fail2ban Regex for net2ftp and pure-ftpd

Discussion in 'Server Operation' started by erosbk, Apr 23, 2011.

  1. erosbk

    erosbk New Member

    Hello people, I am needing your help with a little regex for fail2ban :p

    These are some lines of my log file:

    Apr 23 03:07:19 web1 net2ftp: 2011-04-23 03:07:19 53059 /webftp/index.php 0 0 localhost xftp browse main 1
    Apr 23 03:07:19 web1 pure-ftpd: ([email protected]) [INFO] New connection from
    Apr 23 03:07:19 web1 pure-ftpd: ([email protected]) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with DHE-RSA-AES256-SHA, 256 secret bits cipher
    Apr 23 03:07:24 web1 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [xftp]
    Apr 23 03:07:24 web1 pure-ftpd: ([email protected]) [INFO] Logout.

    This is my current /etc/fail2ban/filter.d/pureftpd.conf

    failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
    ignoreregex =

    I need to modify the regex of pure-ftpd in order to catch too net2ftp login failures, could you help me pls? I don't want to ban my own address (, so, I need to catch firt the IP from net2ftp... thanks!


    I made this script to install net2ftp in debian 6, use it if you want (at your own risk :p)


    echo -e "Alias webftp (eg. xxxftp): \c"
    read aliaswebftp

    echo -e "URL FTP server (eg. \c"
    read ftpserver

    echo -e "Admin mail ([email protected]): \c"
    read adminmail

    cd /tmp
    mv /tmp/net2ftp_v0.98/files_to_upload /var/lib/net2ftp
    rm -rf /tmp/*

    echo 'Alias /'$aliaswebftp /var/lib/net2ftp > /etc/apache2/conf.d/net2ftp.conf
    echo "" >> /etc/apache2/conf.d/net2ftp.conf
    echo "<Directory /var/lib/net2ftp>" >> /etc/apache2/conf.d/net2ftp.conf
    echo " AllowOverride None" >> /etc/apache2/conf.d/net2ftp.conf
    echo " Order deny,allow" >> /etc/apache2/conf.d/net2ftp.conf
    echo " Allow from all" >> /etc/apache2/conf.d/net2ftp.conf
    echo "</Directory>" >> /etc/apache2/conf.d/net2ftp.conf
    echo "" >> /etc/apache2/conf.d/net2ftp.conf

    /etc/init.d/apache2 restart

    cp /var/lib/net2ftp/ /var/lib/net2ftp/

    sed -i 's/^$net2ftp_settings\[\"allowed_ftpservers\"\]\[1\].*/$net2ftp_settings\[\"allowed_ftpservers\"\]\[1\] = \"'$ftpserver'\";/' /var/lib/net2ftp/
    sed -i 's/^$net2ftp_settings\[\"email_feedback\"\].*/$net2ftp_settings\[\"email_feedback\"\] = \"'$adminmail'\";/' /var/lib/net2ftp/
    sed -i 's/^$net2ftp_settings\[\"use_syslog\"\].*/$net2ftp_settings\[\"use_syslog\"\] = \"yes\";/' /var/lib/net2ftp/

Share This Page