fail2ban/config/filter.d/named-refused.conf

35 lines
1.1 KiB
Plaintext
Raw Normal View History

2007-08-14 23:15:50 +00:00
# Fail2Ban configuration file for named (bind9). Trying to generalize the
# structure which is general to capture general patterns in log
# lines to cover different configurations/distributions
#
# Author: Yaroslav Halchenko
#
# $Revision: 608 $
#
[Definition]
# if you want to catch only login erros from specific daemons, use smth like
#_named_rcodes=(?:REFUSED|SERVFAIL)
# To catch all REFUSED queries only
_named_rcodes=REFUSED
_daemon=named
#
# Shortcuts for easier comprehension of the failregex
__pid_re=(?:\[\d+\])
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
# hostname daemon_id spaces
# this can be optional (for instance if we match named native log files)
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = %(__line_prefix)sunexpected RCODE \(%(_named_rcodes)s\) resolving '.*': <HOST>#\S+$
%(__line_prefix)sclient <HOST>#\S+: query(?: \(cache\))? '.*' denied\s*$