From Fail2ban
Revision as of 19:25, 13 April 2009 by Mogman1 (Talk | contribs) (regex for fail2ban 0.8.3 on CentOS5?)


I had some trouble finding the right regex under Fedora Core 6 (it might work under other FC distros or elsewhere), so I thought I'd add it to the Wiki. I didn't want to be rude by adding it directly to the article, but what's the point of a discussion if nobody sees it and comments on it?

Here is my regex again:

\[.+\] \[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$


Thank you. However, didn't this work?

\[.+\] FAIL LOGIN: Client "<HOST>"$

Are you using 0.6.2 or 0.7.x? If you use 0.6.2, could you try this?

\[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$

Thank you --Lostcontrol 21:56, 21 January 2007 (CET)

Proper regex for Fedora Core 5

Hi, I tried the one you are asking about:

\[.+\] FAIL LOGIN: Client "<HOST>"$

but it didn't work. This is the error in the error log:

#failregex = \[.+\] FAIL LOGIN: Client "<HOST>"$
2007-03-29 13:41:03,902 ERROR: Please check the format and your locale settings.
2007-03-29 13:41:05,550 ERROR: time data did not match format:  data=Mar 29 13:34:28  fmt=%b %d %H:%M:%S

I am currently trying out the format you suggested for v0.6.2, since it's the one I have, and I'll get back to you. If it doesn't work I will try the format that worked for FC6.

I tried your suggested regex and it did not work; it's not blocking anything on vsftp. Let me try the other one and see.

It too didn't work on my system, so I am going back to using the following regex, since I have had limited success with it, until I find a better one:

Authentication failure|Failed password|Invalid user

The main problem with this regex is that it doesn't ban when the user is unknown, like below:

Apr  1 04:15:46 muthii vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Apr  1 04:15:46 muthii vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser=         rhost= 
Apr  1 04:15:46 muthii vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator

You can reply to me at the following address; any assistance will be greatly appreciated:

Samnjugu at gmail com

Generic pam_unix regex for CentOS5

 pam_unix\(\S*:auth\): authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>

VSFTPD 2 Red Hat Enterprise

Vsftpd 2.0.5-12 for Red Hat Enterprise 5 logs look like:

Fri Sep 19 15:54:55 2008 [pid 15562] [guest] FTP response: Client "", "530 Permission denied."

So I added a vsftpd.local in /etc/fail2ban/filter.d with

failregex = .*Client "<HOST>",."530 Permission denied."$

regex for fail2ban 0.8.3 on CentOS5?

I'm not sure if this is the right place to ask, so I ask for your patience if not. I've been trying to get a working regex for vsftpd, but to no avail. The failregex in vsftpd.conf is:

 #failregex = vsftpd(?:\[\d+\])?: .* authentication failure; .* rhost=<HOST>\s*$
 #            \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
 failregex = \[. \] FAIL LOGIN: Client "<HOST>"$

The first is what came by default and the second is what was suggested here on the page. I've tweaked it a little, but every time I run fail2ban-regex /var/log/vsftpd.log /etc/fail2ban/vsftpd.conf with any regex variation I get:

 No 'host' group in '/etc/fail2ban/vsftpd.conf'
 Cannot remove regular expression. Index 0 is not valid
 No 'host' group in '/etc/fail2ban/vsftpd.conf'
 Cannot remove regular expression. Index 0 is not valid
 |- Regular expressions:
 |  [1] /etc/fail2ban/vsftpd.conf
 `- Number of matches:
    [1] 0 match(es)
 |- Regular expressions:
 `- Number of matches:
 Sorry, no match
 Look at the above section 'Running tests' which could contain important

With the "..." indicating that I get tons of those error messages; they're all identical. Any ideas? For the record, the lines in vsftpd.log look like:

 Mon Apr 13 10:22:29 2009 [pid 16253] CONNECT: Client ""
 Mon Apr 13 10:22:38 2009 [pid 16252] [username] FAIL LOGIN: Client ""

--Mogman1 17:25, 13 April 2009 (UTC)
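The patterns posted in this discussion (the FAIL LOGIN regex, the tweaked one from the last post, the RHEL 5 "530 Permission denied" regex and the generic pam_unix regex), tried offline with a small Python stand-in for how Fail2ban 0.7/0.8 expands <HOST> into the (?P<host>...) group. This is an added example, not Fail2ban's own code and not code from any of the posters; the log lines are constructed in the formats quoted above with documentation-range addresses, the pam_unix line is written with single spaces between its fields, and Fail2ban's real <HOST> expansion is assumed to be slightly more elaborate than the plain \S+ group used here.

```python
import re

# Added example (not Fail2ban's own code): a minimal stand-in for the way
# Fail2ban 0.7/0.8 turns a filter's failregex into a Python regex, so the
# patterns posted on this page can be tried against sample log lines offline.
# Fail2ban replaces the <HOST> tag with a named group "host"; the plain
# (?P<host>\S+) form used here is the 0.6.2 syntax quoted above. Fail2ban's
# own expansion is assumed to be a little more elaborate (e.g. tolerating an
# IPv6-mapped prefix), which is not needed for the lines below.
HOST_TAG = "<HOST>"
HOST_GROUP = r"(?P<host>\S+)"


def compile_failregex(failregex):
    """Expand <HOST> and compile; refuse a pattern that captures no host."""
    pattern = failregex.replace(HOST_TAG, HOST_GROUP)
    if "(?P<host>" not in pattern:
        # Same situation fail2ban-regex reports as "No 'host' group".
        raise ValueError("No 'host' group in %r" % failregex)
    return re.compile(pattern)


def find_failures(failregex, lines):
    """Return the host captured from each line the failregex matches."""
    rx = compile_failregex(failregex)
    # search(), not match(): the timestamp and pid sit in front of the pattern.
    return [m.group("host") for m in map(rx.search, lines) if m]


# Constructed sample lines in the formats quoted on this page; the client
# addresses are documentation-range placeholders, not real log data.
VSFTPD_083_LINES = [
    'Mon Apr 13 10:22:29 2009 [pid 16253] CONNECT: Client "192.0.2.10"',
    'Mon Apr 13 10:22:38 2009 [pid 16252] [username] FAIL LOGIN: Client "192.0.2.10"',
    'Mon Apr 13 10:22:45 2009 [pid 16252] [username] OK LOGIN: Client "192.0.2.11"',
]
VSFTPD_RHEL5_LINES = [
    'Fri Sep 19 15:54:55 2008 [pid 15562] [guest] FTP response: Client "192.0.2.20", "530 Permission denied."',
    'Fri Sep 19 15:55:02 2008 [pid 15562] [guest] FTP response: Client "192.0.2.21", "230 Login successful."',
]
PAM_UNIX_LINES = [
    'Apr  1 04:15:46 muthii vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.30',
    # The "user unknown" case from the FC5 post: rhost is empty, so there is
    # nothing to ban and the pattern (correctly) does not fire.
    'Apr  1 04:15:46 muthii vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=',
]

# The patterns as posted on this page.
FAIL_LOGIN_REGEX = r'\[.+\] FAIL LOGIN: Client "<HOST>"$'
TWEAKED_FAIL_LOGIN_REGEX = r'\[. \] FAIL LOGIN: Client "<HOST>"$'   # from the last post
RHEL5_530_REGEX = r'.*Client "<HOST>",."530 Permission denied."$'
PAM_UNIX_REGEX = (r'pam_unix\(\S*:auth\): authentication failure; '
                  r'logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>')
NO_HOST_REGEX = r'Authentication failure|Failed password|Invalid user'


def run_all():
    """Try every posted pattern against the matching sample lines."""
    results = {
        "fail_login": find_failures(FAIL_LOGIN_REGEX, VSFTPD_083_LINES),
        # "\[. \]" allows exactly one character and a space between the
        # brackets, so it cannot match "[username]" and never fires.
        "tweaked_fail_login": find_failures(TWEAKED_FAIL_LOGIN_REGEX, VSFTPD_083_LINES),
        "rhel5_530": find_failures(RHEL5_530_REGEX, VSFTPD_RHEL5_LINES),
        "pam_unix": find_failures(PAM_UNIX_REGEX, PAM_UNIX_LINES),
    }
    try:
        compile_failregex(NO_HOST_REGEX)
        results["no_host_group"] = "accepted"
    except ValueError as exc:
        results["no_host_group"] = str(exc)
    return results


if __name__ == "__main__":
    for name, value in run_all().items():
        print("%-20s %s" % (name, value))
```

Running it shows which of the posted patterns extract a host from which line format: the FAIL LOGIN and 530 patterns each capture the client address from their own log format and ignore the CONNECT/OK/230 lines, the pam_unix pattern captures rhost only when it is non-empty, the tweaked `\[. \]` pattern matches nothing, and a pattern with no host group is rejected before any line is looked at. When the real fail2ban-regex is available, the same pattern and log file can be handed to it for the authoritative answer.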