Could you please either send a sample of the logfile as an attachment, or
just try to add matching of spaces at the end of the lines, i.e. replace
\S+$
to
\S+ *$
and report if that helps

On Sat, 06 Dec 2008, Udo Rader wrote:

> Package: fail2ban
> Version: 0.8.3-2
> Severity: normal

> fail2ban fails to detect proftpd login attempts with unknown users.
> proftpd logs unknown users like this:

> ---CUT---
> Dec  6 14:10:31 hel proftpd[24498]: dist.bestsolution.at \
> (202.143.142.166[202.143.142.166]) - USER Administrator: no such \
> user found from 202.143.142.166 [202.143.142.166] to 81.16.98.107:21
> ---CUT---

> /etc/fail2ban/filters.d/proftpd.conf contains this line to match those lines:

> ---CUT---
> \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to 
> \S+:\S+$
> ---CUT---

> Using this line with fail2ban-regex gives zero matches, changing the line to

> ---CUT---
> \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to 
> \S+:\S+
> ---CUT---

> finally matches all the failed login attempts.
-- 
Yaroslav Halchenko
Research Assistant, Psychology Department, Rutgers-Newark
Student  Ph.D. @ CS Dept. NJIT
Office: (973) 353-1412 | FWD: 82823 | Fax: (973) 353-1171
        101 Warren Str, Smith Hall, Rm 4-105, Newark NJ 07102
WWW:     http://www.linkedin.com/in/yarik        
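
The following is an added example, not part of the original mails and not fail2ban's own code: it runs the three pattern variants from this thread against the reported log line to test whether trailing whitespace can explain the zero matches. The `HOST` expansion is a simplified stand-in for fail2ban's `<HOST>` tag, the log line is re-joined from the wrapped quote, and the trailing-space and trailing-CR inputs are constructed.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: the real
# expansion is more elaborate and differs between fail2ban versions).
HOST = r"(?P<host>[\w.:-]+)"

# Common part of the filter line quoted in the report.
PREFIX = (r"\(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found "
          r"from \S+ \[\S+\] to \S+:\S+")

PATTERNS = {
    "shipped": PREFIX + r"$",      # line from proftpd.conf as reported
    "spaces": PREFIX + r" *$",     # replacement suggested in the reply
    "unanchored": PREFIX,          # reporter's workaround, no end anchor
}

# Log line from the report, re-joined onto one line (assumption: the
# backslashes in the mail are only line wrapping).
LOG = ("Dec  6 14:10:31 hel proftpd[24498]: dist.bestsolution.at "
       "(202.143.142.166[202.143.142.166]) - USER Administrator: no such "
       "user found from 202.143.142.166 [202.143.142.166] to 81.16.98.107:21")


def match_host(name, line):
    """Return the captured host for pattern `name`, or None if no match."""
    rx = re.compile(PATTERNS[name].replace("<HOST>", HOST))
    m = rx.search(line)
    return m.group("host") if m else None


def tail(line, n=12):
    """repr() of the last n characters, so invisible bytes become visible."""
    return repr(line[-n:])


def report(line):
    """Map each pattern name to the host it captured (None = no match)."""
    return {name: match_host(name, line) for name in PATTERNS}


if __name__ == "__main__":
    # Constructed variants of the same line with different line endings.
    for label, line in [("clean", LOG),
                        ("trailing spaces", LOG + "  "),
                        ("trailing CR", LOG + "\r")]:
        print(f"{label:16} {tail(line):18} {report(line)}")
```

A trailing carriage return defeats both anchored variants, which is why the raw logfile sent as an attachment is more informative than a line pasted into a mail body.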


