could you please either send sample of logfile as an attachement, or just try to add matching of spaces at the end of the lines, ie replace \S+$ to \S+ *$ and report if that helps
On Sat, 06 Dec 2008, Udo Rader wrote: > Package: fail2ban > Version: 0.8.3-2 > Severity: normal > fail2ban fails to detect proftpd login attempts with unknown users. > proftpd logs unknown users like this: > ---CUT--- > Dec 6 14:10:31 hel proftpd[24498]: dist.bestsolution.at \ > (202.143.142.166[202.143.142.166]) - USER Administrator: no such \ > user found from 202.143.142.166 [202.143.142.166] to 81.16.98.107:21 > ---CUT--- > /etc/fail2ban/filters.d/proftpd.conf contains this line to match those lines: > ---CUT--- > \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to > \S+:\S+$ > ---CUT--- > Using this line with fail2ban-regex gives zero matches, changing the line to > ---CUT--- > \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to > \S+:\S+ > ---CUT--- > finally matches all the failed login attempts. -- Yaroslav Halchenko Research Assistant, Psychology Department, Rutgers-Newark Student Ph.D. @ CS Dept. NJIT Office: (973) 353-1412 | FWD: 82823 | Fax: (973) 353-1171 101 Warren Str, Smith Hall, Rm 4-105, Newark NJ 07102 WWW: http://www.linkedin.com/in/yarik -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]