From: paul kölle
Date: Sun, 09 Aug 2009 01:07:16 +0200
To: gentoo-server@lists.gentoo.org
Subject: Re: [gentoo-server] iptables && fail2ban
Message-ID: <4A7E0524.9010602@gmail.com>
In-Reply-To: <4A7DDE0E.60704@gmail.com>
mrfroasty wrote:
> I finally got my hands on the subject, but I am not in a position to
> play with regular expressions.
>
> REGEX:
> #failregex = USER \S+: no such user found from \S* ?\[\] to \S+\s*$
>
> This captures only this kind of log line in auth.log:
> #Aug  6 22:25:59 fileserver proftpd[18234]: fileserver.mzalendo.net
> (202.102.135.54[202.102.135.54]) - USER !@#$%^&*: no such user found
> from 202.102.135.54 [202.102.135.54] to 192.168.1.34:21
>
> It misses this:
> #Aug  7 20:47:18 fileserver proftpd[23323]: fileserver.mzalendo.net
> (gendesktop.mzalendo.net[192.168.1.33]) - USER mysql (Login failed):
> Incorrect password.
>
> Anyone with a smarter regex and interested to share it with me?
> I will see if I can learn regex and try to manipulate these expressions.

Not really. IMO all these brute-force-polling log watchers are pretty bad
design. If proftpd uses PAM you should search for pam_shield; it can
recognize failed logins and insert the appropriate rules into your firewall.

cheers
 Paul

>
> Thanks
>
> GR
> mrfroasty
>
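As an added example (not code from the thread, from fail2ban, or from pam_shield): a small Python check that runs mrfroasty's original failregex and a broadened one over constructed proftpd log lines modelled on the two formats quoted above, plus a successful login that a failregex must leave alone. The `(?P<host>...)` named group stands in for the `<HOST>` placeholder a real fail2ban filter would use; the combined pattern and the "Login successful" sample line are assumptions of this example, not something the thread supplies.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the two proftpd formats quoted in the
# thread, plus one successful login that a failregex must NOT match.
LOG_LINES = [
    "Aug  6 22:25:59 fileserver proftpd[18234]: fileserver.mzalendo.net "
    "(202.102.135.54[202.102.135.54]) - USER !@#$%^&*: no such user found "
    "from 202.102.135.54 [202.102.135.54] to 192.168.1.34:21",
    "Aug  7 20:47:18 fileserver proftpd[23323]: fileserver.mzalendo.net "
    "(gendesktop.mzalendo.net[192.168.1.33]) - USER mysql (Login failed): "
    "Incorrect password.",
    "Aug  7 20:50:01 fileserver proftpd[23340]: fileserver.mzalendo.net "
    "(gendesktop.mzalendo.net[192.168.1.33]) - USER alice: Login successful.",
]

# The failregex from the thread. The (?P<host>...) group stands in for the
# <HOST> placeholder that fail2ban expands in a real filter file.
ORIGINAL_FAILREGEX = re.compile(
    r"USER (?P<user>\S+): no such user found from \S* ?\[(?P<host>[^\]]+)\] to \S+\s*$"
)

# Assumed broader pattern (not from the thread): it reads the source address
# from the "(name[ip])" field both formats share, so one expression covers
# the unknown-user case and the wrong-password case.
COMBINED_FAILREGEX = re.compile(
    r"proftpd\[\d+\]: \S+ \([^\[]*\[(?P<host>[^\]]+)\]\) - USER (?P<user>\S+)"
    r"(?:: no such user found from \S* ?\[[^\]]*\] to \S+"
    r"| \(Login failed\): Incorrect password\.)\s*$"
)


def match_failures(lines, pattern):
    """Return (host, user) for every line the failregex accepts."""
    hits = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hits.append((m.group("host"), m.group("user")))
    return hits


def count_failures(lines, pattern):
    """Failures per source host, the number fail2ban compares against maxretry."""
    return Counter(host for host, _ in match_failures(lines, pattern))


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL_FAILREGEX), ("combined", COMBINED_FAILREGEX)):
        print(name, match_failures(LOG_LINES, pat))
        print(name, dict(count_failures(LOG_LINES, pat)))
```

Running it shows the original expression catching only the unknown-user line, while the combined one credits both failed attempts to their source hosts and still ignores the successful login. Whatever pattern ends up in the filter, keeping a line like the third one in the test set is the cheap way to make sure a regex change never starts banning legitimate users.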