From: mrfroasty
Date: Sat, 08 Aug 2009 22:20:30 +0200
To: gentoo-server@lists.gentoo.org
Subject: Re: [gentoo-server] iptables && fail2ban

I finally got my hands on the subject, but I am not in a position to play with regular expressions.

REGEX:
#failregex = USER \S+: no such user found from \S* ?\[\] to \S+\s*$

This captures only this kind of log in auth.log:
#Aug  6 22:25:59 fileserver proftpd[18234]: fileserver.mzalendo.net (202.102.135.54[202.102.135.54]) - USER !@#$%^&*: no such user found from 202.102.135.54 [202.102.135.54] to 192.168.1.34:21

It misses this:
#Aug  7 20:47:18 fileserver proftpd[23323]: fileserver.mzalendo.net (gendesktop.mzalendo.net[192.168.1.33]) - USER mysql (Login failed): Incorrect password.

Anyone with a smarter regex and interested in sharing it with me? I will see if I can learn regex and try to manipulate these expressions.

Thanks
GR
mrfroasty

-- 
Extra details:
OSS:Gentoo Linux
profile:x86
Hardware:msi geforce 8600GT asus p5k-se
location:/home/muhsin
language(s):C/C++,VB,VHDL,bash,PHP,SQL,HTML,CSS
Typo:40WPM
url:http://www.mzalendo.net
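
An added example, not part of the original message and not fail2ban's own code: a small Python harness that runs the posted failregex and one extra pattern for the "Incorrect password" line against the two log lines quoted above. It assumes the empty brackets in the posted regex originally held fail2ban's <HOST> tag; the IPv4-only HOST expansion, the second pattern, the third (successful login) log line and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

FAILREGEXES = [
    # Regex from the post, with <HOST> assumed inside the empty brackets.
    r"USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$",
    # Added, hypothetical pattern for the wrong-password line. The address
    # comes from the "(name[addr])" client field that proftpd writes itself.
    r"\(\S+\[<HOST>\]\)[ -]+USER \S+ \(Login failed\): Incorrect password\.?\s*$",
]

# First two lines are the ones quoted in the message; the third is constructed.
SAMPLE_LOG = [
    "Aug  6 22:25:59 fileserver proftpd[18234]: fileserver.mzalendo.net "
    "(202.102.135.54[202.102.135.54]) - USER !@#$%^&*: no such user found "
    "from 202.102.135.54 [202.102.135.54] to 192.168.1.34:21",
    "Aug  7 20:47:18 fileserver proftpd[23323]: fileserver.mzalendo.net "
    "(gendesktop.mzalendo.net[192.168.1.33]) - USER mysql (Login failed): "
    "Incorrect password.",
    "Aug  7 20:50:01 fileserver proftpd[23400]: fileserver.mzalendo.net "
    "(gendesktop.mzalendo.net[192.168.1.33]) - USER muhsin: Login successful.",
]

def compile_failregex(pattern):
    """Expand the <HOST> tag and compile the pattern."""
    return re.compile(pattern.replace("<HOST>", HOST))

def offending_host(line, patterns=FAILREGEXES):
    """Return the client address if any pattern matches the line, else None."""
    for pattern in patterns:
        match = compile_failregex(pattern).search(line)
        if match:
            return match.group("host")
    return None

def count_failures(lines, patterns=FAILREGEXES):
    """Count matched failures per client address, as a ban threshold would."""
    return Counter(h for h in (offending_host(l, patterns) for l in lines) if h)

if __name__ == "__main__":
    for host, hits in count_failures(SAMPLE_LOG).items():
        print(host, hits)
```

fail2ban also ships the fail2ban-regex tool, which runs a filter against a real log file and reports matched and missed lines.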