Hi Dr. Mike and Amir,

Finally I used only this regex, and it worked for me.

*proftpd\[\S+\]: \S+ \(\S+\[<HOST>\]\) - USER \S+: no such user found from .*$

Thank you.



On 1.05.2014 17:39, "Dr. Mike Wendell" <theapparatus+fail2ban@gmail.com> wrote:

Greets:

I royally suck at regex and I've really never dug into the scripting
for fail2ban but why not just block on "no such user found from"?
After 5 or 6 of those tries, you would think they should be blocked
anyway....

I'm assuming you are running a proftpd server on your box, right?  If
not, I'd just be blocking on that.

Regards,
-drmike

On Wed, Apr 30, 2014 at 8:08 AM, YUSUF CAKIR <yusuf@anatoliabt.com> wrote:
Hello to all Fail2ban users,

I am new to Fail2Ban and also new to regex.
I want to block brute force attacks on ProFTPD on my CentOS server.
I have the secure log file in \var\log\secure.

Now I need a regex expression.

I tried this, but nothing happened:
USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$

My log file content looks like this:

Apr 27 11:38:26 server proftpd[28668]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
Apr 27 11:38:27 server proftpd[28688]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
Apr 27 11:38:28 server proftpd[28696]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
Apr 27 11:38:31 server proftpd[28708]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
Apr 27 11:38:32 server proftpd[28722]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
Apr 27 11:38:34 server proftpd[28730]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
Apr 27 11:38:35 server proftpd[28732]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
Apr 27 11:38:36 server proftpd[28733]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
Apr 27 11:38:38 server proftpd[28734]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
Apr 27 11:38:39 server proftpd[28737]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
Apr 27 11:38:40 server proftpd[28739]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21



Thank you for your response.
Have a nice day …


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
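
Added example, not part of the original thread and not fail2ban's own code: a small Python harness that runs the two failregexes quoted above over sample log lines and applies a retry threshold per client address. The `<HOST>` expansion is a simplified IPv4-only stand-in, the `maxretry` and `findtime` values are assumed, the year 2014 is taken from the mail dates, and the second client `192.0.2.10` and the "FTP session opened" line are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two failregexes from the thread (leading "*" of the reply left out).
FIRST_TRY = r"USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$"
FINAL = (r"proftpd\[\S+\]: \S+ \(\S+\[<HOST>\]\) - "
         r"USER \S+: no such user found from .*$")

# Constructed sample: six entries shaped like the posted ones (one line each),
# two failures from a made-up second client, and one unrelated line.
ENTRY = ("Apr 27 {t} server proftpd[28668]: 100.100.100.100 ({ip}[{ip}]) - "
         "USER test@test.com: no such user found from {ip} [{ip}] "
         "to 100.100.100.100:21")
SAMPLE = [ENTRY.format(t=t, ip="113.21.228.78") for t in
          ("11:38:26", "11:38:27", "11:38:28", "11:38:31", "11:38:32", "11:38:34")]
SAMPLE += [ENTRY.format(t=t, ip="192.0.2.10") for t in ("11:38:29", "11:38:33")]
SAMPLE.append("Apr 27 11:38:30 server proftpd[28700]: 100.100.100.100 "
              "(192.0.2.10[192.0.2.10]) - FTP session opened.")

def failures(lines, pattern):
    """Yield (timestamp, host) for every line the failregex matches."""
    rx = re.compile(pattern.replace("<HOST>", HOST))
    for line in lines:
        m = rx.search(line)
        if m:
            # syslog timestamps carry no year; 2014 is assumed here
            ts = datetime.strptime("2014 " + line[:15], "%Y %b %d %H:%M:%S")
            yield ts, m.group("host")

def hosts_to_ban(lines, pattern, maxretry=5, findtime=600):
    """Hosts with at least maxretry matches within findtime seconds."""
    recent, banned = defaultdict(deque), []
    for ts, host in failures(lines, pattern):
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()          # drop attempts older than the window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    for name, rx in (("first try", FIRST_TRY), ("final", FINAL)):
        print(name, len(list(failures(SAMPLE, rx))), hosts_to_ban(SAMPLE, rx))
```

On a host with fail2ban installed, the bundled `fail2ban-regex` tool runs a failregex against the real log file in the same way.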