fail2ban Regex for net2ftp and pure-ftpd

Discussion in 'Server Operation' started by erosbk, Apr 23, 2011.

  1. erosbk

    erosbk New Member

    Hello people, I need your help with a little regex for fail2ban :p

    These are some lines of my log file:

    Apr 23 03:07:19 web1 net2ftp: 2011-04-23 03:07:19 190.172.99.244 53059 /webftp/index.php 0 0 localhost xftp browse main 1
    Apr 23 03:07:19 web1 pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Apr 23 03:07:19 web1 pure-ftpd: (?@127.0.0.1) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with DHE-RSA-AES256-SHA, 256 secret bits cipher
    Apr 23 03:07:24 web1 pure-ftpd: (?@127.0.0.1) [WARNING] Authentication failed for user [xftp]
    Apr 23 03:07:24 web1 pure-ftpd: (?@127.0.0.1) [INFO] Logout.

    This is my current /etc/fail2ban/filter.d/pureftpd.conf

    [Definition]
    failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
    ignoreregex =

    I need to modify the pure-ftpd regex so that it also catches net2ftp login failures, could you help me pls? I don't want to ban my own address (127.0.0.1), so I need to catch the IP from net2ftp first... thanks!

    ____________________________________________

    I made this script to install net2ftp on Debian 6, use it if you want (at your own risk :p)

    #!/bin/bash

    # Ask for the Apache alias, the FTP server net2ftp may reach, and the admin mail.
    echo -e "Alias webftp (eg. xxxftp): \c"
    read -r aliaswebftp

    echo -e "URL FTP server (eg. ftp.xxx.com.ar): \c"
    read -r ftpserver

    echo -e "Admin mail ([email protected]): \c"
    read -r adminmail

    # Download and unpack net2ftp, then move the web files into place.
    cd /tmp || exit 1
    wget http://www.net2ftp.com/download/net2ftp_v0.98.zip
    unzip net2ftp_v0.98.zip
    mv /tmp/net2ftp_v0.98/files_to_upload /var/lib/net2ftp
    # Remove only what this script created, not everything under /tmp.
    rm -rf /tmp/net2ftp_v0.98 /tmp/net2ftp_v0.98.zip

    # Publish /var/lib/net2ftp under the chosen alias.
    echo "Alias /$aliaswebftp /var/lib/net2ftp" > /etc/apache2/conf.d/net2ftp.conf
    echo "" >> /etc/apache2/conf.d/net2ftp.conf
    echo "<Directory /var/lib/net2ftp>" >> /etc/apache2/conf.d/net2ftp.conf
    echo " AllowOverride None" >> /etc/apache2/conf.d/net2ftp.conf
    echo " Order deny,allow" >> /etc/apache2/conf.d/net2ftp.conf
    echo " Allow from all" >> /etc/apache2/conf.d/net2ftp.conf
    echo "</Directory>" >> /etc/apache2/conf.d/net2ftp.conf
    echo "" >> /etc/apache2/conf.d/net2ftp.conf

    /etc/init.d/apache2 restart

    # Keep a backup of the authorizations file before editing it.
    cp /var/lib/net2ftp/settings_authorizations.inc.php /var/lib/net2ftp/settings_authorizations.inc.php.backup

    # Restrict net2ftp to the given FTP server, set the feedback address, enable syslog logging.
    sed -i 's/^$net2ftp_settings\[\"allowed_ftpservers\"\]\[1\].*/$net2ftp_settings\[\"allowed_ftpservers\"\]\[1\] = \"'"$ftpserver"'\";/' /var/lib/net2ftp/settings_authorizations.inc.php
    sed -i 's/^$net2ftp_settings\[\"email_feedback\"\].*/$net2ftp_settings\[\"email_feedback\"\] = \"'"$adminmail"'\";/' /var/lib/net2ftp/settings.inc.php
    sed -i 's/^$net2ftp_settings\[\"use_syslog\"\].*/$net2ftp_settings\[\"use_syslog\"\] = \"yes\";/' /var/lib/net2ftp/settings.inc.php
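Added example (not the poster's code, and not a fail2ban filter): a Python check that runs the quoted failregex over the quoted log lines, shows that it captures 127.0.0.1, and attributes the failure to the browser IP from the preceding net2ftp line for the same username. Assumptions: the net2ftp field order is inferred from the one sample line, `<HOST>` is replaced by a simplified IPv4 group, and the 30-second window and the name `attribute_failures` are illustrative.

```python
import re
from datetime import datetime, timedelta

# The five syslog lines quoted in the post.
LOG = """\
Apr 23 03:07:19 web1 net2ftp: 2011-04-23 03:07:19 190.172.99.244 53059 /webftp/index.php 0 0 localhost xftp browse main 1
Apr 23 03:07:19 web1 pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Apr 23 03:07:19 web1 pure-ftpd: (?@127.0.0.1) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with DHE-RSA-AES256-SHA, 256 secret bits cipher
Apr 23 03:07:24 web1 pure-ftpd: (?@127.0.0.1) [WARNING] Authentication failed for user [xftp]
Apr 23 03:07:24 web1 pure-ftpd: (?@127.0.0.1) [INFO] Logout.
""".splitlines()

YEAR = 2011  # syslog timestamps carry no year; taken from the net2ftp date field
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# The post's failregex; <HOST> is swapped for a simplified IPv4 group here
# (assumption: fail2ban's own <HOST> expansion is broader than this).
FAILREGEX = r".*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", f"(?P<host>{IPV4})"))
USER_RE = re.compile(r"failed for user \[(?P<user>[^\]]*)\]")
# net2ftp field order (date, time, client IP, port, script, two counters,
# FTP server, username) is inferred from the single sample line (assumption).
NET2FTP_RE = re.compile(
    rf"net2ftp: \S+ \S+ (?P<client>{IPV4}) \d+ \S+ \S+ \S+ \S+ (?P<user>\S+) ")

def attribute_failures(lines, window=timedelta(seconds=30)):
    """Return (host matched by failregex, user, client IP to act on) per failure."""
    last_web_login = {}  # username -> (timestamp, net2ftp client IP)
    results = []
    for line in lines:
        ts = datetime.strptime(f"{YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")
        web = NET2FTP_RE.search(line)
        if web:
            last_web_login[web["user"]] = (ts, web["client"])
            continue
        fail, u = FAIL_RE.match(line), USER_RE.search(line)
        if not (fail and u):
            continue
        user, client = u["user"], fail["host"]
        seen = last_web_login.get(user)
        # A loopback failure is net2ftp acting for a remote browser: use its IP,
        # or None when no recent net2ftp line explains it (never act on 127.x).
        if client.startswith("127."):
            client = seen[1] if seen and ts - seen[0] <= window else None
        results.append((fail["host"], user, client))
    return results

if __name__ == "__main__":
    for host, user, client in attribute_failures(LOG):
        print(f"failregex host={host} user={user} attributed client={client}")
```
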
     
