From Fail2ban
Revision as of 02:05, 20 September 2008 by Khaxan (Talk | contribs) (Generic pam_unix regex for CentOS5)


I had some trouble finding the right regex under Fedora Core 6 (it might work under other FC distros or elsewhere), so I thought of adding it to the Wiki. I didn't want to be rude by adding it directly to the article, but what's the point of a discussion if nobody sees it and then comments on it?

Here is my regex again:

\[.+\] \[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$


Thank you. However, didn't this work?

\[.+\] FAIL LOGIN: Client "<HOST>"$

Are you using 0.6.2 or 0.7.x? If you use 0.6.2, could you try this?

\[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$

Thank you --Lostcontrol 21:56, 21 January 2007 (CET)

proper regex for fedora core 5

Hi, I tried the one you are asking about:

\[.+\] FAIL LOGIN: Client "<HOST>"$

but it didn't work. This is the error in the error log:

#failregex = \[.+\] FAIL LOGIN: Client "<HOST>"$
2007-03-29 13:41:03,902 ERROR: Please check the format and your locale settings.
2007-03-29 13:41:05,550 ERROR: time data did not match format:  data=Mar 29 13:34:28  fmt=%b %d %H:%M:%S

I am currently trying out the format you have suggested for v0.6.2, since it's the one I have, and will get back to you. If it doesn't work, I will try the format that worked for FC6.

I tried your suggested regex and it did not work; it's not blocking anything on vsftp. Let me try the other one and see.

It too didn't work on my system. I am going back to using the following regex, since I have had limited success with it, before I find a better one:

Authentication failure|Failed password|Invalid user

The main problem with this regex is that it doesn't ban when the user is unknown, like below:

Apr  1 04:15:46 muthii vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Apr  1 04:15:46 muthii vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser=         rhost= 
Apr  1 04:15:46 muthii vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator

You can reply to me at the following address; any assistance will be greatly appreciated:

Samnjugu at gmail com

Generic pam_unix regex for CentOS5

 pam_unix\(\S*:auth\): authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>
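
An added example, not part of the original discussion and not Fail2ban's own code: a small offline check of the CentOS5 pam_unix failregex above against log lines before deploying it. It assumes `<HOST>` expands to the `(?P<host>\S+)` group used earlier in this thread; the helper names and the last two log lines (documentation IP addresses) are constructed for illustration.

```python
import re

# Assumption: <HOST> is expanded to the named group this thread uses for 0.6.2.
HOST_GROUP = r"(?P<host>\S+)"

# The CentOS5 pam_unix failregex from this page, unchanged.
CENTOS5_FAILREGEX = (
    r"pam_unix\(\S*:auth\): authentication failure; "
    r"logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>"
)

# Lines 0-2 are the vsftpd lines quoted in this thread.
# Lines 3-4 are constructed samples with a populated rhost= field.
SAMPLE_LINES = [
    "Apr  1 04:15:46 muthii vsftpd: pam_unix(vsftpd:auth): check pass; user unknown",
    "Apr  1 04:15:46 muthii vsftpd: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty= ruser=         rhost= ",
    "Apr  1 04:15:46 muthii vsftpd: pam_succeed_if(vsftpd:auth): "
    "error retrieving information about user Administrator",
    "Apr  1 04:20:01 muthii vsftpd: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser=alice rhost=192.0.2.10",
    "Apr  1 04:20:09 muthii vsftpd: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser=alice rhost=198.51.100.7  user=alice",
]


def compile_failregex(failregex):
    """Expand the <HOST> tag into a named group and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def extract_hosts(failregex, lines):
    """Return one entry per line: the captured host, or None when nothing matched."""
    pattern = compile_failregex(failregex)
    results = []
    for line in lines:
        match = pattern.search(line)
        results.append(match.group("host") if match else None)
    return results


if __name__ == "__main__":
    for line, host in zip(SAMPLE_LINES, extract_hosts(CENTOS5_FAILREGEX, SAMPLE_LINES)):
        print(f"{host or 'NO MATCH':>14}  {line[:70]}")
```

A line whose `rhost=` field is empty yields no host, so there is no address to ban from it; only lines that carry the client address can trigger a ban.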