Regex Help Needed

Discussion in 'General Discussion' started by Drake, Dec 2, 2007.

  1. Drake

    Drake Well-Known Member

    Anyone good with regex who'd be willing to lend a little assistance?

    I'm trying to use Fail2Ban with cPanel's Proftp, which logs into /var/log/messages and not /var/log/proftpd

    Fail2Ban's original proftpd regex match to block IPs for improper proftpd passwords is as follows:

    failregex = USER \S+: no such user \S* ?\[<HOST>\] to \S+\s*$
    \(\S*\[<HOST>\]\): USER \S+ \(Login failed\): Incorrect password.$

    It obviously needs the host name or IP to block, and is triggered by the words Login failed or Incorrect password.

    However, the cPanel proftpd logs into /var/log/messages in a different format.

    Here's an actual example of invalid FTP users that I am trying to block, for instance brute force, or repetitive FTP logins with invalid user names. The following is an actual line from the server's /var/log/messages that I'm trying to tweak into the Fail2Ban's original "fail regex" format I listed just above.

    Dec 2 20:13:00 server7 proftpd[1943]: 6X.95.36.39 ([]) - no such user 'Administrator'

    I'm trying to take the Fail2Ban's "failregex" above and alter it so it will be triggered by the words "no such user" and hence block the Host / IP.

    Someone good at Regex can probably do that with their eyes closed. I'm sorry that my regex brain cells are out to lunch.

    Any help appreciated,
    Drake P.
  2. grayloon

    grayloon Well-Known Member

    I'm thinking about trying fail2ban as well. Did you ever get this worked out?
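
One way to check a candidate pattern for the log layout quoted in the first post before putting it into a filter; this is an added example, not code from the thread or from Fail2Ban. The pattern, the IPv4-only `<HOST>` stand-in, the helper names and the sample lines are assumptions constructed for illustration, and the address right after `proftpd[pid]:` is taken to be the one to block, as in the quoted line.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST_GROUP = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Hypothetical candidate failregex for the layout quoted in the post:
#   proftpd[pid]: ADDRESS (...) - no such user 'NAME'
CANDIDATE = r"proftpd\[\d+\]: <HOST> \(\S*\) - no such user '.*'\s*$"

# Constructed sample lines using documentation addresses, not a real log.
SAMPLE_LOG = """\
Dec  2 20:13:00 server7 proftpd[1943]: 203.0.113.39 ([]) - no such user 'Administrator'
Dec  2 20:13:04 server7 proftpd[1944]: 203.0.113.39 ([]) - no such user 'admin'
Dec  2 20:13:09 server7 proftpd[1945]: 203.0.113.39 ([]) - no such user 'test'
Dec  2 20:14:30 server7 proftpd[1950]: 198.51.100.7 ([]) - no such user 'ftpuser'
Dec  2 20:15:00 server7 proftpd[1951]: 198.51.100.7 ([]) - FTP session opened.
Dec  2 20:16:00 server7 sshd[2001]: Failed password for root from 192.0.2.10 port 4022 ssh2
"""


def compile_failregex(failregex):
    """Expand the <HOST> tag and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def failures_per_host(failregex, log_text):
    """Count matching lines per captured host address."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def hosts_to_ban(failregex, log_text, maxretry=3):
    """Hosts whose failure count reaches the jail's maxretry threshold."""
    counts = failures_per_host(failregex, log_text)
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print(dict(failures_per_host(CANDIDATE, SAMPLE_LOG)))
    print(hosts_to_ban(CANDIDATE, SAMPLE_LOG))
```

`fail2ban-regex` performs the same check with the real `<HOST>` expansion against the server's own /var/log/messages, which confirms which address gets captured before the jail is enabled.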
