Fail2Ban Regex

Red

Hello all,

I want to configure Fail2Ban on my server. I've installed the latest version from source.
I've enabled the ProFTPd filtering but it doesn't work. I think I need to modify the regex for ProFTPd logs.
Can someone help me?

An example of my log file is (/var/log/proftpd/auth.log):
Code:
ProFTPd [20299] XXX.XXX.XXX.XXX [26/Dec/2009:18:10:04 +0300] "USER admin" 331
ProFTPd [20299] XXX.XXX.XXX.XXX [26/Dec/2009:16:10:06 +0100] "PASS (hidden)" 530

The regex for ProFTPd is:
Code:
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
            \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
            \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
            \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$

What do I need to modify?

Thanks.
 
Ok, I hope this can help someone.
Modify the file /etc/fail2ban/filter.d/proftpd.conf
Code:
failregex = (.*) (.*) <HOST> (.*) (.*) 530
Also, modify the jail.conf file and set the log file that fail2ban watches to /var/log/proftpd/auth.log

It works well on my system.
 
In case this ends up being someone's search result
with log format
Code:
LogFormat               auth    "%v [%P] %h %t \"%r\" %s"
you can use
Code:
\[(.*)\] <HOST> \[(.*)\] (.*) 530 *$
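
Added example, not part of the thread or of Fail2Ban itself: a small Python harness that runs the stock pattern and both posted patterns against sample lines in the thread's LogFormat and reports which host each would count as a failure. The `<HOST>` expansion (IPv4 only), the 192.0.2.10 address, the sample lines and the `anchored` pattern are assumptions of this example.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample lines in the thread's LogFormat: %v [%P] %h %t "%r" %s
# 192.0.2.10 is a documentation address standing in for XXX.XXX.XXX.XXX.
SAMPLE_LOG = [
    'ProFTPd [20299] 192.0.2.10 [26/Dec/2009:18:10:04 +0300] "USER admin" 331',
    'ProFTPd [20299] 192.0.2.10 [26/Dec/2009:18:10:06 +0300] "PASS (hidden)" 530',
]

FILTERS = {
    # One of the stock proftpd.conf patterns quoted in the first post.
    "stock": r"\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$",
    # Patterns posted in the replies.
    "reply_1": r"(.*) (.*) <HOST> (.*) (.*) 530",
    "reply_2": r"\[(.*)\] <HOST> \[(.*)\] (.*) 530 *$",
    # Hypothetical tighter variant (not from the thread): anchored at both
    # ends so <HOST> can only be taken from the %h field of a failed PASS.
    "anchored": r'^\S+ \[\d+\] <HOST> \[[^\]]+\] "PASS [^"]*" 530\s*$',
}


def compile_filter(failregex):
    """Expand the <HOST> tag the way this example assumes and compile it."""
    return re.compile(failregex.replace("<HOST>", HOST))


def banned_hosts(failregex, lines):
    """Return the host captured from every line the failregex matches."""
    rx = compile_filter(failregex)
    return [m.group("host") for m in map(rx.search, lines) if m]


def report(lines=SAMPLE_LOG):
    """Map each filter name to the hosts it would count as failures."""
    return {name: banned_hosts(rx, lines) for name, rx in FILTERS.items()}


if __name__ == "__main__":
    for name, hosts in report().items():
        print(f"{name:9} -> {hosts}")
```

On a real system, `fail2ban-regex /var/log/proftpd/auth.log /etc/fail2ban/filter.d/proftpd.conf` is the authoritative check, because Fail2Ban expands `<HOST>` and handles the timestamp itself.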
 