
One of our clients has a wrongly configured device which sends a wrong username. He cannot find the device, so fail2ban keeps blocking him. When we add the IP to the whitelist it works, but he gets banned again when his router sets a new IP address.

So my idea was to set up a fail2ban filter to ignore his specific username in Postfix and Dovecot.

What would such a filter look like?

MrYeti

1 Answer


This is not a filter that you need, but rather an ignoreregex in the jail configuration (one per jail, dovecot or postfix).

Note that how the regex may look depends on how the log line (which causes the ban) looks.
If your log line (which causes the ban) looks, for example, like this:

... auth-worker(123): Info: sql(certain-user@example.de,192.0.2.1,<sessionid>): unknown user

you can add the following config to the jail (in your jail.local):

[dovecot]
...
_ignore_users = (?:certain-user|some-user|another-user)@example.de
ignoreregex = sql\(%(_ignore_users)s,[^\)]*\): unknown user$
...

And fail2ban would stop banning such users if the ban occurs only because of this kind of message; otherwise you have to write an ignoreregex for several message formats.


Just by the way:

One of our clients has a wrongly configured device which sends a wrong username. He cannot find the device...

His system, e.g. some of his hosts, may be part of some botnet (always trying a brute-force for some single username), so it is probably not advisable to whitelist him.

When we add the IP to the whitelist it works, but he gets banned again when his router sets a new IP address

If he has some kind of DynDNS (or can configure it in his router), you can add its FQDN to ignoreip instead of the IP.

sebres
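The following Python script is an added example to check the answer's ignoreregex offline; it is not fail2ban code and not part of the original answer. It reads the jail.local fragment from the answer with Python's configparser (whose %(name)s interpolation behaves like fail2ban's for this purpose), then runs constructed sample log lines through two simplified stand-in failregex patterns and the ignoreregex, the way fail2ban does: ignoreregex is consulted only for a line that a failregex already matched. The dovecot failregex patterns, the imap-login log format, the second jail fragment with a two-line ignoreregex and all log lines are assumptions made for the demonstration, not copied from fail2ban's filter.d/dovecot.conf. The fourth sample line illustrates the answer's caveat: a failure logged in a format the ignoreregex does not cover still gets the user banned until a second ignoreregex line is added for that format.

```python
"""Offline check of a fail2ban-style ignoreregex (added example; not fail2ban code)."""
import configparser
import re

# Constructed jail.local fragment, as in the answer above (not a real file).
JAIL_LOCAL = """
[dovecot]
enabled = true
_ignore_users = (?:certain-user|some-user|another-user)@example.de
ignoreregex = sql\\(%(_ignore_users)s,[^\\)]*\\): unknown user$
"""

# Same jail with a second ignoreregex line for the imap-login failure format
# (assumption: the real dovecot filter also bans on that format; fail2ban takes
# one regex per line, continuation lines indented).
JAIL_LOCAL_EXTENDED = """
[dovecot]
enabled = true
_ignore_users = (?:certain-user|some-user|another-user)@example.de
ignoreregex = sql\\(%(_ignore_users)s,[^\\)]*\\): unknown user$
              user=<%(_ignore_users)s>, method=\\S+, rip=
"""

# Simplified stand-ins for two dovecot failregex patterns (assumption: the real
# /etc/fail2ban/filter.d/dovecot.conf is broader). fail2ban substitutes <HOST>
# with an address pattern; HOST plays that role here.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEXES = [
    re.compile(r"sql\([^,]+," + HOST + r",[^\)]*\): unknown user$"),
    re.compile(r"imap-login: Disconnected \(auth failed, \d+ attempts in \d+ secs\): "
               r"user=<[^>]+>, method=\S+, rip=" + HOST),
]

# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    "Jan 10 12:00:01 mx dovecot: auth-worker(123): Info: sql(certain-user@example.de,192.0.2.1,<s1>): unknown user",
    "Jan 10 12:00:02 mx dovecot: auth-worker(123): Info: sql(admin@example.de,203.0.113.7,<s2>): unknown user",
    "Jan 10 12:00:03 mx dovecot: auth-worker(123): Info: sql(some-user@example.de,192.0.2.1,<s3>): unknown user",
    "Jan 10 12:00:04 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
    "user=<certain-user@example.de>, method=PLAIN, rip=192.0.2.1, lip=192.0.2.200, TLS",
]


def load_ignoreregexes(jail_local_text, jail="dovecot"):
    """Read ignoreregex from a jail section, expanding %(name)s like fail2ban does.
    Returns one compiled-ready pattern string per non-empty line."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cp.read_string(jail_local_text)
    raw = cp.get(jail, "ignoreregex")
    return [ln.strip() for ln in raw.splitlines() if ln.strip()]


def classify(lines, ignoreregexes):
    """Return {'banned': [host, ...], 'ignored': [host, ...]} in log order.
    As in fail2ban, ignoreregex is only consulted for lines a failregex matched."""
    ignores = [re.compile(p) for p in ignoreregexes]
    result = {"banned": [], "ignored": []}
    for line in lines:
        for failregex in FAILREGEXES:
            m = failregex.search(line)
            if not m:
                continue
            host = m.group("host")
            bucket = "ignored" if any(i.search(line) for i in ignores) else "banned"
            result[bucket].append(host)
            break
    return result


if __name__ == "__main__":
    for name, cfg in (("answer's config", JAIL_LOCAL), ("extended config", JAIL_LOCAL_EXTENDED)):
        print(name, classify(SAMPLE_LOG, load_ignoreregexes(cfg)))
```

With the answer's single ignoreregex, the two sql(...) lines for the listed users are ignored, admin@example.de's host is banned, and the imap-login line still bans 192.0.2.1; the extended config ignores that line too. Two practical notes: an ignoreregex set in the jail section overrides any ignoreregex the filter file defines, and fail2ban-regex accepts an ignoreregex as its third positional argument, so the pattern can be checked against the real mail log before editing jail.local.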