15th October 2008, 06:41
tristanlee85

Here is my ProFTPD regex:

Code:
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+$
            \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
            \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
            \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$
and here is an example from /var/log/secure:

Code:
Oct 15 00:35:50 ns1 proftpd[15941]: ns1.cfcoding.com (::ffff:65.24.28.114[::ffff:65.24.28.114]) - USER web3_cfcodin: no such user found from ::ffff:65.24.28.114 [::ffff:65.24.28.114] to ::ffff:192.168.1.150:21 
Oct 15 00:35:53 ns1 proftpd[15941]: ns1.cfcoding.com (::ffff:65.24.28.114[::ffff:65.24.28.114]) - FTP session closed. 
Oct 15 00:35:55 ns1 proftpd[15945]: ns1.cfcoding.com (::ffff:65.24.28.114[::ffff:65.24.28.114]) - USER web3_cfcodin: no such user found from ::ffff:65.24.28.114 [::ffff:65.24.28.114] to ::ffff:192.168.1.150:21 
Oct 15 00:35:57 ns1 proftpd[15945]: ns1.cfcoding.com (::ffff:65.24.28.114[::ffff:65.24.28.114]) - FTP session closed. 
Oct 15 00:36:00 ns1 proftpd[15946]: ns1.cfcoding.com (::ffff:65.24.28.114[::ffff:65.24.28.114]) - USER web3_cfcodin: no such user found from ::ffff:65.24.28.114 [::ffff:65.24.28.114] to ::ffff:192.168.1.150:21 
Oct 15 00:36:03 ns1 proftpd[15946]: ns1.cfcoding.com (::ffff:65.24.28.114[::ffff:65.24.28.114]) - FTP session closed.
I tried to fail login, but it didn't block me. Here is my log for fail2ban:

Code:
2008-10-15 00:30:24,783 fail2ban.actions.action: INFO   Set actionCheck = 
2008-10-15 00:30:25,706 fail2ban.actions.action: ERROR  iptables -N fail2ban-SSH
iptables -A fail2ban-SSH -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 400
2008-10-15 00:30:25,708 fail2ban.actions.action: ERROR  iptables -N fail2ban-VSFTPD
iptables -A fail2ban-VSFTPD -j RETURN
iptables -I INPUT -p tcp --dport ftp -j fail2ban-VSFTPD returned 400
2008-10-15 00:30:25,831 fail2ban.actions.action: ERROR  iptables -N fail2ban-ProFTPD
iptables -A fail2ban-ProFTPD -j RETURN
iptables -I INPUT -p tcp --dport ftp -j fail2ban-ProFTPD returned 400
__________________
ColdFusion Coding, Blog, and Forum
www.cfcoding.com
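A way to check the first posted failregex against the /var/log/secure sample outside fail2ban, as an added example that is not part of the original post. It assumes fail2ban expands `<HOST>` to the pattern in `HOST` below; `VARIANT` and the IPv4-only log line are constructed for comparison.

```python
import re

# Assumption: fail2ban 0.8-era expansion of the <HOST> tag.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# First failregex line exactly as posted.
POSTED = (r"\(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found "
          r"from \S+ \[[0-9.]+\] to \S+:\S+$")

# Hypothetical variant: the second bracket accepts any non-space text,
# so an IPv4-mapped address (::ffff:a.b.c.d) is allowed there too.
VARIANT = POSTED.replace(r"\[[0-9.]+\]", r"\[\S+\]")

# Two lines copied from the posted log sample.
MAPPED_FAIL = ("Oct 15 00:35:50 ns1 proftpd[15941]: ns1.cfcoding.com "
               "(::ffff:65.24.28.114[::ffff:65.24.28.114]) - USER web3_cfcodin: "
               "no such user found from ::ffff:65.24.28.114 "
               "[::ffff:65.24.28.114] to ::ffff:192.168.1.150:21 ")
SESSION_CLOSED = ("Oct 15 00:35:53 ns1 proftpd[15941]: ns1.cfcoding.com "
                  "(::ffff:65.24.28.114[::ffff:65.24.28.114]) - FTP session closed. ")

# Constructed line: the same event logged with plain IPv4 addresses.
PLAIN_FAIL = ("Oct 15 00:35:50 ns1 proftpd[15941]: ns1.example.com "
              "(192.0.2.10[192.0.2.10]) - USER demo: no such user found "
              "from 192.0.2.10 [192.0.2.10] to 192.0.2.1:21")


def find_host(failregex, line):
    """Return the address captured by <HOST>, or None when the line does not match."""
    pattern = failregex.replace("<HOST>", HOST)
    # Strip trailing whitespace so the $ anchor sees the real end of the message.
    match = re.search(pattern, line.rstrip())
    return match.group("host") if match else None


if __name__ == "__main__":
    for name, rx in (("posted", POSTED), ("variant", VARIANT)):
        for label, line in (("mapped", MAPPED_FAIL),
                            ("closed", SESSION_CLOSED),
                            ("plain", PLAIN_FAIL)):
            print(f"{name:8} {label:7} -> {find_host(rx, line)}")
```

The posted pattern returns no host for the sample line because `\[[0-9.]+\]` cannot match the bracketed `::ffff:` address, while the same pattern does match the constructed plain-IPv4 line.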