From: Marcus M. <mar...@fr...> - 2008-08-26 20:49:14
Hi,

thank you for your mail. So my regexes of proftpd.conf are as follows:

    Failregex
    |- Regular expressions:
    |  [1] \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
    |  [2] \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
    |  [3] \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
    |  [4] \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$
    |  [5] ^<HOST> .* ftp .*PASS .* 530

'fail2ban-regex /var/log/authproftpd.log /etc/fail2ban/filter.d/proftpd.conf'

    Running tests
    =============

    Use regex file : /etc/fail2ban/filter.d/proftpd.conf
    Use log file : /var/log/authproftpd.log

    Results
    =======

    Failregex
    |- Regular expressions:
    |  [1] \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
    |  [2] \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
    |  [3] \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
    |  [4] \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$
    |  [5] ^<HOST> .* ftp .*PASS .* 530
    |
    `- Number of matches:
       [1] 0 match(es)
       [2] 0 match(es)
       [3] 0 match(es)
       [4] 0 match(es)
       [5] 54 match(es)

    Ignoreregex
    |- Regular expressions:
    |
    `- Number of matches:

    Summary
    =======

    Addresses found:
    [1]
    [2]
    [3]
    [4]
    [5]
        x.x.x.x (Sun Aug 24 11:50:00 2008)
        x.x.x.x (Sun Aug 24 11:51:50 2008)
        x.x.x.x (Sun Aug 24 11:51:53 2008)
        x.x.x.x (Sun Aug 24 11:51:56 2008)
        x.x.x.x (Sun Aug 24 11:52:00 2008)
        x.x.x.x (Sun Aug 24 11:52:03 2008)
        x.x.x.x (Sun Aug 24 11:52:06 2008)
        x.x.x.x (Sun Aug 24 11:52:08 2008)
        x.x.x.x (Sun Aug 24 11:52:11 2008)
        x.x.x.x (Sun Aug 24 11:52:14 2008)
        x.x.x.x (Sun Aug 24 11:52:18 2008)
        x.x.x.x (Sun Aug 24 11:52:20 2008)
        x.x.x.x (Sun Aug 24 11:52:22 2008)
        x.x.x.x (Sun Aug 24 11:56:57 2008)
        x.x.x.x (Sun Aug 24 11:57:02 2008)
        x.x.x.x (Sun Aug 24 11:57:05 2008)
        x.x.x.x (Sun Aug 24 11:57:08 2008)
        x.x.x.x (Sun Aug 24 11:57:10 2008)
        x.x.x.x (Sun Aug 24 11:57:12 2008)
        x.x.x.x (Sun Aug 24 11:57:15 2008)
        x.x.x.x (Sun Aug 24 11:57:17 2008)
        x.x.x.x (Sun Aug 24 11:57:19 2008)
        x.x.x.x (Sun Aug 24 11:57:21 2008)
        x.x.x.x (Sun Aug 24 11:57:24 2008)
        x.x.x.x (Sun Aug 24 11:57:26 2008)
        x.x.x.x (Sun Aug 24 11:57:28 2008)
        x.x.x.x (Sun Aug 24 11:57:30 2008)
        x.x.x.x (Sun Aug 24 11:57:33 2008)
        x.x.x.x (Sun Aug 24 11:57:37 2008)
        x.x.x.x (Sun Aug 24 11:57:41 2008)
        x.x.x.x (Sun Aug 24 11:57:43 2008)
        x.x.x.x (Sun Aug 24 20:50:01 2008)
        x.x.x.x (Sun Aug 24 20:50:05 2008)
        x.x.x.x (Sun Aug 24 20:50:11 2008)
        x.x.x.x (Sun Aug 24 20:50:15 2008)
        x.x.x.x (Sun Aug 24 20:50:18 2008)
        x.x.x.x (Sun Aug 24 20:50:21 2008)
        x.x.x.x (Sun Aug 24 20:50:24 2008)
        x.x.x.x (Sun Aug 24 20:50:26 2008)
        x.x.x.x (Sun Aug 24 20:50:30 2008)
        x.x.x.x (Sun Aug 24 20:50:32 2008)
        x.x.x.x (Sun Aug 24 20:50:35 2008)
        x.x.x.x (Sun Aug 24 20:50:38 2008)
        x.x.x.x (Sun Aug 24 20:50:41 2008)
        x.x.x.x (Sun Aug 24 20:50:43 2008)
        x.x.x.x (Sun Aug 24 20:50:46 2008)
        x.x.x.x (Sun Aug 24 20:50:49 2008)
        x.x.x.x (Sun Aug 24 20:50:51 2008)
        x.x.x.x (Sun Aug 24 20:50:53 2008)
        x.x.x.x (Sun Aug 24 20:50:56 2008)
        x.x.x.x (Sun Aug 24 20:50:58 2008)
        x.x.x.x (Sun Aug 24 20:51:01 2008)
        x.x.x.x (Sun Aug 24 20:51:03 2008)
        x.x.x.x (Mon Aug 25 10:02:51 2008)

    Date template hits:
    0 hit(s): Month Day Hour:Minute:Second
    0 hit(s): Weekday Month Day Hour:Minute:Second Year
    0 hit(s): Weekday Month Day Hour:Minute:Second
    0 hit(s): Year/Month/Day Hour:Minute:Second
    0 hit(s): Day/Month/Year Hour:Minute:Second
    1754 hit(s): Day/Month/Year:Hour:Minute:Second
    0 hit(s): Year-Month-Day Hour:Minute:Second
    0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
    0 hit(s): TAI64N
    0 hit(s): Epoch
    0 hit(s): ISO 8601

    Success, the total number of match is 54

    However, look at the above section 'Running tests' which could contain important
    information.

-----Original Message-----
From: fai...@li... [mailto:fai...@li...] On Behalf Of René Berber
Sent: Monday, 25 August 2008 20:57
To: fai...@li...
Subject: Re: [Fail2ban-users] Filter for proftpd

Marcus Müller wrote:

> Yes, I restarted the proftpd. Only this kind of information was
> listed in authproftpd.log:
>
> x.x.x.x UNKNOWN ftp [25/Aug/2008:10:02:51 +0200] "USER mmuster" 331 -
> x.x.x.x UNKNOWN ftp [25/Aug/2008:10:02:51 +0200] "PASS (hidden)" 530 -

A different regex is needed, to take into consideration the change in
format (also an extra blank I added that was wrong), try adding to
proftpd.conf (after the other 4 regexes):

    ^<HOST> .* ftp .*PASS .* 530

Test as before, no need to restart proftpd, just 'fail2ban-regex
/var/log/authproftpd.log /etc/fail2ban/filter.d/proftpd.conf'.

--
René Berber
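Added example, not part of the original thread and not fail2ban's own code: a small Python harness that runs the five failregex entries from the message against both log formats, showing why only rule [5] fires on the access-log style lines in authproftpd.log. The `<HOST>` expansion is a simplified stand-in, and the sample lines are constructed (203.0.113.5 replaces the redacted x.x.x.x; the syslog-style line is an assumed example of the format rules [1]-[4] were written for).

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag expansion (assumption).
HOST = r"(?P<host>\S+)"

# The five failregex entries exactly as listed in the message.
FAILREGEX = [
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$",
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$",
    r"\(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$",
    r"\(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$",
    r"^<HOST> .* ftp .*PASS .* 530",
]
COMPILED = [re.compile(r.replace("<HOST>", HOST)) for r in FAILREGEX]

# Constructed sample lines in the access-log format quoted in the thread.
EXT_USER = '203.0.113.5 UNKNOWN ftp [25/Aug/2008:10:02:51 +0200] "USER mmuster" 331 -'
EXT_PASS_FAIL = '203.0.113.5 UNKNOWN ftp [25/Aug/2008:10:02:51 +0200] "PASS (hidden)" 530 -'
EXT_PASS_OK = '203.0.113.5 UNKNOWN ftp [25/Aug/2008:10:03:07 +0200] "PASS (hidden)" 230 -'
# Constructed syslog-style line (assumed format targeted by rules [1]-[4]).
CLASSIC_FAIL = ("Aug 25 10:02:51 srv proftpd[4321]: srv (203.0.113.5[203.0.113.5])"
                " - USER mmuster (Login failed): Incorrect password.")


def classify(line):
    """Return (rule_number, host) for the first failregex that matches, else None."""
    for number, pattern in enumerate(COMPILED, start=1):
        match = pattern.search(line)
        if match:
            return number, match.group("host")
    return None


def failures_per_host(lines):
    """Count matching lines per source address, the tally a ban decision is based on."""
    hits = (classify(line) for line in lines)
    return Counter(hit[1] for hit in hits if hit)


if __name__ == "__main__":
    for sample in (EXT_USER, EXT_PASS_FAIL, EXT_PASS_OK, CLASSIC_FAIL):
        print(classify(sample), "<-", sample)
```

Because rule [5] anchors `<HOST>` at the start of the line, the banned address is always the first field, and only `PASS` lines with reply code 530 count; the `USER` line and a successful login are ignored.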