Fail2Ban Regex

[Red]

Hello all,

I want to configure Fail2Ban on my server, I've installed the latest version from source.
I've enabled the ProFTPd filtering but it doesn't work. I think I need to modify the regex for ProFTPd logs.
Can someone help me?

An example of my log file is (/var/log/proftpd/auth.log):

ProFTPd [20299] XXX.XXX.XXX.XXX [26/Dec/2009:18:10:04 +0300] "USER admin" 331
ProFTPd [20299] XXX.XXX.XXX.XXX [26/Dec/2009:16:10:06 +0100] "PASS (hidden)" 530

The regex for ProFTPd is:

failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
            \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
            \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
            \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$

What I need to modify?

Thanks.

 

[Red]

Ok, I hope this can help someone.
Modify the file /etc/fail2ban/filter.d/proftpd.conf

failregex = failregex = (.*) (.*) <HOST> (.*) (.*) 530

Also, modify the jail.conf file and set the log file that fail2ban watch to /var/log/proftpd/auth.log

It's work well on my system.

 

[interfasys]

In case this ends up being someone search's result
with log format

LogFormat               auth    "%v [%P] %h %t \"%r\" %s"

you can use

\[(.*)\] <HOST> \[(.*)\] (.*) 530 *$