From: René B. <rb...@ca...> - 2011-01-22 23:05:59
On 1/22/2011 3:05 PM, dho...@ne... wrote:
[snip]
> USERDEF_FAILED_ENTRY_REGEX=.*USER (?P<user>.*):.* from ::ffff:(?P<host>.*) \[.*

Try:

USERDEF_FAILED_ENTRY_REGEX=USER (?P<user>\S+): no such user .* (?P<host>\[\S+\]) to .*

> Log entries look like this:
>
> Jan 22 21:15:48 www proftpd[20397]: 192.168.x.y
> (::ffff:288.22.132.59[::ffff:188.22.132.59]) - USER ab12312b321: no such
> user found from ::ffff:288.22.132.59 [::ffff:288.22.132.59] to
> ::ffff:192.168.y.y:21
>
> The regular expression is matching fine, tested here:
> http://www.regular-expressions.info/reference.html

Regular expressions and Python regular expressions are not the same.

More important, even if it matched, how do you know that it doesn't match valid users? (i.e. your expression is too general) And it definitely doesn't match password attacks with existing users' names (they try root, admin, apache, webmaster, oracle, ... many others that have a good probability of being in a system).

A note about IPv6 notation: the way you handled it is suspect. The tcp_wrappers (7.6-ipv6.2) documentation says you have to include the brackets; I know, you saw a constant prefix and an IPv4 address and "extracted" the IPv4 address, but what if a real IPv6 address comes along?

-- 
René Berber
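The three objections in the reply (the pattern is too loose, it misses password failures for existing users, and it throws away the brackets and breaks on a native IPv6 client) can be checked directly by running both patterns as Python regexes. The script below is an added example, not code from the thread or from DenyHosts. It assumes DenyHosts applies a USERDEF_FAILED_ENTRY_REGEX with re.search(); the first log line is the one quoted in the thread, joined onto one line, and the other three are constructed for the test (the native-IPv6 line and the "USER root (Login failed): Incorrect password." line follow an assumed proftpd format, so verify them against your own logs; the "something else entirely" line is deliberately not a real proftpd message and only exists to show the shape the loose pattern accepts).

```python
import re

# Pattern posted by the original poster (quoted in the thread).
ORIGINAL_RE = re.compile(r".*USER (?P<user>.*):.* from ::ffff:(?P<host>.*) \[.*")
# Tightened pattern suggested in the reply: anchors on the exact failure text and
# keeps the bracketed address, as tcp_wrappers' IPv6 notation requires.
PROPOSED_RE = re.compile(r"USER (?P<user>\S+): no such user .* (?P<host>\[\S+\]) to .*")

# Log line quoted in the thread, re-joined onto one line.
NO_SUCH_USER = (
    "Jan 22 21:15:48 www proftpd[20397]: 192.168.x.y "
    "(::ffff:288.22.132.59[::ffff:188.22.132.59]) - USER ab12312b321: no such "
    "user found from ::ffff:288.22.132.59 [::ffff:288.22.132.59] to "
    "::ffff:192.168.y.y:21"
)

# Constructed line (assumption): the same event from a native IPv6 client,
# i.e. no ::ffff: v4-mapped prefix for the original pattern to latch onto.
NO_SUCH_USER_V6 = (
    "Jan 22 21:16:02 www proftpd[20401]: 192.168.x.y "
    "(2001:db8::1[2001:db8::1]) - USER ab12312b321: no such "
    "user found from 2001:db8::1 [2001:db8::1] to ::ffff:192.168.y.y:21"
)

# Constructed line (not a real proftpd message): has the "USER x: ... from ::ffff:A ["
# shape but is not a login failure at all.
NOT_A_FAILURE = (
    "Jan 22 21:17:30 www proftpd[20410]: 192.168.x.y "
    "(::ffff:10.0.0.5[::ffff:10.0.0.5]) - USER alice: something else entirely "
    "from ::ffff:10.0.0.5 [::ffff:10.0.0.5] to ::ffff:192.168.y.y:21"
)

# Constructed line (assumed proftpd format): wrong password for an account that exists.
BAD_PASSWORD = (
    "Jan 22 21:18:11 www proftpd[20415]: 192.168.x.y "
    "(::ffff:10.0.0.5[::ffff:10.0.0.5]) - USER root (Login failed): Incorrect password."
)


def extract(pattern, line):
    """Return (user, host) as the pattern would hand them to DenyHosts, or None.

    re.search() is assumed to be what DenyHosts uses; the leading .* in the
    original pattern makes match() and search() behave the same for it anyway.
    """
    m = pattern.search(line)
    return (m.group("user"), m.group("host")) if m else None


def compare(line):
    """Run both patterns over one line so the differences are side by side."""
    return {"original": extract(ORIGINAL_RE, line), "proposed": extract(PROPOSED_RE, line)}


if __name__ == "__main__":
    for name, line in [
        ("no such user (v4-mapped)", NO_SUCH_USER),
        ("no such user (native IPv6)", NO_SUCH_USER_V6),
        ("not a failure at all", NOT_A_FAILURE),
        ("bad password, existing user", BAD_PASSWORD),
    ]:
        print(f"{name}: {compare(line)}")
```

On the quoted line both patterns find the user; the original hands DenyHosts the bare 288.22.132.59 while the proposed one keeps [::ffff:288.22.132.59]. On the native-IPv6 line the original pattern does not match at all, because the literal ::ffff: is gone. The made-up non-failure line is accepted by the original pattern and rejected by the proposed one, and the bad-password line is matched by neither, which is the gap the reply points out for attacks against root, admin and similar accounts.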