Multiple Entries for the same log.

[bigstusexy]

Hello,

I've started with IPBan and I have it going (not sure it's pulling the global list correctly but that's fine, don't feel like checking too much either)

My question is that for two reasons I want to create a different set of matches that block differently. I believe the global fail rate is 5, I want these to work immediately. So my thought was to create a second app, reading the same logs, with only these new match rules but override the fail rate to one. Is this acceptable?

The reasons are that I'm using mailenable, and I started banning address on my own. I could just unban them all and let IPBan just handle it, or I could do this with new rules that say ban everything that comes up with that entry.

The second is that I see entries that are http GET requests. I believe these are just tests, either by third party scanners or automated. Either way, there is no reason to send an HTTP request to the SMTP port.

I'll have to go back and look at the information too but I would also want to change the ban length too. Most of these entries will have a good amount of time between retires.

[jjxtra]

Running two instances of ipban is not supported. What do you want two different block rates for the same log file? You could use junctions to map the log file to a different folder if you really need it, but I'm unsure of the reason for two different thresholds.

[bigstusexy]

Oh, I don't mean running it twice!

I thought that you can only specify the fail rate is per app in the config file, so make a second app entry, in the config file, reading the same logs but with a different match pattern and overridden fail rate.

The reason for it is that I'd like to have IPBan take over for IPs I've already blocked but not let them see any success, and that some attacks I think are "are you there" type scans. They will be low rate but maybe not single connections. If I can start blocking those as well, I think it will keep latter attacks from happening.