From: Marcus M. <mar...@fr...> - 2008-08-23 09:30:55
Hello,

just one question:

I'm using proftpd but fail2ban doesn't ban the IPs after maxretry=6 which were trying to connect to the proftpd server with a wrong password PASS (hidden). What can I do? Why doesn't fail2ban ban the IPs?

The jail.conf is as follows:

[proftpd-iptables]

enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=ProFTPD, dest=mar...@fr...]
logpath = /var/log/authproftpd.log
maxretry = 6

The authproftpd.log:

x.x.x.x ftp [23/Aug/2008:11:09:44 +0200] "USER mmuster" 331 -
x.x.x.x ftp [23/Aug/2008:11:09:44 +0200] "PASS (hidden)" 530 -

The filter proftpd:

# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 677 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
            \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
            \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
            \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

Please help me.

Best regards,

Marcus
From: Christian R. <spo...@gm...> - 2008-08-23 09:47:43
hi marcus,

what does

fail2ban-regex /var/log/authproftpd.log /etc/fail2ban/ /etc/fail2ban/filter.d/proftpd.conf

say? maybe you have set your ip to the ignoreip variable..

2008/8/23 Marcus Müller <mar...@fr...>:
[snip]
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
From: Marcus M. <mar...@fr...> - 2008-08-23 12:09:09
Hi,

fail2ban-regex /var/log/authproftpd.log /etc/fail2ban/ /etc/fail2ban/filter.d/proftpd.conf gives the following:

Cannot remove regular expression. Index 0 is not valid
No 'host' group in '/etc/fail2ban/'
Cannot remove regular expression. Index 0 is not valid
Cannot add empty regex

Results
=======

Failregex
|- Regular expressions:
|  [1] /etc/fail2ban/
|
`- Number of matches:
   [1] 0 match(es)

Ignoreregex
|- Regular expressions:
|  [1]
|
`- Number of matches:
   [1] 0 match(es)

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important information.

Best regards,

Marcus
From: Christian R. <spo...@gm...> - 2008-08-23 20:38:07
oh sorry i mean:

"fail2ban-regex /var/log/authproftpd.log /etc/fail2ban/filter.d/proftpd.conf"

btw the log should look like:

Aug 23 22:28:18 thor proftpd[23787] thor (x.x.x.x[x.x.x.x]): USER anonymous: no such user found from x.x.x.x [x.x.x.x] to x.x.x.x:21

do you use your own logformat in proftpd?
From: Marcus M. <mar...@fr...> - 2008-08-24 10:03:18
Hi,

I'm using my own logformat:

# Logformat
SystemLog NONE
LogFormat default "%h %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat write "%h %u %t \"%r\" %s %b"

"fail2ban-regex /var/log/authproftpd.log /etc/fail2ban/filter.d/proftpd.conf"

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/proftpd.conf
Use log file   : /var/log/authproftpd.log

Results
=======

Failregex
|- Regular expressions:
|  [1] \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
|  [2] \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
|  [3] \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
|  [4] \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$
|
`- Number of matches:
   [1] 0 match(es)
   [2] 0 match(es)
   [3] 0 match(es)
   [4] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important information.
From: René B. <rb...@ca...> - 2008-08-23 21:17:45
Marcus Müller wrote:
> just one question:
>
> Im using proftpd but fail2ban doesnt ban the IP´s after maxretry=6 which
> was trying to connect to the proftpd-Server with a wrong Password PASS
> (hidden). What can i do ? Why doesnt ban fail2ban the IP´s ?
[snip]
> The authproftpd.log
>
> x.x.x.x ftp [23/Aug/2008:11:09:44 +0200] "USER mmuster" 331 -
> x.x.x.x ftp [23/Aug/2008:11:09:44 +0200] "PASS (hidden)" 530 -

That log looks nothing like ProFtp's log, it looks like an imitation of
Apache's log (in fact a quick Google seems to indicate it is a
Microsoft's ftp server). No wonder the filter expressions don't match
anything.

For the future: when you report a problem please include which version
you are using, under which operating system, and if you have made
changes.

[snip]
> failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
>             \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
>             \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
>             \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$
[snip]

A quick fix, add the following to the above expressions:

^<HOST> ftp .* PASS .* 530

That is not a permanent fix, when you upgrade fail2ban that file will be
overwritten and the change lost.

The real fix is to create your own local rule, with the proper regular
expression. I would experiment with the above expression for some time,
if it works keep it, if you see other log messages that should have
their own expression add them.

For instance, the 331 code in the log means the user name was known, the
350 probably means a bad password (I'm not sure, as I said, that log
doesn't look like ProFtp's log... but I haven't used ProFtp in years so
it could have changed), what does an invalid user look like? probably
just another code (332 following Microsoft's documentation), then a
similar regex should be added with that code instead of 530.
--
René Berber
From: René B. <rb...@ca...> - 2008-08-23 22:42:13
René Berber wrote:
[snip]
> That log looks nothing like ProFtp's log, it looks like an imitation of
> Apache's log (in fact a quick Google seems to indicate it is a
> Microsoft's ftp server). No wonder the filter expressions don't match
> anything.
[snip]

Just for reference, this is what ProFtp's log looks like (under Windows
where I already had it installed), two tests, first I tried with an
invalid password, then I used the correct one:

08-23 17:33:19 proftpd: [mail.info] PID 1720: connect from 127.0.0.1
08-23 17:33:22 proftpd: [daemon.info] black.cactus-soft.dyndns.org (localhost[127.0.0.1]) - FTP session opened.
08-23 17:33:48 proftpd: [daemon.notice] black.cactus-soft.dyndns.org (localhost[127.0.0.1]) - error authenticating Cygwin user: Permission denied
08-23 17:33:48 proftpd: [authpriv.notice] black.cactus-soft.dyndns.org (localhost[127.0.0.1]) - USER rberber (Login failed): Incorrect password.
08-23 17:33:48 proftpd: [authpriv.info] black.cactus-soft.dyndns.org (localhost[127.0.0.1]) - FTP session closed.
...
08-23 17:34:51 proftpd: [mail.info] PID 2648: connect from 127.0.0.1
08-23 17:34:52 proftpd: [daemon.info] black.cactus-soft.dyndns.org (localhost[127.0.0.1]) - FTP session opened.
08-23 17:34:56 proftpd: [authpriv.notice] black.cactus-soft.dyndns.org (localhost[127.0.0.1]) - USER rberber: Login successful.
08-23 17:34:56 proftpd: [authpriv.warning] black.cactus-soft.dyndns.org

The version I'm using:

$ /usr/sbin/proftpd --version
 - ProFTPD Version 1.3.0a
--
René Berber
From: Marcus M. <mar...@fr...> - 2008-08-24 10:06:26
Hi,

1) the OS is SLES10
2) Proftpd 1.3.1

The only changes are the logformat and the ExtendedLog:

# Logformat
SystemLog NONE
LogFormat default "%h %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat write "%h %u %t \"%r\" %s %b"

# Record all logins
ExtendedLog /var/log/authproftpd.log AUTH
From: Christian R. <spo...@gm...> - 2008-08-24 12:34:18
when you change the log format you must change the regex too.

a) remove the LogFormat lines.
or
b) change the regex (see mail(s) from René)
From: Marcus M. <mar...@fr...> - 2008-08-24 19:03:12
Hi,

Thank you. So I removed the LogFormat lines from proftpd.conf.

Now I'm getting this message in the authproftpd.log but fail2ban doesn't ban the IP. (confused)

x.x.x.x UNKNOWN ftp [24/Aug/2008:20:51:03 +0200] "USER mmuster" 331 -
x.x.x.x UNKNOWN ftp [24/Aug/2008:20:51:03 +0200] "PASS (hidden)" 530 -
From: René B. <rb...@ca...> - 2008-08-24 19:49:53
|
Marcus Müller wrote:
> So I removed the LogFormat lines from proftpd.conf
>
> Now, I'm getting this message in the authproftpd.log but fail2ban doesn't
> ban the IP. (confused)
>
> x.x.x.x UNKNOWN ftp [24/Aug/2008:20:51:03 +0200] "USER mmuster" 331 -
> x.x.x.x UNKNOWN ftp [24/Aug/2008:20:51:03 +0200] "PASS (hidden)" 530 -

Did you restart proftpd? Only necessary if it is running as a daemon, not
if it runs through inet.conf.

I'm wondering if you read all of my message, I would have tested the
regex I gave you.

--
René Berber
|
From: Marcus M. <mar...@fr...> - 2008-08-25 08:06:55
|
Hi,

yes, I restarted the proftpd. Only this kind of information was listed in
authproftpd.log:

x.x.x.x UNKNOWN ftp [25/Aug/2008:10:02:51 +0200] "USER mmuster" 331 -
x.x.x.x UNKNOWN ftp [25/Aug/2008:10:02:51 +0200] "PASS (hidden)" 530 -

server:/ # fail2ban-regex /var/log/authproftpd.log /etc/fail2ban/filter.d/proftpd.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/proftpd.conf
Use log file   : /var/log/authproftpd.log

Results
=======

Failregex
|- Regular expressions:
|  [1] \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
|  [2] \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
|  [3] \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
|  [4] \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$
|
`- Number of matches:
   [1] 0 match(es)
   [2] 0 match(es)
   [3] 0 match(es)
   [4] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.

-----Original Message-----
From: fai...@li... [mailto:fai...@li...] On Behalf Of René Berber
Sent: Sunday, 24 August 2008 21:50
To: fai...@li...
Subject: Re: [Fail2ban-users] Filter for proftpd

Marcus Müller wrote:
> So I removed the LogFormat lines from proftpd.conf
>
> Now, I'm getting this message in the authproftpd.log but fail2ban
> doesn't ban the IP. (confused)
>
> x.x.x.x UNKNOWN ftp [24/Aug/2008:20:51:03 +0200] "USER mmuster" 331 -
> x.x.x.x UNKNOWN ftp [24/Aug/2008:20:51:03 +0200] "PASS (hidden)" 530 -

Did you restart proftpd? Only necessary if it is running as a daemon, not
if it runs through inet.conf.

I'm wondering if you read all of my message, I would have tested the
regex I gave you.
--
René Berber
|
From: René B. <rb...@ca...> - 2008-08-25 18:57:12
|
Marcus Müller wrote:
> yes, I restarted the proftpd. Only this kind of information was listed
> in authproftpd.log:
>
> x.x.x.x UNKNOWN ftp [25/Aug/2008:10:02:51 +0200] "USER mmuster" 331 -
> x.x.x.x UNKNOWN ftp [25/Aug/2008:10:02:51 +0200] "PASS (hidden)" 530 -

A different regex is needed, to take into consideration the change in
format (also an extra blank I added that was wrong), try adding to
proftpd.conf (after the other 4 regexes):

^<HOST> .* ftp .*PASS .* 530

Test as before, no need to restart proftpd, just 'fail2ban-regex
/var/log/authproftpd.log /etc/fail2ban/filter.d/proftpd.conf'.

--
René Berber
|
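Why the four stock expressions miss the ExtendedLog lines while the fifth one catches them, and how a jail turns the matches into a ban, can be checked offline. The script below is an added example written for this thread; it is not fail2ban's own code and not René's. It expands `<HOST>` exactly as the header of filter.d/proftpd.conf documents it, runs the patterns over constructed sample lines (documentation-range addresses, the helper names `ext_line`, `first_match`, `collect_failures` and `hosts_to_ban` are invented for the example), and applies a simplified maxretry/findtime rule per host. Skipping lines whose ExtendedLog timestamp cannot be parsed is a simplification of the example, not fail2ban's behaviour.

```python
"""Added example (not fail2ban's own code): run fail2ban-style failregex
patterns over constructed ProFTPD log lines in the two formats discussed in
this thread, then apply a simplified per-host maxretry/findtime check."""
import re
from collections import defaultdict
from datetime import datetime

# <HOST> alias exactly as documented in the header of filter.d/proftpd.conf.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The four stock expressions, written for ProFTPD's syslog-style messages.
STOCK_FAILREGEX = [
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$",
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$",
    r"\(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$",
    r"\(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$",
]
# The fifth expression suggested in the thread for the Apache-style ExtendedLog lines.
EXTENDED_FAILREGEX = r"^<HOST> .* ftp .*PASS .* 530"

# Timestamp of the ExtendedLog format, the "Day/Month/Year:Hour:Minute:Second"
# template that fail2ban-regex reports hits for on this log.
EXTENDED_TIME = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def compile_failregex(pattern):
    """Expand <HOST> the way the filter file documents it, then compile."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


def first_match(patterns, line):
    """(pattern index, host) for the first failregex that matches the line, else None."""
    for index, pattern in enumerate(patterns):
        m = compile_failregex(pattern).search(line)
        if m:
            return index, m.group("host")
    return None


def parse_extended_time(line):
    """Timezone-aware datetime taken from an ExtendedLog line, or None if absent."""
    m = EXTENDED_TIME.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z") if m else None


def collect_failures(log_text, patterns):
    """Map host -> sorted failure times. Lines without a parseable ExtendedLog
    timestamp are skipped (simplification of this example, not fail2ban's rule)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        hit = first_match(patterns, line)
        when = parse_extended_time(line)
        if hit and when:
            failures[hit[1]].append(when)
    return {host: sorted(times) for host, times in failures.items()}


def hosts_to_ban(failures, maxretry=6, findtime=600):
    """Hosts with at least maxretry failures inside some findtime-second window
    (simplified model of a jail's maxretry/findtime check; an assumption)."""
    banned = []
    for host, times in failures.items():
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.append(host)
                break
    return sorted(banned)


def ext_line(host, clock, command, code):
    """Constructed ExtendedLog line in the shape posted in this thread (sample data)."""
    return '%s UNKNOWN ftp [25/Aug/2008:%s +0200] "%s" %d -' % (host, clock, command, code)


# Constructed sample log with documentation-range addresses, not real traffic:
# 198.51.100.7 fails six times within ten seconds, 198.51.100.9 fails six
# times an hour apart, 198.51.100.11 logs in successfully (230).
SAMPLE_EVENTS = (
    [("198.51.100.7", "10:02:%02d" % s) for s in (51, 53, 55, 57, 59)]
    + [("198.51.100.7", "10:03:01")]
    + [("198.51.100.9", "%02d:00:00" % h) for h in range(10, 16)]
)
SAMPLE_LOG = "\n".join(
    [ext_line(h, t, "USER mmuster", 331) for h, t in SAMPLE_EVENTS]
    + [ext_line(h, t, "PASS (hidden)", 530) for h, t in SAMPLE_EVENTS]
    + [ext_line("198.51.100.11", "10:05:00", "PASS (hidden)", 230)]
)
EXT_FAIL_LINE = ext_line("198.51.100.7", "10:02:51", "PASS (hidden)", 530)
# Constructed syslog-style line of the kind the stock regexes were written for.
SYSLOG_LINE = ("Aug 25 10:02:51 server proftpd[12345]: server (client.example.com[198.51.100.8])"
               " - USER bogus: no such user found from client.example.com [198.51.100.8] to 203.0.113.5:21")

if __name__ == "__main__":
    all_regex = STOCK_FAILREGEX + [EXTENDED_FAILREGEX]
    print("stock regexes on an ExtendedLog line:", first_match(STOCK_FAILREGEX, EXT_FAIL_LINE))
    print("all five on the same line:", first_match(all_regex, EXT_FAIL_LINE))
    print("stock regexes on a syslog-style line:", first_match(STOCK_FAILREGEX, SYSLOG_LINE))
    failures = collect_failures(SAMPLE_LOG, all_regex)
    print("failures per host:", {h: len(t) for h, t in failures.items()})
    print("banned with maxretry=6, findtime=600:", hosts_to_ban(failures))
```

The run shows the point made earlier in the thread: the stock patterns need the `(name[ip])` shape of ProFTPD's syslog messages, so they match the syslog-style sample but none of the ExtendedLog lines; the fifth pattern matches only `PASS` lines with a 530 reply, so a successful login (230) and the `USER` line (331) are not counted. The findtime window is why a slow drip of failures an hour apart is not banned with the defaults while six failures in ten seconds are.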
From: Marcus M. <mar...@fr...> - 2008-08-26 20:49:14
|
Hi,

thank you for your mail.

So my regexes of proftpd.conf are as follows:

Failregex
|- Regular expressions:
|  [1] \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
|  [2] \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
|  [3] \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
|  [4] \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$
|  [5] ^<HOST> .* ftp .*PASS .* 530

'fail2ban-regex /var/log/authproftpd.log /etc/fail2ban/filter.d/proftpd.conf'

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/proftpd.conf
Use log file   : /var/log/authproftpd.log

Results
=======

Failregex
|- Regular expressions:
|  [1] \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
|  [2] \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
|  [3] \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
|  [4] \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$
|  [5] ^<HOST> .* ftp .*PASS .* 530
|
`- Number of matches:
   [1] 0 match(es)
   [2] 0 match(es)
   [3] 0 match(es)
   [4] 0 match(es)
   [5] 54 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
[2]
[3]
[4]
[5]
    x.x.x.x (Sun Aug 24 11:50:00 2008)
    x.x.x.x (Sun Aug 24 11:51:50 2008)
    x.x.x.x (Sun Aug 24 11:51:53 2008)
    x.x.x.x (Sun Aug 24 11:51:56 2008)
    x.x.x.x (Sun Aug 24 11:52:00 2008)
    x.x.x.x (Sun Aug 24 11:52:03 2008)
    x.x.x.x (Sun Aug 24 11:52:06 2008)
    x.x.x.x (Sun Aug 24 11:52:08 2008)
    x.x.x.x (Sun Aug 24 11:52:11 2008)
    x.x.x.x (Sun Aug 24 11:52:14 2008)
    x.x.x.x (Sun Aug 24 11:52:18 2008)
    x.x.x.x (Sun Aug 24 11:52:20 2008)
    x.x.x.x (Sun Aug 24 11:52:22 2008)
    x.x.x.x (Sun Aug 24 11:56:57 2008)
    x.x.x.x (Sun Aug 24 11:57:02 2008)
    x.x.x.x (Sun Aug 24 11:57:05 2008)
    x.x.x.x (Sun Aug 24 11:57:08 2008)
    x.x.x.x (Sun Aug 24 11:57:10 2008)
    x.x.x.x (Sun Aug 24 11:57:12 2008)
    x.x.x.x (Sun Aug 24 11:57:15 2008)
    x.x.x.x (Sun Aug 24 11:57:17 2008)
    x.x.x.x (Sun Aug 24 11:57:19 2008)
    x.x.x.x (Sun Aug 24 11:57:21 2008)
    x.x.x.x (Sun Aug 24 11:57:24 2008)
    x.x.x.x (Sun Aug 24 11:57:26 2008)
    x.x.x.x (Sun Aug 24 11:57:28 2008)
    x.x.x.x (Sun Aug 24 11:57:30 2008)
    x.x.x.x (Sun Aug 24 11:57:33 2008)
    x.x.x.x (Sun Aug 24 11:57:37 2008)
    x.x.x.x (Sun Aug 24 11:57:41 2008)
    x.x.x.x (Sun Aug 24 11:57:43 2008)
    x.x.x.x (Sun Aug 24 20:50:01 2008)
    x.x.x.x (Sun Aug 24 20:50:05 2008)
    x.x.x.x (Sun Aug 24 20:50:11 2008)
    x.x.x.x (Sun Aug 24 20:50:15 2008)
    x.x.x.x (Sun Aug 24 20:50:18 2008)
    x.x.x.x (Sun Aug 24 20:50:21 2008)
    x.x.x.x (Sun Aug 24 20:50:24 2008)
    x.x.x.x (Sun Aug 24 20:50:26 2008)
    x.x.x.x (Sun Aug 24 20:50:30 2008)
    x.x.x.x (Sun Aug 24 20:50:32 2008)
    x.x.x.x (Sun Aug 24 20:50:35 2008)
    x.x.x.x (Sun Aug 24 20:50:38 2008)
    x.x.x.x (Sun Aug 24 20:50:41 2008)
    x.x.x.x (Sun Aug 24 20:50:43 2008)
    x.x.x.x (Sun Aug 24 20:50:46 2008)
    x.x.x.x (Sun Aug 24 20:50:49 2008)
    x.x.x.x (Sun Aug 24 20:50:51 2008)
    x.x.x.x (Sun Aug 24 20:50:53 2008)
    x.x.x.x (Sun Aug 24 20:50:56 2008)
    x.x.x.x (Sun Aug 24 20:50:58 2008)
    x.x.x.x (Sun Aug 24 20:51:01 2008)
    x.x.x.x (Sun Aug 24 20:51:03 2008)
    x.x.x.x (Mon Aug 25 10:02:51 2008)

Date template hits:
0 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
1754 hit(s): Day/Month/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601

Success, the total number of match is 54

However, look at the above section 'Running tests' which could contain
important information.

-----Original Message-----
From: fai...@li... [mailto:fai...@li...] On Behalf Of René Berber
Sent: Monday, 25 August 2008 20:57
To: fai...@li...
Subject: Re: [Fail2ban-users] Filter for proftpd

Marcus Müller wrote:
> yes, I restarted the proftpd. Only this kind of information was
> listed in authproftpd.log:
>
> x.x.x.x UNKNOWN ftp [25/Aug/2008:10:02:51 +0200] "USER mmuster" 331 -
> x.x.x.x UNKNOWN ftp [25/Aug/2008:10:02:51 +0200] "PASS (hidden)" 530 -

A different regex is needed, to take into consideration the change in
format (also an extra blank I added that was wrong), try adding to
proftpd.conf (after the other 4 regexes):

^<HOST> .* ftp .*PASS .* 530

Test as before, no need to restart proftpd, just 'fail2ban-regex
/var/log/authproftpd.log /etc/fail2ban/filter.d/proftpd.conf'.

--
René Berber
|
From: René B. <rb...@ca...> - 2008-08-26 21:47:19
|
Marcus Müller wrote:
> thank you for your mail.
>
> So my regexes of proftpd.conf are as follows:
>
> Failregex
> |- Regular expressions:
> |  [1] \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
> |  [2] \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
> |  [3] \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
> |  [4] \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$
> |  [5] ^<HOST> .* ftp .*PASS .* 530
>
> 'fail2ban-regex /var/log/authproftpd.log /etc/fail2ban/filter.d/proftpd.conf'
>
> Running tests
> =============
>
> Use regex file : /etc/fail2ban/filter.d/proftpd.conf
> Use log file   : /var/log/authproftpd.log
>
>
> Results
> =======
>
> Failregex
> |- Regular expressions:
> |  [1] \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
> |  [2] \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
> |  [3] \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
> |  [4] \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$
> |  [5] ^<HOST> .* ftp .*PASS .* 530
> |
> `- Number of matches:
>    [1] 0 match(es)
>    [2] 0 match(es)
>    [3] 0 match(es)
>    [4] 0 match(es)
>    [5] 54 match(es)
>
> Ignoreregex
> |- Regular expressions:
> |
> `- Number of matches:
>
> Summary
> =======
>
> Addresses found:
> [1]
> [2]
> [3]
> [4]
> [5]
>     x.x.x.x (Sun Aug 24 11:50:00 2008)
...

Seems to be working. Now just restart fail2ban-server to put it in
operation, or a simple 'fail2ban-client reload' will reload the
configuration, also 'fail2ban-client reload proftpd-iptables' is enough.

I would also keep an eye for a while on authproftpd.log to see if
anything that should be matched is not.

--
René Berber
|