Menu
▾
▴
Re: [Fail2ban-users] Regex on a FC 5 box
|
From: Cyril J. <cyr...@bl...> - 2006-11-19 21:41:07
|
Hi,
The default jail for Proftpd didn't support the "::ffff:" before the IP
address. I added support for this format to every filters. Try this:
failregex = USER \S+: no such user found from \S*
?\[(?:::f{4,6}:)?(?P<host>\S+)\] to \S+\s*$
It doesn't match all the pattern you get. I will add a section to the
wiki to discuss about failregex. Thus, users will be able to post their
regular expressions and suggestions.
You can simply use the | operator to add other patterns.
Thank you
Cyril
$ ./fail2ban-regex "Nov 15 23:50:26 foo proftpd[16426]: foo.bar
(::ffff:209.160.32.173[::ffff:209.160.32.173]) - USER clark: no such
user found from ::ffff:209.160.32.173 [::ffff:209.160.32.173] to
::ffff:192.168.1.98:21" "USER \S+: no such user found from \S*
?\[(?:::f{4,6}:)?(?P<host>\S+)\] to \S+\s*$"
Success, the following data were found:
Date: Wed Nov 15 23:50:26 2006
IP : 209.160.32.173
Date template hits:
1 hit: Month Day Hour:Minute:Second
0 hit: Weekday Month Day Hour:Minute:Second Year
0 hit: Year/Month/Day Hour:Minute:Second
0 hit: Day/Month/Year:Hour:Minute:Second
0 hit: TAI64N
0 hit: Epoch
Benchmark. Executing 1000...
Performance
Avg: 0.15601754188537598 ms
Max: 7.5180530548095703 ms (Run 70)
Min: 0.11682510375976562 ms (Run 996)
Will Elliott wrote:
> Hi Cyril
> Thanks for the fast replies.
>
> I did try fail2ban-regex when I ran it using this command it failed.
> fail2ban-regex "Nov 15 23:50:26 foo proftpd[16426]: foo.bar
> (::ffff:209.160.32.173[::ffff:209.160.32.173]) -
> USER clark: no such user found from ::ffff:209.160.32.173
> [::ffff:209.160.32.173] to ::ffff:192.168.1.98:21"
> "USER \S+: no such user found from \S* ?\[(?P<host>\S+)\] to \S+\s*$"
> That is running the whole line from /var/log/secure against the provided
> regex.
>
> I ran it against the portion starting with "USER clark:... it found a match
> with no date/time.
>
> I am using the stock jail.conf with the followimg changes
>
> [ssh-iptables]
>
> enabled = true
> filter = sshd
> action = iptables[name=SSH, port=ssh, protocol=tcp]
> mail-whois[name=SSH, dest=ad...@fo...r]
> logpath = /var/log/secure
> #logpath = /var/log/sshd.log
> maxretry = 5
>
> [proftpd-iptables]
>
> enabled = true
> filter = proftpd
> action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
> mail-whois[name=ProFTPD, dest=ad...@fo...r]
> logpath = /var/log/secure
> #logpath = /var/log/proftpd/proftpd.log
> maxretry = 6
>
>
> ----- Original Message -----
> From: "Cyril Jaquier" <cyr...@bl...>
> To: "Will Elliott" <el...@sa...>
> Cc: <fai...@li...>
> Sent: Sunday, November 19, 2006 4:33 AM
> Subject: Re: [Fail2ban-users] Regex on a FC 5 box
>
>
>> Hi Will,
>>
>> Do the default regex not work? Do you get error messages? Can you post
>> your jail.[conf|local]?
>>
>> I suggest you try "fail2ban-regex". This tool will help you finding
>> correct regular expression. Start with the regex in
>> "filter.d/proftpd.conf" as a basis.
>>
>> Once you have found the correct "failregex". Do not modify "proftpd.conf"
>> but copy it to "proftpd.local" and make your changes in this file. Thus,
>> your changes will not be erased when upgrading.
>>
>> Cheers,
>>
>> Cyril
>>
>>
>
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>
|