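# Fail2Ban filter for named (bind9) query logs.
#
# Matches "IN ANY" queries with EDNS for ripe.net / isc.org, a query pattern
# typically associated with DNS amplification abuse. The prefix regexes are
# kept general so that log lines from different configurations and
# distributions are covered.
#
# Author: Yaroslav Halchenko
#
# $Revision: 730 $
#

[Definition]

#
# Daemon name
_daemon=named

#
# Shortcuts for easier comprehension of the failregex

# Optional "[pid]" suffix written by syslog.
__pid_re=(?:\[\d+\])
# Daemon name, optionally wrapped in parentheses and/or followed by "(something)".
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
# Either order of pid and daemon name.
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)

# hostname daemon_id spaces
# this can be optional (for instance if we match named native log files)
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?

# Option:  failregex
# Notes.:  regex to match "IN ANY" queries for ripe.net or isc.org in the
#          named query log. The <HOST> tag marks the client address that
#          fail2ban extracts and bans; a failregex without it cannot yield
#          an address. Dots in the domain names are escaped so that they
#          match only a literal ".".
#          These lines are only written when named query logging is enabled.
# Caveat:  DNS queries normally arrive over UDP, where the source address
#          can be forged. The logged client may therefore be the target of
#          a reflection attack rather than the sender, and a ban then blocks
#          that target from this server. Keep bantime short, list trusted
#          resolvers in the jail's ignoreip, and prefer response rate
#          limiting in named itself as the primary control.
# Values:  TEXT
#
failregex = %(__line_prefix)sclient <HOST>#.+: query: (ripe\.net|isc\.org) IN ANY \+ED*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =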