From Fail2ban

I had some trouble finding the right regex under Fedora Core 6 (it might work under other FC distros or elsewhere), so I thought of adding it to the Wiki. I didn't want to be rude by adding it directly to the article, but what's the point of discussion if nobody sees it and then comments on it.

Here is my regex again:

\[.+\] \[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$


Thank you. However, didn't this work?

\[.+\] FAIL LOGIN: Client "<HOST>"$

Are you using 0.6.2 or 0.7.x? If you use 0.6.2, could you try this?

\[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$

Thank you --Lostcontrol 21:56, 21 January 2007 (CET)

proper regex for fedora core 5

Hi, I tried the one you are asking about:

\[.+\] FAIL LOGIN: Client "<HOST>"$

but it didn't work. This is the error in the error log:

#failregex = \[.+\] FAIL LOGIN: Client "<HOST>"$
2007-03-29 13:41:03,902 ERROR: Please check the format and your locale settings.
2007-03-29 13:41:05,550 ERROR: time data did not match format:  data=Mar 29 13:34:28  fmt=%b %d %H:%M:%S

I am currently trying out the format you have suggested for v0.6.2, since it's the one I have, and will get back to you; if it doesn't work I will try the format that worked for FC6.

I tried your suggested regex and it did not work; it's not blocking anything on vsftp. Let me try the other one and see.

It too didn't work on my system. I am going back to using the following regex, since I have had limited success with it, before I find a better one:

Authentication failure|Failed password|Invalid user

The main problem of this regex is that it doesn't ban when the user is unknown, like below:

Apr  1 04:15:46 muthii vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Apr  1 04:15:46 muthii vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser=         rhost= 
Apr  1 04:15:46 muthii vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator

You can reply to me at the following address; any assistance will be greatly appreciated:

Samnjugu at gmail com

Generic pam_unix regex for CentOS5

 pam_unix\(\S*:auth\): authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>

VSFTPD 2 Red Hat Enterprise

Vsftpd 2.0.5-12 for Red Hat Enterprise 5 logs are like:

Fri Sep 19 15:54:55 2008 [pid 15562] [guest] FTP response: Client "", "530 Permission denied."

So I added a vsftpd.local in /etc/fail2ban/filter.d with:

failregex = .*Client "<HOST>",."530 Permission denied."$

regex for fail2ban 0.8.x on CentOS5?

The following configuration will allow fail2ban 0.8.4 to work with vsftpd on a Red Hat/CentOS 5 box (at least it does for me):

 $> cat /etc/fail2ban/filter.d/vsftpd.conf
 failregex = .*Client "<HOST>",."530 Login incorrect."$

Credit should go to CaptainInsane though... not me.
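
Added example, not part of the original discussion or of fail2ban itself: a small Python harness that runs the failregex values posted above against constructed sample lines and reports which host, if any, each one extracts. It assumes `<HOST>` can be approximated by the `(?P<host>\S+)` group used in the 0.6.2 variant on this page (fail2ban's own expansion is stricter), and all sample lines use the documentation address 192.0.2.10.

```python
import re

# Assumption: <HOST> is approximated by the named group the thread uses for
# 0.6.2. fail2ban's real expansion is stricter; this is only a quick check.
HOST_GROUP = r"(?P<host>\S+)"

# failregex values copied from the posts on this page (the keys are labels
# invented for this example).
FAILREGEXES = {
    "fc6": r'\[.+\] \[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$',
    "default": r'\[.+\] FAIL LOGIN: Client "<HOST>"$',
    "pam_unix": r"pam_unix\(\S*:auth\): authentication failure; logname=\S* "
                r"uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>",
    "rhel5_denied": r'.*Client "<HOST>",."530 Permission denied."$',
    "centos5_incorrect": r'.*Client "<HOST>",."530 Login incorrect."$',
}

# Constructed sample lines, modelled on the log formats quoted on this page.
SAMPLES = {
    "fail_login": 'Fri Sep 19 15:54:55 2008 [pid 15562] [guest] '
                  'FAIL LOGIN: Client "192.0.2.10"',
    "ftp_response": 'Fri Sep 19 15:54:55 2008 [pid 15562] [guest] '
                    'FTP response: Client "192.0.2.10", "530 Login incorrect."',
    "pam_with_rhost": "Apr  1 04:15:46 muthii vsftpd: pam_unix(vsftpd:auth): "
                      "authentication failure; logname= uid=0 euid=0 tty=ftp "
                      "ruser=admin rhost=192.0.2.10",
    # Same line with an empty rhost= field: there is no address to ban.
    "pam_empty_rhost": "Apr  1 04:15:46 muthii vsftpd: pam_unix(vsftpd:auth): "
                       "authentication failure; logname= uid=0 euid=0 tty=ftp "
                       "ruser= rhost= ",
}

def compile_failregex(pattern):
    """Expand the <HOST> tag and compile the pattern."""
    return re.compile(pattern.replace("<HOST>", HOST_GROUP))

def extract_host(pattern, line):
    """Return the captured host, or None when the line does not match."""
    match = compile_failregex(pattern).search(line)
    return match.group("host") if match else None

def matrix():
    """Map (regex label, sample label) to the extracted host or None."""
    return {(r, s): extract_host(p, line)
            for r, p in FAILREGEXES.items() for s, line in SAMPLES.items()}

if __name__ == "__main__":
    for (regex_name, sample_name), host in matrix().items():
        print(f"{regex_name:18} {sample_name:16} -> {host or 'no match'}")
```

Once a candidate passes a quick check like this, the `fail2ban-regex` tool shipped with fail2ban can test it against the real log file and filter.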