From: Cyril J. <cyr...@bl...> - 2006-11-19 21:41:07
Hi,

The default jail for Proftpd didn't support the "::ffff:" before the IP address. I added support for this format to every filter. Try this:

failregex = USER \S+: no such user found from \S* ?\[(?:::f{4,6}:)?(?P<host>\S+)\] to \S+\s*$

It doesn't match all the patterns you get. I will add a section to the wiki to discuss failregex. Thus, users will be able to post their regular expressions and suggestions. You can simply use the | operator to add other patterns.

Thank you

Cyril

$ ./fail2ban-regex "Nov 15 23:50:26 foo proftpd[16426]: foo.bar (::ffff:209.160.32.173[::ffff:209.160.32.173]) - USER clark: no such user found from ::ffff:209.160.32.173 [::ffff:209.160.32.173] to ::ffff:192.168.1.98:21" "USER \S+: no such user found from \S* ?\[(?:::f{4,6}:)?(?P<host>\S+)\] to \S+\s*$"

Success, the following data were found:
Date: Wed Nov 15 23:50:26 2006
IP  : 209.160.32.173

Date template hits:
1 hit: Month Day Hour:Minute:Second
0 hit: Weekday Month Day Hour:Minute:Second Year
0 hit: Year/Month/Day Hour:Minute:Second
0 hit: Day/Month/Year:Hour:Minute:Second
0 hit: TAI64N
0 hit: Epoch

Benchmark. Executing 1000...
Performance
Avg: 0.15601754188537598 ms
Max: 7.5180530548095703 ms (Run 70)
Min: 0.11682510375976562 ms (Run 996)

Will Elliott wrote:
> Hi Cyril
> Thanks for the fast replies.
>
> I did try fail2ban-regex; when I ran it using this command it failed.
> fail2ban-regex "Nov 15 23:50:26 foo proftpd[16426]: foo.bar
> (::ffff:209.160.32.173[::ffff:209.160.32.173]) -
> USER clark: no such user found from ::ffff:209.160.32.173
> [::ffff:209.160.32.173] to ::ffff:192.168.1.98:21"
> "USER \S+: no such user found from \S* ?\[(?P<host>\S+)\] to \S+\s*$"
> That is running the whole line from /var/log/secure against the provided
> regex.
>
> I ran it against the portion starting with "USER clark:..." and it found a match
> with no date/time.
>
> I am using the stock jail.conf with the following changes
>
> [ssh-iptables]
>
> enabled  = true
> filter   = sshd
> action   = iptables[name=SSH, port=ssh, protocol=tcp]
>            mail-whois[name=SSH, dest=ad...@fo...r]
> logpath  = /var/log/secure
> #logpath = /var/log/sshd.log
> maxretry = 5
>
> [proftpd-iptables]
>
> enabled  = true
> filter   = proftpd
> action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
>            mail-whois[name=ProFTPD, dest=ad...@fo...r]
> logpath  = /var/log/secure
> #logpath = /var/log/proftpd/proftpd.log
> maxretry = 6
>
>
> ----- Original Message -----
> From: "Cyril Jaquier" <cyr...@bl...>
> To: "Will Elliott" <el...@sa...>
> Cc: <fai...@li...>
> Sent: Sunday, November 19, 2006 4:33 AM
> Subject: Re: [Fail2ban-users] Regex on a FC 5 box
>
>
>> Hi Will,
>>
>> Does the default regex not work? Do you get error messages? Can you post
>> your jail.[conf|local]?
>>
>> I suggest you try "fail2ban-regex". This tool will help you find the
>> correct regular expression. Start with the regex in
>> "filter.d/proftpd.conf" as a basis.
>>
>> Once you have found the correct "failregex", do not modify "proftpd.conf"
>> but copy it to "proftpd.local" and make your changes in this file. Thus,
>> your changes will not be erased when upgrading.
>>
>> Cheers,
>>
>> Cyril
>>
>>
>
>
> -------------------------------------------------------------------------
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
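An added example, not part of the thread or of fail2ban itself: it runs both failregex variants quoted above through Python's re module over a constructed pair of proftpd log lines and checks whether the captured <host> is a literal IPv4 address that an iptables action could actually ban. The second log line, its user name and the 203.0.113.7 address are constructed for illustration.

```python
import re
import ipaddress

# Both patterns come from the thread: the original proftpd failregex and the
# one with the optional "::ffff:" prefix consumed before <host>.
OLD_FAILREGEX = r"USER \S+: no such user found from \S* ?\[(?P<host>\S+)\] to \S+\s*$"
NEW_FAILREGEX = r"USER \S+: no such user found from \S* ?\[(?:::f{4,6}:)?(?P<host>\S+)\] to \S+\s*$"

# Constructed sample lines: the first is the IPv4-mapped form from the thread,
# the second a plain IPv4 line (203.0.113.7 is a documentation address).
SAMPLE_LINES = [
    "Nov 15 23:50:26 foo proftpd[16426]: foo.bar (::ffff:209.160.32.173[::ffff:209.160.32.173]) - "
    "USER clark: no such user found from ::ffff:209.160.32.173 [::ffff:209.160.32.173] to ::ffff:192.168.1.98:21",
    "Nov 15 23:51:02 foo proftpd[16427]: foo.bar (203.0.113.7[203.0.113.7]) - "
    "USER mallory: no such user found from 203.0.113.7 [203.0.113.7] to 192.168.1.98:21",
]


def extract_host(line, failregex):
    """Return the <host> group captured by failregex, or None if it does not match.
    fail2ban searches for the failregex anywhere in the line (the date is matched
    separately), so re.search rather than re.match is the right call."""
    m = re.search(failregex, line)
    return m.group("host") if m else None


def bannable_ipv4(host):
    """True only if host is a literal IPv4 address, which is what an
    iptables[...] ban action expects; '::ffff:1.2.3.4' parses as IPv6 and fails."""
    try:
        return isinstance(ipaddress.ip_address(host), ipaddress.IPv4Address)
    except ValueError:
        return False


def compare(lines):
    """For each line, return (old_host, old_ok, new_host, new_ok)."""
    report = []
    for line in lines:
        old = extract_host(line, OLD_FAILREGEX)
        new = extract_host(line, NEW_FAILREGEX)
        report.append((old, bool(old) and bannable_ipv4(old),
                       new, bool(new) and bannable_ipv4(new)))
    return report


if __name__ == "__main__":
    for old, old_ok, new, new_ok in compare(SAMPLE_LINES):
        print(f"old -> {old!r} bannable={old_ok}; new -> {new!r} bannable={new_ok}")
```

The old pattern does match the mapped-address line, but hands the ban action "::ffff:209.160.32.173", which is not an IPv4 literal; the new pattern yields "209.160.32.173" and leaves plain IPv4 lines unchanged.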