fail2ban/config/filter.d/proftpd.conf

# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#         Daniel Black - hardening of regex
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

_deamon = proftpd

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#

__suffix_failed_login = (User not authorized for login|No such user found|Incorrect password|Password expired|Account disabled|Invalid shell: '\S+'|User in \S+|Limit (access|configuration) denies login|Not a UserAlias|maximum login length exceeded).?
failregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$
            ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .* \(Login failed\): %(__suffix_failed_login)s\s*$
            ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: .* login attempted\. *$
            ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
added sections for sasl and proftpd authentications git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@402 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-10-02 13:42:36 +00:00			`# Fail2Ban configuration file`
			`#`
			`# Author: Yaroslav Halchenko`
ENH: proftp regex hardening and log messages 2013-06-13 12:11:05 +00:00			`# Daniel Black - hardening of regex`
added sections for sasl and proftpd authentications git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@402 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-10-02 13:42:36 +00:00			`#`
ENH: proftp regex hardening and log messages 2013-06-13 12:11:05 +00:00
			`[INCLUDES]`

			`# Read common prefixes. If any customizations available -- read them from`
			`# common.local`
			`before = common.conf`

added sections for sasl and proftpd authentications git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@402 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-10-02 13:42:36 +00:00
			`[Definition]`

ENH: Tweak proftpd regex and add sample logs Needed to add optional ":" post __pid_re, and for consistency, decided to make use of __prefix_line instead which includes this. 2013-07-21 21:03:49 +00:00			`_deamon = proftpd`

added sections for sasl and proftpd authentications git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@402 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-10-02 13:42:36 +00:00			`# Option: failregex`
- Added alias "<HOST>" for failregex git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@471 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-11-19 21:25:51 +00:00			`# Notes.: regex to match the password failures messages in the logfile. The`
			`# host must be matched by a group named "host". The tag "<HOST>" can`
- Fixed some comments git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@495 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-12-18 22:35:34 +00:00			`# be used for standard IP/hostname matching and is only an alias for`
- Changed <HOST> template to be more restrictive. Debian bug #514163. git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@728 a942ae1a-1317-0410-a47c-b1dcaea8d605 2009-02-08 17:31:24 +00:00			`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`
added sections for sasl and proftpd authentications git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@402 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-10-02 13:42:36 +00:00			`# Values: TEXT`
			`#`
ENH: Improve proftpd regex. Taken from @yarikoptic comment: https://github.com/fail2ban/fail2ban/pull/303#discussion_r5687500 2013-08-09 17:54:08 +00:00
ENH: Minor tweak on previous commit proftpd regex changes 2013-08-09 18:04:26 +00:00			`__suffix_failed_login = (User not authorized for login\|No such user found\|Incorrect password\|Password expired\|Account disabled\|Invalid shell: '\S+'\|User in \S+\|Limit (access\|configuration) denies login\|Not a UserAlias\|maximum login length exceeded).?`
ENH: Tweak proftpd regex and add sample logs Needed to add optional ":" post __pid_re, and for consistency, decided to make use of __prefix_line instead which includes this. 2013-07-21 21:03:49 +00:00			`failregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .: no such user found from \S+ \[\S+\] to \S+:\S+ $`
ENH: Improve proftpd regex. Taken from @yarikoptic comment: https://github.com/fail2ban/fail2ban/pull/303#discussion_r5687500 2013-08-09 17:54:08 +00:00			`^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .* \(Login failed\): %(__suffix_failed_login)s\s*$`
ENH: Tweak proftpd regex and add sample logs Needed to add optional ":" post __pid_re, and for consistency, decided to make use of __prefix_line instead which includes this. 2013-07-21 21:03:49 +00:00			`^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: .* login attempted\. *$`
			`^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$`
- Added option "ignoreregex" in filter scripts and jail.conf. Feature Request #1283304 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@458 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-11-12 14:52:36 +00:00
			`# Option: ignoreregex`
			`# Notes.: regex to ignore. If this regex matches, the line is ignored.`
			`# Values: TEXT`
			`#`
- Defined default values in .conf. Should fix Debian bug #398758 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@464 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-11-15 18:44:28 +00:00			`ignoreregex =`