From: Les L. <lli...@ya...> - 2008-03-05 16:09:52
Not sure what changed but fail2ban no longer bans brute force attempts using "Administrator" against proftpd. Any ideas?

The log entries are:

Mar 05 00:01:55 debian1 proftpd[6781] debian1.acihotspot.local (::ffff:218.67.245.189[::ffff:218.67.245.189]): no such user 'administrator'
Mar 05 00:01:55 debian1 proftpd[6781] debian1.acihotspot.local (::ffff:218.67.245.189[::ffff:218.67.245.189]): USER administrator: no such user found from ::ffff:218.67.245.189 [::ffff:218.67.245.189] to ::ffff:192.168.2.20:21

The failregex AFAIK is the original:

failregex = \(\S+\[<HOST>\]\): USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+$
            \(\S+\[<HOST>\]\): USER \S+ \(Login failed\): Incorrect password\.$
            \(\S+\[<HOST>\]\): SECURITY VIOLATION: \S+ login attempted\.$
            \(\S+\[<HOST>\]\): Maximum login attempts \(\d+\) exceeded$

Thanks,
Les Ligetfalvy

From: Yaroslav H. <li...@on...> - 2008-03-10 16:57:07
Thanks Les, per our conversation I think we fixed it ;-)

Cyril -- find that mod in my git repos trunk up/fixes
in a browser it is at
http://git.onerussian.com/?p=fail2ban;a=blobdiff;f=config/filter.d/proftpd.conf;h=21c8fc2ed31fbb7e51a8ca61c683235631ccde7d;hp=52a741e8a7c106bac88f07cf08bf5b9b307ca5e3;hb=a88cc41e9a6b316a71293cfbf71d826f398e6288;hpb=49771869039afc27d8f4093b8578abe0132d511a
or just look the tree
http://git.onerussian.com/?p=fail2ban;a=shortlog;h=up/fixes

On Wed, 05 Mar 2008, Les Ligetfalvy wrote:

> Not sure what changed but fail2ban no longer bans
> brute force attempts using "Administrator" against
> proftpd. Any ideas?
> The log entries are:
> Mar 05 00:01:55 debian1 proftpd[6781]
> debian1.acihotspot.local
> (::ffff:218.67.245.189[::ffff:218.67.245.189]): no
> such user 'administrator'
> Mar 05 00:01:55 debian1 proftpd[6781]
> debian1.acihotspot.local
> (::ffff:218.67.245.189[::ffff:218.67.245.189]): USER
> administrator: no such user found from
> ::ffff:218.67.245.189 [::ffff:218.67.245.189] to
> ::ffff:192.168.2.20:21
> The failregex AFAIK is the original:
> failregex = \(\S+\[<HOST>\]\): USER \S+: no such user
> found from \S+ \[[0-9.]+\] to \S+:\S+$
> \(\S+\[<HOST>\]\): USER \S+ \(Login
> failed\): Incorrect password\.$
> \(\S+\[<HOST>\]\): SECURITY VIOLATION: \S+
> login attempted\.$
> \(\S+\[<HOST>\]\): Maximum login attempts
> \(\d+\) exceeded$
> Thanks,
> Les Ligetfalvy

-- 
Yaroslav Halchenko
Keep in touch (yoh@|www.)onerussian.com
ICQ#: 60653192  Linux User [175555]
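
A check of the quoted failregex against the quoted log lines, as an added example that is not part of the original thread or of fail2ban's own code. The HOST expansion, the plain-IPv4 line and the loosened first pattern are assumptions made for illustration; the loosened pattern is not necessarily the change in the linked commit.

```python
import re

# Assumption: approximates how fail2ban expands <HOST> (optional ::ffff: prefix,
# then the address captured as "host"); not copied from the fail2ban source.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The four failregex lines quoted in the post.
ORIGINAL = [
    r"\(\S+\[<HOST>\]\): USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+$",
    r"\(\S+\[<HOST>\]\): USER \S+ \(Login failed\): Incorrect password\.$",
    r"\(\S+\[<HOST>\]\): SECURITY VIOLATION: \S+ login attempted\.$",
    r"\(\S+\[<HOST>\]\): Maximum login attempts \(\d+\) exceeded$",
]
# Hypothetical loosening of the first pattern: the trailing "[address]" may be
# any bracketed token, so an IPv4-mapped IPv6 address no longer breaks the match.
LOOSENED = [ORIGINAL[0].replace(r"\[[0-9.]+\]", r"\[\S+\]")] + ORIGINAL[1:]

PREFIX = "Mar 05 00:01:55 debian1 proftpd[6781] debian1.acihotspot.local "
MAPPED = "(::ffff:218.67.245.189[::ffff:218.67.245.189]): "
LINES = {
    # The two log lines from the post.
    "mapped_no_user": PREFIX + MAPPED + "no such user 'administrator'",
    "mapped_user_cmd": PREFIX + MAPPED + "USER administrator: no such user found "
    "from ::ffff:218.67.245.189 [::ffff:218.67.245.189] to ::ffff:192.168.2.20:21",
    # Constructed: the same event written with plain IPv4 addresses.
    "ipv4_user_cmd": PREFIX + "(203.0.113.7[203.0.113.7]): USER administrator: "
    "no such user found from 203.0.113.7 [203.0.113.7] to 192.168.2.20:21",
}


def banned_host(patterns, line):
    """Return the host the first matching pattern captures, or None."""
    for pattern in patterns:
        match = re.search(pattern.replace("<HOST>", HOST), line)
        if match:
            return match.group("host")
    return None


if __name__ == "__main__":
    for name, line in LINES.items():
        print(f"{name:16} original={banned_host(ORIGINAL, line)} "
              f"loosened={banned_host(LOOSENED, line)}")
```

The first quoted log line ("no such user 'administrator'") is matched by neither list; only the "USER ...: no such user found" line can trigger a ban.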