Hi Cyril once again,

I actually reworked that patch a bit so we don't need to come to the same issue once again -- please see the patch (also I added $ for pure-ftpd's failregex, I believe -- that needs to be checked).

Cheers
Yarik

Roderick, sorry about the delay and thanks for the report.

Hi Cyril!

Here is a tiny bug report from a Debian user. We should tune up pure-ftpd's failregex a bit (and maybe actually some other services as well, since this logging behavior is quite common). I thought it would be easier simply to accomplish it upstream for the next release you have.

Cheers
Yarik

On Fri, 25 May 2007, Roderick Schertler wrote:
> Package: fail2ban
> Version: 0.8.0-2
> Severity: normal
> Tags: patch
>
> filter.d/pure-ftpd.conf doesn't work if pure-ftpd has the LogPID option on.
> In this case the logged lines look like:
>
> May 25 20:52:47 gopher pure-ftpd[26108]: ([EMAIL PROTECTED]) [WARNING]
> Authentication failed for user [TST001-test]
>
> Here is a fix.
>
> --- pure-ftpd.conf.~1~ Mon Mar 19 16:24:39 2007 > +++ pure-ftpd.conf Fri May 25 16:59:24 2007 > @@ -19,7 +19,7 @@ > # (?:::f{4,6}:)?(?P<host>\S+) > # Values: TEXT > -failregex = pure-ftpd: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$ > +failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s > \[.+\]$ > # Option: ignoreregex > # Notes.: regex to ignore. If this regex matches, the line is ignored.

--
Yaroslav Halchenko
Research Assistant, Psychology Department, Rutgers-Newark
Student Ph.D. @ CS Dept. NJIT
Office: (973) 353-5440x263 | FWD: 82823 | Fax: (973) 353-1171
101 Warren Str, Smith Hall, Rm 4-105, Newark NJ 07102
WWW: http://www.linkedin.com/in/yarik
#! /bin/sh /usr/share/dpatch/dpatch-run ## 00_daemon_pids.dpatch by Yaroslav Halchenko <[EMAIL PROTECTED]> ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: Optional PID entry which might not be present due to configuration. Also failregex for wu-ftpd got hardened with $ at the end. @DPATCH@ diff -urNad trunk~/config/filter.d/pure-ftpd.conf trunk/config/filter.d/pure-ftpd.conf --- trunk~/config/filter.d/pure-ftpd.conf 2007-05-05 21:30:21.000000000 -0400 +++ trunk/config/filter.d/pure-ftpd.conf 2007-06-19 23:08:40.000000000 -0400 @@ -19,7 +19,7 @@ # (?:::f{4,6}:)?(?P<host>\S+) # Values: TEXT # -failregex = pure-ftpd: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$ +failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. diff -urNad trunk~/config/filter.d/sshd-ddos.conf trunk/config/filter.d/sshd-ddos.conf --- trunk~/config/filter.d/sshd-ddos.conf 2007-05-05 21:30:21.000000000 -0400 +++ trunk/config/filter.d/sshd-ddos.conf 2007-06-19 23:09:56.000000000 -0400 @@ -14,7 +14,7 @@ # (?:::f{4,6}:)?(?P<host>\S+) # Values: TEXT # -failregex = sshd\[\S*\]: Did not receive identification string from <HOST> +failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. diff -urNad trunk~/config/filter.d/vsftpd.conf trunk/config/filter.d/vsftpd.conf --- trunk~/config/filter.d/vsftpd.conf 2007-05-05 21:30:21.000000000 -0400 +++ trunk/config/filter.d/vsftpd.conf 2007-06-19 23:10:26.000000000 -0400 
@@ -14,7 +14,7 @@ # (?:::f{4,6}:)?(?P<host>\S+) # Values: TEXT # -failregex = vsftpd: .* authentication failure; .* rhost=<HOST>$ +failregex = vsftpd(?:\[\d+\])?: .* authentication failure; .* rhost=<HOST>$ \[.+\] FAIL LOGIN: Client "<HOST>"$ # Option: ignoreregex diff -urNad trunk~/config/filter.d/wuftpd.conf trunk/config/filter.d/wuftpd.conf --- trunk~/config/filter.d/wuftpd.conf 2007-05-05 21:30:21.000000000 -0400 +++ trunk/config/filter.d/wuftpd.conf 2007-06-19 23:11:59.000000000 -0400 @@ -11,4 +11,4 @@ # Notes.: regex to match the password failures messages in the logfile. # Values: TEXT # -failregex = wu-ftpd\[\d+\]:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST> +failregex = wu-ftpd(?:\[\d+\])?:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>$
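Review bot: in the pure-ftpd.conf hunk, the parentheses in `(.+?@<HOST>)` on the `+failregex` line are still unescaped, so they form a regex group instead of matching the literal parentheses that surround the user@host field in the reported log line. Since the comment in the same hunk shows `<HOST>` expanding to `(?:::f{4,6}:)?(?P<host>\S+)`, the `\S+` can take the closing `)` into the host capture. While this line is being changed anyway, consider `\(.+?@<HOST>\)` so the captured host is clean, and check it against a LogPID line like the one in the report.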
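Review bot: the `$` appended after `<HOST>` on the `+failregex` line of the sshd-ddos.conf hunk is not covered by the `## DP:` description, which only mentions the optional PID and a `$` for wu-ftpd. The same line also narrows `\[\S*\]` to digits only via `(?:\[\d+\])?`. Both are behaviour changes beyond "optional PID": with the anchor, any text following the host on the log line stops the match. Please list these in the description and confirm with sample log lines that nothing follows the address.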
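Review bot: in the wuftpd.conf hunk, the new trailing `$` on `rhost=<HOST>$` requires `rhost=` to be the last field of the line, while the pattern comes from a `(pam_unix)` message whose full field list is not shown here. If the logged line carries any field after `rhost=` (a trailing `user=` entry, for instance), those failures will silently stop matching and the offending host will never be counted. Before merging, test the pattern against real wu-ftpd failure lines for both existing and non-existing accounts; if a trailing field can appear, allow it explicitly before the anchor instead of ending at `<HOST>$`.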