diff --git a/ChangeLog b/ChangeLog
index 633bebbb..b68e7ddc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -66,6 +66,7 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests and extra failure examples in sample logs * filter.d/apache-auth - added expressions for mod_authz, mod_auth and mod_auth_digest failures. + * filter.d/recidive -- support f2b syslog target and anchor regex at start Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий * filter.d/exim.conf -- regex hardening and extra failure examples in sample logs
diff --git a/config/filter.d/recidive.conf b/config/filter.d/recidive.conf
index bbb48008..5d1ab0dd 100644
--- a/config/filter.d/recidive.conf
+++ b/config/filter.d/recidive.conf
@@ -15,8 +15,18 @@
 # for most jails, and shorewall for this one).
 #
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
 [Definition]
+_daemon = fail2ban.actions
+
+
 # The name of the jail that this filter is used for. In jail.conf, name the
 # jail using this filter 'recidive', or change this line!
 _jailname = recidive
@@ -28,11 +38,11 @@ _jailname = recidive
 # (?:::f{4,6}:)?(?P\S+)
 # Values: TEXT
 #
-failregex = fail2ban.actions:\s+WARNING\s+\[(?:.*)\]\s+Ban\s+
+failregex = ^(%(__prefix_line)s|,\d{3} fail2ban.actions:\s+)WARNING\s+\[(?:.*)\]\s+Ban\s+
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
 # Values: TEXT
 #
 # Ignore our own bans, to keep our counts exact.
-ignoreregex = fail2ban.actions:\s+WARNING\s+\[%(_jailname)s\]\s+Ban\s+
+ignoreregex = ^(%(__prefix_line)s|,\d{3} fail2ban.actions:\s+)WARNING\s+\[%(_jailname)s\]\s+Ban\s+
diff --git a/testcases/files/logs/recidive b/testcases/files/logs/recidive
index cf6df933..6af85137 100644
--- a/testcases/files/logs/recidive
+++ b/testcases/files/logs/recidive
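Review bot: `_daemon = fail2ban.actions` carries an unescaped dot, and since failregex now relies on `%(__prefix_line)s`, the value is presumably interpolated into a regular expression by common.conf, where `.` matches any character rather than a literal period; `_daemon = fail2ban\.actions` is the precise form, and the same unescaped dot appears in the `,\d{3} fail2ban.actions:\s+` alternative of both expressions in the second hunk of this file. The new key is also the only setting in `[Definition]` without a comment, unlike `_jailname` just below it; a one-liner such as `# program name the fail2ban daemon logs under; picked up by %(__prefix_line)s from common.conf` would keep the section self-describing. The two blank lines after `_daemon` are also out of step with the single-blank spacing used elsewhere in the hunk.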
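Review bot: `\[(?:.*)\]` in the new failregex wraps a greedy dot in a redundant non-capturing group, so it can run past a `]` and swallow text beyond the jail-name field before backtracking to the last bracket; `\[[^\]]+\]` (or `\[\S+\]`) stops at the closing bracket and matches the bracket structure that ignoreregex already pins with `\[%(_jailname)s\]`. Both expressions are now anchored at the start but not at the end; many fail2ban filters close with `\s*$` after the host tag, which rejects trailing garbage and is cheap to add here — the host tag itself does not survive in this rendering, so verify the actual tail of the line before appending it. Note also that `%(_jailname)s` is interpolated raw into ignoreregex, so a custom jail name containing regex metacharacters would be read as a pattern rather than a literal.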
@@ -4,3 +4,7 @@
 2006-02-13 16:07:31,183 fail2ban.actions: WARNING [sendmail] Unban 1.2.3.4
 # failJSON: { "match": false }
 2006-02-13 15:52:30,388 fail2ban.actions: WARNING [recidive] Ban 1.2.3.4
+# syslog example
+# failJSON: { "time": "2004-09-16T00:44:55", "match": true , "host": "10.0.0.7" }
+Sep 16 00:44:55 spaceman fail2ban.actions: WARNING [jail] Ban 10.0.0.7
+
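Review bot: The added syslog sample only exercises the match path; there is no syslog-format line for the filter's own jail (`[recidive]`) expected to be ignored, so the `%(__prefix_line)s` branch of the new ignoreregex has no coverage, whereas the existing `[recidive] Ban 1.2.3.4` sample with `"match": false` shows the harness does honour ignoreregex for the old format. Adding `# failJSON: { "match": false }` followed by a line adapted from the new sample, `Sep 16 00:44:56 spaceman fail2ban.actions: WARNING [recidive] Ban 10.0.0.7`, would pin that behaviour for the syslog target as well. The trailing blank `+` line at the end of the hunk also introduces an empty line into the fixture that the earlier samples do not have.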