
Regex Help Needed

Discussion in 'General Discussion' started by Drake, Dec 2, 2007.

  1. Drake

    Hi,
    Anyone good with regex who'd be willing to lend a little assistance?

    I'm trying to use Fail2Ban with cPanel's ProFTPD, which logs into /var/log/messages and not /var/log/proftpd

    Fail2Ban's original proftpd regex match to block IPs for improper proftpd passwords is as follows:

    failregex = USER \S+: no such user \S* ?\[<HOST>\] to \S+\s*$
                \(\S*\[<HOST>\]\): USER \S+ \(Login failed\): Incorrect password.$


    It obviously needs the host name or IP to block, and is triggered by the words Login failed or Incorrect password.

    However, the cPanel proftpd logs into /var/log/messages in a different format.

    Here's an actual example of invalid FTP users that I am trying to block, for instance brute force, or repetitive FTP logins with invalid user names. The following is an actual line from the server's /var/log/messages that I'm trying to tweak into the Fail2Ban's original "fail regex" format I listed just above.



    Dec 2 20:13:00 server7 proftpd[1943]: 6X.95.36.39 (209.51.153.106[209.51.153.106]) - no such user 'Administrator'


    I'm trying to take the Fail2Ban's "failregex" above and alter it so it will be triggered by the words "no such user" and hence block the Host / IP.

    Someone good at Regex can probably do that with their eyes closed. I'm sorry that my regex brain cells are out to lunch.

    Any help appreciated,
    Thanks,
    Drake P.
     
  2. grayloon

    I'm thinking about trying fail2ban as well. Did you ever get this worked out?
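
Added example, not part of the thread and not Fail2Ban's own code: a small Python harness that checks a candidate failregex against the /var/log/messages line quoted in the first post. The pattern in FAILREGEX, the simplified IPv4-only stand-in for <HOST>, and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption; the
# real expansion also accepts hostnames and other address forms).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Candidate failregex for the cPanel proftpd format (assumption, not from the
# thread). The host is read from the bracketed field that precedes
# " - no such user", never from the quoted user name the client supplies.
FAILREGEX = r"proftpd\[\d+\]: \S+ \(\S+\[<HOST>\]\) - no such user '.*'\s*$"

def compile_failregex(failregex):
    """Substitute the <HOST> tag and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST))

def failed_hosts(lines, failregex=FAILREGEX):
    """Return a Counter mapping each captured host to its failure count."""
    rx = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits

SAMPLE_LOG = [
    # Line quoted in the first post.
    "Dec 2 20:13:00 server7 proftpd[1943]: 6X.95.36.39 "
    "(209.51.153.106[209.51.153.106]) - no such user 'Administrator'",
    # Constructed lines (documentation address ranges).
    "Dec 2 20:13:04 server7 proftpd[1950]: 192.0.2.10 "
    "(198.51.100.7[198.51.100.7]) - no such user 'admin'",
    # Constructed: user name shaped like a host field must not change the host.
    "Dec 2 20:13:09 server7 proftpd[1951]: 192.0.2.10 "
    "(198.51.100.7[198.51.100.7]) - no such user 'x (203.0.113.9[203.0.113.9])'",
    # Constructed: non-failure line, must not match.
    "Dec 2 20:14:00 server7 proftpd[1960]: 192.0.2.10 "
    "(198.51.100.7[198.51.100.7]) - FTP session opened.",
]

if __name__ == "__main__":
    for host, count in failed_hosts(SAMPLE_LOG).items():
        print(host, count)
```

Before enabling a jail, confirm the final expression against the real /var/log/messages with the fail2ban-regex tool, since the actual <HOST> expansion differs from the stand-in used here.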
     