|
|
| Line 1: |
Line 1: |
| − | failregex = USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$
| + | Porno Videos Best Sex Porn Tube <a href=http://forums.lfgcomic.com/index.php?showuser=12939>SEX ANIMAL TUBE</a> , [url=http://forums.lfgcomic.com/index.php?showuser=12939]SEX ANIMAL TUBE[/url] , http://forums.lfgcomic.com/index.php?showuser=12939 - SEX ANIMAL TUBE , |
| − | | + | <a href=http://www.theuberfall.com/forums/index.php?showuser=377>FREE ANIMAL PORN CLIPS</a> , [url=http://www.theuberfall.com/forums/index.php?showuser=377]FREE ANIMAL PORN CLIPS[/url] , http://www.theuberfall.com/forums/index.php?showuser=377 - FREE ANIMAL PORN CLIPS , |
| − | /var/log/secure:Jul 3 14:33:30 xkmail proftpd[12639]: xkmail.hopto.org | |
| − | (pe1950-2.sni.ne.jp[61.7.1.109]) - USER adriana: no such user found from
| |
| − | pe1950-2.sni.ne.jp [61.7.1.109] to 71.105.58.80:21
| |
| − | | |
| − | I got hit by this about 1400 times today but fail2ban did not jail ip address.
| |
| − | | |
| − | Is the jail.conf wrong?
| |
| − | kevin@xkmail.hopto.org ver .80 fedora 4
| |
| − | | |
| − | <pre> | |
| − | # Fail2Ban configuration file
| |
| − | #
| |
| − | # Author: Yaroslav Halchenko
| |
| − | #
| |
| − | # $Revision: 510 $
| |
| − | #
| |
| − | | |
| − | [Definition] | |
| − | | |
| − | # Option: failregex
| |
| − | # Notes.: regex to match the password failures messages in the logfile. The
| |
| − | # host must be matched by a group named "host". The tag "<HOST>" can
| |
| − | # be used for standard IP/hostname matching and is only an alias for
| |
| − | # (?:::f{4,6}:)?(?P<host>\S+)
| |
| − | # Values: TEXT
| |
| − | #
| |
| − | failregex = USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$
| |
| − | | |
| − | # Option: ignoreregex
| |
| − | # Notes.: regex to ignore. If this regex matches, the line is ignored.
| |
| − | # Values: TEXT
| |
| − | #
| |
| − | ignoreregex =
| |
| − | </pre> | |
| − | | |
| − | <pre>
| |
| − | As Yaroslav Halchenko mentioned right in the mailing list each failregex has
| |
| − | to contain \s+$ at the end, expect the one for "no such user found from" there
| |
| − | is a \s* for zero or more whitespaces needed.
| |
| − | | |
| − | [Definition]
| |
| − | | |
| − | # Option: failregex
| |
| − | # Notes.: regex to match the password failures messages in the logfile. The
| |
| − | # host must be matched by a group named "host". The tag "<HOST>" can
| |
| − | # be used for standard IP/hostname matching and is only an alias for
| |
| − | # (?:::f{4,6}:)?(?P<host>\S+)
| |
| − | # Values: TEXT
| |
| − | #
| |
| − | # failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+$
| |
| − | failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+\s*$
| |
| − | \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.\s+$
| |
| − | \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): No such user found\.\s+$
| |
| − | \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.\s+$
| |
| − | \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded\s+$
| |
| − | | |
| − | # Option: ignoreregex
| |
| − | # Notes.: regex to ignore. If this regex matches, the line is ignored.
| |
| − | # Values: TEXT
| |
| − | #
| |
| − | ignoreregex =
| |
| − | | |
| − | I've just tested it with fail2ban 0.8.2-3 on Debian etch 4.0 Before this change i had also the problem,
| |
| − | that fail2ban didn't react on bad login attempts on ftp.
| |
| − | </pre>
| |
