From: mrfroasty
Date: Mon, 03 Aug 2009 23:42:21 +0200
To: gentoo-server@lists.gentoo.org
CC: hparker@gentoo.org
Subject: Re: [gentoo-server] iptables && fail2ban
Message-ID: <4A7759BD.1040903@gmail.com>
In-Reply-To: <1249149991.4396.2.camel@laptop.homershut.net>

I have already played with it and concluded that fail2ban missed it... in my previous mail it's mentioned that

    # fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/proftpd.conf | grep 124.205.130.15

Nothing in the output; that means it has just missed banning this guy.

Kerin did mention that this is an issue in the regex: it captures the guy who played with an unknown user, and not because a user tried 3 times.

Honestly, I would love to get to solve the issue as this is obviously not the intention.
The idea was to BAN any IP regardless of whether the user is defined on the box or not.

P.S.
I haven't looked at those filters yet, I have been on holiday since yesterday, so probably tomorrow I will get time to check if I can get my hands dirty on this subject.

GR
mrfroasty

Homer Parker wrote:
> On Sun, 2009-08-02 at 13:24 +0200, mrfroasty wrote:
>
>> Actually we are talking about the proftp daemon analysed using
>> /var/log/auth.log.
>>
>
>         You can play with fail2ban-regex and see what it thinks.
>
> --

-- 
Extra details:
OSS:Gentoo Linux
profile:x86
Hardware:msi geforce 8600GT asus p5k-se
location:/home/muhsin
language(s):C/C++,VB,VHDL,bash,PHP,SQL,HTML,CSS
Typo:40WPM
url:http://www.mzalendo.net
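As an added illustration (not code from this thread, nor fail2ban's own implementation), here is a small Python model of how a fail2ban filter's failregex lines plus maxretry decide on a ban. The two patterns are constructed approximations of proftpd filter lines, the log lines and IPs are constructed, and findtime is ignored; it shows why a filter that only matches the "no such user" message never reaches maxretry for repeated bad passwords against a real account.

```python
import re
from collections import Counter

# Constructed approximations of two proftpd failregex lines, with fail2ban's
# <HOST> tag expanded into a named group (not the page's proftpd.conf).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
UNKNOWN_USER = re.compile(
    r"USER \S+: no such user found from \S+ \[" + HOST + r"\]")
BAD_PASSWORD = re.compile(
    r"\(\S+\[" + HOST + r"\]\)[: -]+USER \S+ \(Login failed\): Incorrect password\.")

# Constructed /var/log/auth.log sample: one unknown-user probe from one host,
# and three wrong passwords for a real account from a second host.
SAMPLE_LOG = """\
Aug  2 13:00:01 box proftpd[4242] box (192.0.2.10[192.0.2.10]): USER admin: no such user found from 192.0.2.10 [192.0.2.10] to 198.51.100.5:21
Aug  2 13:00:05 box proftpd[4243] box (192.0.2.20[192.0.2.20]): USER muhsin (Login failed): Incorrect password.
Aug  2 13:00:09 box proftpd[4244] box (192.0.2.20[192.0.2.20]): USER muhsin (Login failed): Incorrect password.
Aug  2 13:00:14 box proftpd[4245] box (192.0.2.20[192.0.2.20]): USER muhsin (Login failed): Incorrect password.
Aug  2 13:01:00 box proftpd[4246] box (192.0.2.20[192.0.2.20]): USER muhsin: Login successful.
"""


def failures_per_host(log, failregex):
    """Count log lines matching any failregex, keyed by the captured host."""
    counts = Counter()
    for line in log.splitlines():
        for rx in failregex:
            m = rx.search(line)
            if m:
                counts[m.group("host")] += 1
                break  # one failure per line, like fail2ban
    return counts


def would_ban(log, failregex, maxretry=3):
    """Hosts whose failure count reaches maxretry (findtime ignored)."""
    return sorted(h for h, n in failures_per_host(log, failregex).items()
                  if n >= maxretry)


if __name__ == "__main__":
    # Filter with only the unknown-user pattern: the brute force is invisible.
    print("unknown-user only:", would_ban(SAMPLE_LOG, [UNKNOWN_USER]))
    # Filter with both patterns: the second host crosses maxretry and is banned.
    print("both patterns:   ", would_ban(SAMPLE_LOG, [UNKNOWN_USER, BAD_PASSWORD]))
```

Running the real filter through fail2ban-regex, as suggested in the thread, is the equivalent check against a live log: every failure message the daemon can emit needs a matching failregex line, or the counter for that host never moves.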