\[<HOST>\].*$
## from the 'postfixconcur.conf' filter for the 'postfixconcur' jail ...
failregex = ^.*concurrency limit exceeded:.*from unknown\[<HOST>\].*$
## from the 'postfixconnect.conf' filter for the 'postfixconnect' jail ...
failregex = ^.*(timeout|lost connection) after (RSET|AUTH|CONNECT|EHLO|STARTTLS) from unknown\[<HOST>\].*$
## from the 'postfixresolve.conf' filter for the 'postfixresolve' jail ...
failregex = ^.*hostname \S+ does not resolve to address +<HOST>.*$
## from the 'postfixsasl.conf' filter for the 'postfixsasl' jail ...
failregex = ^.*unknown\[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed.*$
## from the 'postfixssl.conf' filter for the 'postfixssl' jail ...
failregex = ^.*SSL_accept error from unknown\[<HOST>\].*$
However, if I replace those six separate jails with a single jail with the following failregex in its filter file, it doesn't seem to be blocking those attacks:
## from the 'postfix.conf' filter for the 'postfix' jail ...
failregex = ^.*lost connection after AUTH from unknown\[<HOST>\].*$
            ^.*concurrency limit exceeded:.*from unknown\[<HOST>\].*$
            ^.*(timeout|lost connection) after (RSET|AUTH|CONNECT|EHLO|STARTTLS) from unknown\[<HOST>\].*$
            ^.*hostname \S+ does not resolve to address +<HOST>.*$
            ^.*unknown\[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed.*$
            ^.*SSL_accept error from unknown\[<HOST>\].*$
My understanding (which might be mistaken) is that multiple failregex lines are legal, and that they are OR'ed together; i.e., if any given line in the log file matches one or more of these regexes, then the line is considered to match and to signal a "fail".
Assuming that my understanding is correct, can anyone see what is wrong with the way in which I'm doing this?
Thank you in advance.
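As an added example (not part of the question or the answer, and not fail2ban's own code), the following Python script reproduces what fail2ban does with a filter that carries several failregex lines: each line has `<HOST>` replaced by fail2ban's host pattern, the patterns are tried in order against every log line, and the first one that matches both flags the line as a failure and captures the offending host, which is then counted against the jail's maxretry. The log lines are constructed samples using documentation address ranges, and the `<HOST>` expansion is the one used by the 0.8/0.9 series (an assumption for other versions). One detail worth checking in a real filter file: the second and later failregex lines must be indented, otherwise the config parser does not treat them as continuations of the same option.

```python
import re
from collections import Counter

# fail2ban replaces the <HOST> tag with this named group before compiling a
# failregex (expansion used by the 0.8/0.9 series; assumed for other versions).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The six failregex lines from the combined 'postfix' filter in the question.
FAILREGEX = [
    r"^.*lost connection after AUTH from unknown\[<HOST>\].*$",
    r"^.*concurrency limit exceeded:.*from unknown\[<HOST>\].*$",
    r"^.*(timeout|lost connection) after (RSET|AUTH|CONNECT|EHLO|STARTTLS) from unknown\[<HOST>\].*$",
    r"^.*hostname \S+ does not resolve to address +<HOST>.*$",
    r"^.*unknown\[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed.*$",
    r"^.*SSL_accept error from unknown\[<HOST>\].*$",
]

# Constructed sample log lines in postfix/smtpd style (not real traffic).
SAMPLE_LOG = [
    "Jan 10 03:21:07 mail postfix/smtpd[1234]: lost connection after AUTH from unknown[203.0.113.7]",
    "Jan 10 03:21:09 mail postfix/smtpd[1234]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure",
    "Jan 10 03:21:11 mail postfix/smtpd[1234]: warning: hostname bad.example does not resolve to address 192.0.2.44: Name or service not known",
    "Jan 10 03:21:12 mail postfix/smtpd[1234]: connect from mail.example.net[192.0.2.1]",
    "Jan 10 03:21:15 mail postfix/smtpd[1234]: SSL_accept error from unknown[203.0.113.7]: lost connection",
]


def compile_filter(patterns):
    """Expand <HOST> in every failregex and compile it, preserving order."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def match_line(compiled, line):
    """Try each failregex in turn (they are OR'ed). Return (pattern index, host)
    for the first pattern that matches, or None when the line is not a failure."""
    for index, regex in enumerate(compiled):
        m = regex.search(line)
        if m:
            return index, m.group("host")
    return None


def scan_log(lines, patterns=FAILREGEX):
    """Count failures per host over a list of log lines, as a jail would."""
    compiled = compile_filter(patterns)
    counts = Counter()
    for line in lines:
        hit = match_line(compiled, line)
        if hit:
            counts[hit[1]] += 1
    return dict(counts)


def hosts_to_ban(lines, maxretry=2, patterns=FAILREGEX):
    """Hosts whose failure count reached the jail's maxretry threshold."""
    return {host for host, n in scan_log(lines, patterns).items() if n >= maxretry}


if __name__ == "__main__":
    compiled = compile_filter(FAILREGEX)
    for line in SAMPLE_LOG:
        hit = match_line(compiled, line)
        print("failregex %s host=%s | %s" % (hit[0] if hit else "-",
                                           hit[1] if hit else "-", line[:70]))
    print("per-host counts:", scan_log(SAMPLE_LOG))
    print("would ban (maxretry=2):", hosts_to_ban(SAMPLE_LOG))
```

Running it shows one benign `connect from` line matching nothing and the repeated address reaching the threshold. fail2ban ships the same kind of check as the `fail2ban-regex` tool, which takes a log file and a filter file and reports which lines matched which pattern; when a combined filter appears silent, running it separates a regex problem from a problem elsewhere in the ban path (such as the firewall not being loaded).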
It turns out that the problem I was having was unrelated to the change of multiple filters into a single filter with multiple failregex lines. I had an unrelated problem on my machine which occurred around the same time, which I originally overlooked, and I mistakenly thought that the fail2ban filter was faulty. After fixing the unrelated problem and restarting everything, the multi-line regex that I show above is indeed working.
UPDATE: To give more detail, the problem had nothing to do with fail2ban. Around the same time that I made the change to a multiline regex, I accidentally ran /etc/init.d/iptables off instead of /etc/init.d/iptables stop. This caused iptables not to start up after reboot, and all my fail2ban rules had no effect. Once I realized this error and started up iptables properly, the multi-line regex worked fine.