Re: [Fail2ban-users] proftpd - regex for

[Andreas M. <an...@an...>]

Roman Buerkle <bu...@st...> schrieb:

> On Tue, 2008-02-12 at 21:55 +0100, Cyril Jaquier wrote:

> > Do you have these lines in proftpd.conf?
> > 
> > failregex = USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$
> >             \(\S*\[<HOST>\]\) - USER \S+ \(Login failed\): Incorrect
> > password.$
> > 
> > Regards,
> > 
> > Cyril
> 
> Yep, looks like mine. (nightly snapshot from 6.Feb.08)
> 
> -------------------------------
> [root@deepblue ~]# cat /etc/fail2ban/filter.d/proftpd.conf 
> # Fail2Ban configuration file
> #
> # Author: Yaroslav Halchenko
> #
> # $Revision: 603 $
> #
> [Definition]
> # Option: failregex
> # Notes.: regex to match the password failures messages in the logfile.
> The
> #          host must be matched by a group named "host". The tag
> "<HOST>" can
> #          be used for standard IP/hostname matching and is only an
> alias for
> #          (?:::f{4,6}:)?(?P<host>\S+)
> # Values: TEXT
> #
> failregex = USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$
>             \(\S*\[<HOST>\]\) - USER \S+ \(Login failed\): Incorrect
> password.$

My proftpd does not produce a part like: USER \S+ \(Login failed\): Incorrect

USER Administrator: no such user found from cherry.anup.dmz [192.168.20.210] to 192.168.20.60:21

that's all


-- 
   Andreas

We live in an incredible age. Information is obtained at the speed of light.
Mein öffentlicher GPG-Schlüssel unter:
http://gpg-keyserver.de/pks/lookup?search=anmeyer&fingerprint=on&op=index