Drake

Well-Known Member
Nov 9, 2001
New Jersey
cPanel Access Level: DataCenter Provider
Hi,
Is anyone good with regex who'd be willing to lend a little assistance?

I'm trying to use Fail2Ban with cPanel's ProFTPD, which logs to /var/log/messages and not /var/log/proftpd.

Fail2Ban's original proftpd regex match to block IPs for improper proftpd passwords is as follows:

failregex = USER \S+: no such user \S* ?\[<HOST>\] to \S+\s*$
            \(\S*\[<HOST>\]\): USER \S+ \(Login failed\): Incorrect password.$


It obviously needs the host name or IP to block, and is triggered by the words "Login failed" or "Incorrect password".

However, cPanel's proftpd logs to /var/log/messages in a different format.

Here's an actual example of the invalid-FTP-user lines I am trying to block (for instance brute force, or repetitive FTP logins with invalid user names). The following is an actual line from the server's /var/log/messages that I'm trying to fit into Fail2Ban's original "failregex" format listed just above.

Dec 2 20:13:00 server7 proftpd[1943]: 6X.95.36.39 (209.51.153.106[209.51.153.106]) - no such user 'Administrator'
I'm trying to take Fail2Ban's "failregex" above and alter it so it is triggered by the words "no such user" and hence blocks the host / IP.

Someone good at regex could probably do that with their eyes closed. I'm sorry that my regex brain cells are out to lunch.

Any help appreciated,
Thanks,
Drake P.
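An added worked example, not from the original post and not Fail2Ban's own code, showing why the stock proftpd failregex misses the /var/log/messages line quoted above and how an adapted failregex pulls the attacker address out of it. It expands `<HOST>` with an approximation of Fail2Ban's own expansion (an assumption; the exact pattern varies by Fail2Ban version), strips only the syslog timestamp before matching (Fail2Ban removes the date it recognises and then searches the remainder with each failregex, which is why none of these patterns need to be anchored at the start of the line), and runs over constructed log lines modelled on the one in the post; the `maxretry=3` threshold is assumed for illustration, not read from any config.

```python
import re
from collections import Counter

# Approximation of how Fail2Ban expands the <HOST> placeholder in a failregex
# (assumption: the exact pattern differs between Fail2Ban versions).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Syslog timestamp at the start of a /var/log/messages line, e.g. "Dec 2 20:13:00 ".
# Fail2Ban strips the date it recognises and then *searches* the rest with each
# failregex, so the patterns below need no anchor at the start of the line.
SYSLOG_TS_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} ")

# The two failregex lines from Fail2Ban's stock proftpd filter, as quoted in the post.
ORIGINAL_FAILREGEX = [
    r"USER \S+: no such user \S* ?\[<HOST>\] to \S+\s*$",
    r"\(\S*\[<HOST>\]\): USER \S+ \(Login failed\): Incorrect password.$",
]

# Adapted pattern for the cPanel line quoted in the post. It pins the match to
# proftpd's syslog tag (because /var/log/messages is shared with other daemons),
# skips the field before the parentheses with \S+ without assuming what it is,
# and takes the address inside the square brackets as <HOST>.
CPANEL_FAILREGEX = [
    r"proftpd\[\d+\]: \S+ \(\S*\[<HOST>\]\) - no such user '[^']*'\s*$",
]

# Constructed sample log: the first line is the one quoted in the post, the rest
# are made up in the same format (198.51.100.7 is a documentation address).
SAMPLE_LOG = [
    "Dec 2 20:13:00 server7 proftpd[1943]: 6X.95.36.39 (209.51.153.106[209.51.153.106]) - no such user 'Administrator'",
    "Dec 2 20:13:02 server7 proftpd[1944]: 6X.95.36.39 (209.51.153.106[209.51.153.106]) - no such user 'admin'",
    "Dec 2 20:13:05 server7 proftpd[1945]: 6X.95.36.39 (209.51.153.106[209.51.153.106]) - no such user 'test'",
    "Dec 2 20:13:07 server7 proftpd[1946]: 6X.95.36.39 (198.51.100.7[198.51.100.7]) - no such user 'ftp'",
    "Dec 2 20:14:00 server7 proftpd[1950]: 6X.95.36.39 (198.51.100.7[198.51.100.7]) - FTP session closed.",
]


def compile_failregex(patterns):
    """Expand <HOST> the way Fail2Ban does and compile each failregex line."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def match_host(line, compiled):
    """Return the <HOST> captured by the first failregex that matches, else None."""
    body = SYSLOG_TS_RE.sub("", line, count=1)
    for rx in compiled:
        m = rx.search(body)
        if m:
            return m.group("host")
    return None


def find_banned(lines, patterns, maxretry=3):
    """Count failures per host and return those at or over maxretry (assumed threshold)."""
    compiled = compile_failregex(patterns)
    hits = Counter()
    for line in lines:
        host = match_host(line, compiled)
        if host:
            hits[host] += 1
    return {host: n for host, n in hits.items() if n >= maxretry}


if __name__ == "__main__":
    print("stock filter on the cPanel line:", match_host(SAMPLE_LOG[0], compile_failregex(ORIGINAL_FAILREGEX)))
    print("adapted filter on the cPanel line:", match_host(SAMPLE_LOG[0], compile_failregex(CPANEL_FAILREGEX)))
    print("hosts at or over maxretry:", find_banned(SAMPLE_LOG, CPANEL_FAILREGEX))
```

In the filter file the adapted line goes under `[Definition]` as `failregex = proftpd\[\d+\]: \S+ \(\S*\[<HOST>\]\) - no such user '[^']*'\s*$`, and the jail's `logpath` has to point at /var/log/messages rather than the proftpd log. The user name at the end of the line is attacker-chosen, which is why the pattern takes `<HOST>` from the bracketed field before the fixed `- no such user` text and pins the whole match to proftpd's syslog tag instead of matching on the phrase alone. The post shows no cPanel-format line for a wrong password on an existing account, so only the "no such user" case is covered here; a second failregex line for that case would need a real sample line in the same format.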