On 25-11-16 14:05, [email protected] wrote:
> On 2016-11-24 21:47 Tom Hendrikx wrote:
>>
>> You made a typo in the config file, which made fail2ban fail on an
>> earlier restart. The logrotate just tripped over the fact that f2b
>> wasn't running some days later.
>>
>> Please show us your jail and filter config for the postfix-disc jail,
>> but my first guess would be that you set up the jail using
>>
>> logfile=%(syslog_mail)s
>>
>> but the variable 'syslog_mail' is not defined anywhere.
>>
>> Kind regards,
>> Tom
>
> Well Tom!
> I've changed in "/etc/fail2ban/jail.conf"
>
> from
> logfile=%(syslog_mail)s
>
> to
> logpath = /var/log/mail.log
>
> then I've added the filter for postfix-disc:
>
> [postfix-disc]
>
> filter = postfix-disc
>
>
> Now some errors remain in /etc/fail2ban/filter.d/postfix-disc.conf:
>
> nov 25 12:47:10 server fail2ban[32404]: ERROR Failed during
> configuration: File contains parsing errors:
> /etc/fail2ban/filter.d/postfix-disc.conf
> nov 25 12:47:10 server fail2ban[32404]: [line 12]:
> '(AUTH|STARTTLS|NOOP|EHLO|RCPT|UNKNOWN) from .*\\..*\\[<HOST>\\]$\n'
> nov 25 12:47:10 server fail2ban[32404]: [line 13]:
> '^%(__prefix_line)sdisconnect from unknown\\[<HOST>\\]$\n'
> nov 25 12:47:10 server fail2ban[32404]: failed!
>
>
> This is my postfix-disc.conf:
>
>
> # Fail2Ban filter for postfix lost connections
> #
> [INCLUDES]
>
> before = common.conf
>
> [Definition]
>
> _daemon = postfix/smtpd
>
> failregex = ^%(__prefix_line)slost connection after
> (AUTH|STARTTLS|NOOP|EHLO|RCPT|UNKNOWN) from .*\..*\[<HOST>\]$
> ^%(__prefix_line)sdisconnect from unknown\[<HOST>\]$

This part is messed up. It should probably be something like:

failregex = ^%(__prefix_line)slost connection after (AUTH|STARTTLS|NOOP|EHLO|RCPT|UNKNOWN) from .*\..*\[<HOST>\]$
            ^%(__prefix_line)sdisconnect from unknown\[<HOST>\]$

Note: these are two lines, not three (watch for wrapping lines)! First
line contains the complete regex for 'lost connection after AUTH ...
[<HOST>]$', the next line is indented, and contains the regex for
'disconnect from unknown...'.

IMHO the second regex should not be monitored by f2b, but that's your call.

Kind regards,
Tom

>
> ignoreregex =
>
> # Author: Nick Howitt
>
>
> many many thanks for your help! :-)
>
>
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>
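
The wrapping problem discussed in this thread, reproduced as an added example that is not part of the original messages. It assumes Python's standard configparser as a stand-in for fail2ban's config reader (the "File contains parsing errors" text in the log is that parser's message); the filter text is constructed from the quoted postfix-disc.conf, so the rejected line numbers differ from the 12 and 13 in the log.

```python
import configparser

# Constructed filter text, modelled on the postfix-disc.conf quoted in the thread.
HEAD = "[Definition]\n_daemon = postfix/smtpd\nfailregex = "
TAIL = "\nignoreregex =\n"
PART_A = r"^%(__prefix_line)slost connection after"
PART_B = r"(AUTH|STARTTLS|NOOP|EHLO|RCPT|UNKNOWN) from .*\..*\[<HOST>\]$"
RE_LOST = PART_A + " " + PART_B
RE_DISC = r"^%(__prefix_line)sdisconnect from unknown\[<HOST>\]$"

# 1. As wrapped by a mail client: continuation lines start in column 0.
WRAPPED = HEAD + "\n".join([PART_A, PART_B, RE_DISC]) + TAIL
# 2. Wrapped lines indented without rejoining: parses, but yields three fragments.
INDENTED_WRAP = HEAD + "\n    ".join([PART_A, PART_B, RE_DISC]) + TAIL
# 3. Corrected: one complete regex per line, the second line indented.
FIXED = HEAD + "\n            ".join([RE_LOST, RE_DISC]) + TAIL


def check_filter(text):
    """Return (failregex entries, line numbers rejected by the parser)."""
    parser = configparser.RawConfigParser()  # raw: leave %(...)s uninterpolated
    try:
        parser.read_string(text)
    except configparser.ParsingError as err:
        # err.errors holds (line number, repr of offending line) pairs
        return [], [lineno for lineno, _ in err.errors]
    value = parser.get("Definition", "failregex")
    return [line for line in value.splitlines() if line.strip()], []


if __name__ == "__main__":
    for name, text in [("wrapped", WRAPPED), ("indented wrap", INDENTED_WRAP),
                       ("fixed", FIXED)]:
        regexes, bad = check_filter(text)
        print(f"{name}: {len(regexes)} regex(es), rejected lines {bad}")
```

The second case is the one to watch for: indenting the wrapped lines silences the parse error, but the first regex is then split into two fragments that never match a real log line.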