Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > Linux Forums > Server Operation
Reload this Page fail2ban(-regex) not recognizing proftpd logs
Register FAQ Members List Social Groups Calendar Search Today's Posts Mark Forums Read

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 18th May 2009, 02:54
lartis lartis is offline
Junior Member
  
Join Date: May 2009
Posts: 3
Thanks: 1
Thanked 1 Time in 1 Post
Default fail2ban(-regex) not recognizing proftpd logs
hi all,

i have a redhat el5 vserver and got fail2ban working for ssh without any problems. i wanted to add support for proftpd today.

the fail2ban-regex test tool doesnt find any matches for the following proftpd.conf:

Quote:
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 677 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
\(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
\(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

log from /var/log/secure with failed logins looks like this:
Quote:
May 18 01:17:38 mymachinehostname proftpd[24440]: my.hostname.com (12.345.67.89[12.345.67.89]) - USER testingfail2ban: no such user found from 12.345.67.89[12.345.67.89] to 11.222.333.44:21
"fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/proftpd.conf" gives me:
Quote:
Running tests
=============

Use regex file : /etc/fail2ban/filter.d/proftpd.conf
Use log file : /var/log/secure


Results
=======

Failregex
|- Regular expressions:
| [1] \w+<HOST>[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
| [2] \w+<HOST>[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
| [3] \w+<HOST>[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
| [4] \w+<HOST>[: -]+ Maximum login attempts \(\d+\) exceeded$
|
`- Number of matches:
[1] 0 match(es)
[2] 0 match(es)
[3] 0 match(es)
[4] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match
any hints would be greatly appreciated,
thx guys
Last edited by lartis; 18th May 2009 at 02:57.
Reply With Quote
Sponsored Links
  #2  
Old 18th May 2009, 11:16
falko falko is offline
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,665
Thanks: 1,896
Thanked 2,594 Times in 2,445 Posts
Default
What's in /etc/fail2ban/jail.local?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
  #3  
Old 18th May 2009, 11:21
lartis lartis is offline
Junior Member
  
Join Date: May 2009
Posts: 3
Thanks: 1
Thanked 1 Time in 1 Post
Default
hey thanks for your answer,
i dont have a jail.local, for now i edited all the confs themselves
Reply With Quote
  #4  
Old 19th May 2009, 05:01
lartis lartis is offline
Junior Member
  
Join Date: May 2009
Posts: 3
Thanks: 1
Thanked 1 Time in 1 Post
Default
quick update maybe i can help someone:

i just wrote my own proftpd.conf with my poor regex skills but now theyre recognized properly, maybe too dirty for bigger / more complicated systems


Quote:
failregex = ^(.)+proftpd(.)+\[<HOST>\](.)*no such user found from (.)* to (.)*$
^(.)+proftpd(.)+\[<HOST>\](.)*USER(.)*Login failed(.)*Incorrect password(.)*$
^(.)+proftpd(.)+\[<HOST>\](.)*SECURITY VIOLATION:(.)*login attempted(.)*$
^(.)+proftpd(.)+\[<HOST>\](.)*Maximum login attempts(.)*exceeded(.)*$
Reply With Quote
The Following User Says Thank You to lartis For This Useful Post:
marpada (28th May 2009)
  #5  
Old 28th May 2009, 19:42
marpada marpada is offline
Senior Member
  
Join Date: Sep 2008
Posts: 139
Thanks: 2
Thanked 14 Times in 14 Posts
 
Default
Thank you very much lartis,

Also wasted a few hours trying to make the default regex too work but just got a headache
________
Zx14 Vs Hayabusa
________
MARIJUANA BUBBLER
Last edited by marpada; 13th May 2011 at 02:07.
Reply With Quote
The Following User Says Thank You to marpada For This Useful Post:
lartis (28th May 2009)
Reply

Bookmarks

Tags
fail2ban, fail2ban-regex, proftpd

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
fail2ban Logs AdrianSmithUK Installation/Configuration 9 7th April 2009 14:07
ProFTPd + MySQL refuses to work mongoose643 Server Operation 2 19th October 2008 16:43
Need fail2ban regex for apache with ISPConfig AlArenal Server Operation 3 19th May 2008 21:44
proftpd virtual host not working DaddyFix Installation/Configuration 6 19th April 2006 19:59
Im thinking about throwing proftpd to the trashcan danf.1979 Installation/Configuration 2 23rd December 2005 09:27


All times are GMT +2. The time now is 11:18.

Contact Us - HowtoForge - Linux Howtos and Tutorials - Archive - Top

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2013, vBulletin Solutions, Inc.