Package: fail2ban
Version: 0.8.3-2
Severity: normal

fail2ban fails to detect proftpd login attempts with unknown users.
proftpd logs unknown users like this:

---CUT---
Dec  6 14:10:31 hel proftpd[24498]: dist.bestsolution.at \
(202.143.142.166[202.143.142.166]) - USER Administrator: no such \
user found from 202.143.142.166 [202.143.142.166] to 81.16.98.107:21
---CUT---

/etc/fail2ban/filters.d/proftpd.conf contains this line to match those lines:

---CUT---
\(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
---CUT---

Using this line with fail2ban-regex gives zero matches; changing the line to

---CUT---
\(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+
---CUT---

finally matches all the failed login attempts.

So for reasons unknown EOL matching does not work as intended, at least with
proftpd log entries.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.22-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages fail2ban depends on:
ii  lsb-base                      3.2-18     Linux Standard Base 3.2 init scrip
ii  python                        2.5.2-3    An interactive high-level object-o
ii  python-central                0.6.8      register and build utility for Pyt

Versions of packages fail2ban recommends:
ii  iptables                1.3.8.0debian1-1 administration tools for packet fi
ii  whois                   4.7.24           the GNU whois client

-- no debconf information
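
One way to check how the two patterns above behave when the log line carries different line endings, as an added example that is not part of the original report or fail2ban's own code. The `<HOST>` expansion is a simplified IPv4-only stand-in, and the line endings are constructed test inputs, not taken from the reporter's log file.

```python
import re

# Constructed sample: the log line from the report, joined onto one line.
LOG_LINE = (
    "Dec  6 14:10:31 hel proftpd[24498]: dist.bestsolution.at "
    "(202.143.142.166[202.143.142.166]) - USER Administrator: no such "
    "user found from 202.143.142.166 [202.143.142.166] to 81.16.98.107:21"
)

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two failregex variants quoted in the report.
ANCHORED = (r"\(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found "
            r"from \S+ \[\S+\] to \S+:\S+$")
UNANCHORED = ANCHORED[:-1]  # same pattern without the trailing "$"

# Constructed line endings a log reader might hand to the matcher.
ENDINGS = {"none": "", "LF": "\n", "space": " ",
           "CRLF": "\r\n", "space+LF": " \n"}


def compile_filter(failregex):
    """Expand <HOST> and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST))


def probe(failregex, line=LOG_LINE):
    """Return {ending name: captured host or None} for each ending."""
    rx = compile_filter(failregex)
    result = {}
    for name, tail in ENDINGS.items():
        m = rx.search(line + tail)
        result[name] = m.group("host") if m else None
    return result


if __name__ == "__main__":
    for label, pattern in (("with $", ANCHORED), ("without $", UNANCHORED)):
        print(label)
        for name, host in probe(pattern).items():
            print("  %-9s -> %s" % (name, host or "NO MATCH"))
```

In Python's `re`, `$` matches at the end of the string or just before a single trailing newline, so `\S+$` still fails when a space or carriage return follows the port number.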


