From: Will E. <el...@sa...> - 2006-11-18 23:21:24
I am running a Fedora Core 5 server using sshd and proftpd and I am being hit daily by dictionary attacks. I have installed fail2ban 0.74 as the rpm version (0.6.1) does not include proftpd. By default fc5 logs sshd and proftpd to /var/log/messages and proftpd to /var/log/secure.

/var/log/messages

sshd failed login no user
Nov 12 06:59:08 foo sshd[2608]: Invalid user recruit from 61.43.153.35
Nov 12 06:59:08 foo sshd[2609]: input_userauth_request: invalid user recruit
Nov 12 06:59:08 foo sshd[2608]: error: Could not get shadow information for NOUSER
Nov 12 06:59:08 foo sshd[2608]: Failed password for invalid user recruit from 61.43.153.35 port 40840 ssh2

sshd failed login bad password
Nov 12 07:04:29 foo sshd[2994]: Failed password for nobody from 61.43.153.35 port 34903 ssh2
Nov 12 07:04:30 foo sshd[2995]: Received disconnect from 61.43.153.35: 11: Bye Bye

ftp failed login bad password
Nov 12 16:40:25 foo proftpd[9494]: foo.bar (::ffff:192.168.1.102[::ffff:192.168.1.102]) - PAM(nobody): Authentication failure.

ftp failed login no user
Nov 13 14:24:44 foo proftpd[23083]: foo.bar (::ffff:61.178.185.124[::ffff:61.178.185.124]) - no such user 'Administrator'

/var/log/secure

ftp failed login no user
Nov 15 23:50:26 foo proftpd[16426]: foo.bar (::ffff:209.160.32.173[::ffff:209.160.32.173]) - USER clark: no such user found from ::ffff:209.160.32.173 [::ffff:209.160.32.173] to ::ffff:192.168.1.98:21

ftp failed bad password
Nov 12 16:40:25 foo proftpd[9494]: foo.bar (::ffff:192.168.1.102[::ffff:192.168.1.102]) - USER nobody (Login failed): Incorrect password.

Can you help me find a working regex statement?

Will Elliott
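Added example, not part of the original post and not fail2ban's own filter code: Python regular expressions for the sshd and proftpd failure lines quoted above, checked against those lines. The named group `host`, the helper names and the last sample line are assumptions made here; how the installed fail2ban version expects the address to be marked in `failregex` should be checked against its own filter files.

```python
import re
from collections import Counter

# proftpd line prefix "proftpd[pid]: fqdn (name[addr]) - "; "::ffff:" is dropped.
FTP = r"proftpd\[\d+\]: \S+ \([^\[\s]+\[(?:::ffff:)?(?P<host>[^\]\s]+)\]\) - "

# Usernames are client-supplied text, so every pattern is anchored with $ and
# takes the host from a fixed position in the line, never from the username.
PATTERNS = [re.compile(p) for p in (
    # Logged for unknown users and bad passwords alike; also matching
    # "Invalid user ..." would count a single attempt twice.
    r"sshd\[\d+\]: Failed password for .* from (?P<host>\S+) port \d+ ssh2$",
    FTP + r"PAM\(.*\): Authentication failure\.$",                   # messages
    FTP + r"no such user '.*'$",                                     # messages
    FTP + r"USER .*: no such user found from \S+ \[\S+\] to \S+$",   # secure
    FTP + r"USER .* \(Login failed\): Incorrect password\.$",        # secure
)]

def failed_host(line):
    """Return the client address for an authentication-failure line, else None."""
    for pattern in PATTERNS:
        match = pattern.search(line)
        if match:
            return match.group("host")
    return None

def count_failures(lines):
    """Count failure lines per client address."""
    return Counter(host for host in map(failed_host, lines) if host)

# Log lines from the post; the last line is constructed (username contains " from ").
SAMPLE = """\
Nov 12 06:59:08 foo sshd[2608]: Invalid user recruit from 61.43.153.35
Nov 12 06:59:08 foo sshd[2608]: Failed password for invalid user recruit from 61.43.153.35 port 40840 ssh2
Nov 12 07:04:29 foo sshd[2994]: Failed password for nobody from 61.43.153.35 port 34903 ssh2
Nov 12 07:04:30 foo sshd[2995]: Received disconnect from 61.43.153.35: 11: Bye Bye
Nov 12 16:40:25 foo proftpd[9494]: foo.bar (::ffff:192.168.1.102[::ffff:192.168.1.102]) - PAM(nobody): Authentication failure.
Nov 13 14:24:44 foo proftpd[23083]: foo.bar (::ffff:61.178.185.124[::ffff:61.178.185.124]) - no such user 'Administrator'
Nov 15 23:50:26 foo proftpd[16426]: foo.bar (::ffff:209.160.32.173[::ffff:209.160.32.173]) - USER clark: no such user found from ::ffff:209.160.32.173 [::ffff:209.160.32.173] to ::ffff:192.168.1.98:21
Nov 12 16:40:25 foo proftpd[9494]: foo.bar (::ffff:192.168.1.102[::ffff:192.168.1.102]) - USER nobody (Login failed): Incorrect password.
Nov 12 07:05:00 foo sshd[3001]: Failed password for invalid user x from 10.0.0.1 from 203.0.113.9 port 5555 ssh2
""".splitlines()

if __name__ == "__main__":
    for host, hits in count_failures(SAMPLE).most_common():
        print(host, hits)
```

The same proftpd failure (pid 9494) appears in both /var/log/messages and /var/log/secure, so watching both files counts it twice; 192.168.1.102 scores 2 here for one login attempt.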