From: Luis E. <tu...@as...> - 2007-07-20 12:37:14
> If you compare these regular expressions with those in your first post,

Thanks again for the feedback Cyril. Lots of info in those links! :) For an experiment I removed the $ sign from the end of the regex and this time fail2ban-regex worked.

> In your case, it seems that you have more output after
> "rhost=xxx.xxx.xxx.xxx". Could you post some of the corresponding vsftpd
> logs?

Here is a typical vsftpd failed login in /var/log/secure:

Jul 19 18:11:18 srv2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Jul 19 18:11:18 srv2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=c-xx-xxx-xx-xxx.hsd1.fl.comcast.net
Jul 19 18:11:18 srv2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user an8767
Jul 19 18:11:26 srv2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Jul 19 18:11:26 srv2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=c-xx-xxx-xx-xxx.hsd1.fl.comcast.net
Jul 19 18:11:26 srv2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user an8767

I replaced the IP address part with xx. I'm not sure what could be coming after the "rhost" section though...

Thanks again,
Luis
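
Added example, not part of the original message: a small Python harness that checks how an end anchor in a failregex behaves when text follows the rhost field, and shows a pattern that keeps the anchor while tolerating such text. The three patterns, the `HOST` expansion, the host name and the trailing-text variants are all assumptions constructed for illustration; the thread does not show the actual regex or establish what follows "rhost".

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption, not fail2ban's
# own expansion): captures a host name or IPv4 address.
HOST = r"(?P<host>[\w.\-]+)"

BASE = r"vsftpd: pam_unix\(vsftpd:auth\): authentication failure; .* rhost=<HOST>"

# Hypothetical failregex candidates; the regex from the thread is not shown.
CANDIDATES = {
    "anchored": BASE + r"$",                          # nothing may follow the host
    "tolerant": BASE + r"(?:\s+user=\S*)?\s*$",       # anchor kept, suffix allowed
    "unanchored": BASE,                               # "$" removed, as in the post
}

# Constructed log line modelled on the format posted above.
LINE = ("Jul 19 18:11:18 srv2 vsftpd: pam_unix(vsftpd:auth): authentication "
        "failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 "
        "rhost=host.example.net")

# Constructed variants of what might follow the rhost field (assumptions).
SAMPLES = {
    "bare": LINE,
    "trailing_space": LINE + " ",
    "user_suffix": LINE + " user=an8767",
}

def compile_failregex(pattern):
    """Expand the <HOST> tag and compile, roughly as fail2ban does."""
    return re.compile(pattern.replace("<HOST>", HOST))

def match_host(pattern, line):
    """Return the captured host, or None when the line is not matched."""
    m = compile_failregex(pattern).search(line)
    return m.group("host") if m else None

def report():
    """Map each candidate name to {sample name: captured host or None}."""
    return {name: {s: match_host(p, line) for s, line in SAMPLES.items()}
            for name, p in CANDIDATES.items()}

if __name__ == "__main__":
    for name, results in report().items():
        for sample, host in results.items():
            print(f"{name:10} {sample:14} -> {host}")
```

Running the same comparison with fail2ban-regex against the real log file shows which variant applies on a given system.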