fail2ban/config/filter.d/proftpd.conf

# Fail2Ban filter for the Proftpd FTP daemon
#
# Set "UseReverseDNS off" in proftpd.conf to avoid the need for DNS.
# See: http://www.proftpd.org/docs/howto/DNS.html
# When the default locale for your system is not en_US.UTF-8
# on Debian-based systems be sure to add this to /etc/default/proftpd
# export LC_TIME="en_US.UTF-8"

[INCLUDES]

before = common.conf

[Definition]

_daemon = proftpd

__suffix_failed_login = ([uU]ser not authorized for login|[nN]o such user found|[iI]ncorrect password|[pP]assword expired|[aA]ccount disabled|[iI]nvalid shell: '\S+'|[uU]ser in \S+|[lL]imit (access|configuration) denies login|[nN]ot a UserAlias|[mM]aximum login length exceeded)


prefregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ <F-CONTENT>(?:USER|SECURITY|Maximum) .+</F-CONTENT>$


failregex = ^USER <F-USER>\S+|.*?</F-USER>(?: \(Login failed\))?: %(__suffix_failed_login)s
            ^SECURITY VIOLATION: <F-USER>\S+|.*?</F-USER> login attempted
            ^Maximum login attempts \(\d+\) exceeded

ignoreregex = 

[Init]
journalmatch = _SYSTEMD_UNIT=proftpd.service

# Author: Yaroslav Halchenko
#         Daniel Black - hardening of regex
typo 2020-04-04 00:38:17 +00:00			`# Fail2Ban filter for the Proftpd FTP daemon`
added sections for sasl and proftpd authentications git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@402 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-10-02 13:42:36 +00:00			`#`
BF/DOC: fix filename in documentation for filter.d/proftpd 2013-12-09 03:46:01 +00:00			`# Set "UseReverseDNS off" in proftpd.conf to avoid the need for DNS.`
DOC: proftp - turn off ReverseDNS 2013-12-09 03:45:09 +00:00			`# See: http://www.proftpd.org/docs/howto/DNS.html`
Non-US locale warning for proftpd 2015-04-06 15:04:41 +00:00			`# When the default locale for your system is not en_US.UTF-8`
Update proftpd.conf 2015-04-08 13:57:39 +00:00			`# on Debian-based systems be sure to add this to /etc/default/proftpd`
Non-US locale warning for proftpd 2015-04-06 15:04:41 +00:00			`# export LC_TIME="en_US.UTF-8"`
ENH: proftp regex hardening and log messages 2013-06-13 12:11:05 +00:00
			`[INCLUDES]`

			`before = common.conf`

added sections for sasl and proftpd authentications git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@402 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-10-02 13:42:36 +00:00			`[Definition]`

BF: fix daemon name typo for filter proftpd 2013-09-17 21:32:26 +00:00			`_daemon = proftpd`
ENH: Improve proftpd regex. Taken from @yarikoptic comment: https://github.com/fail2ban/fail2ban/pull/303#discussion_r5687500 2013-08-09 17:54:08 +00:00
Merge branch '0.9' into 0.10 (gh-2246) 2020-03-18 15:11:53 +00:00			`__suffix_failed_login = ([uU]ser not authorized for login\|[nN]o such user found\|[iI]ncorrect password\|[pP]assword expired\|[aA]ccount disabled\|[iI]nvalid shell: '\S+'\|[uU]ser in \S+\|[lL]imit (access\|configuration) denies login\|[nN]ot a UserAlias\|[mM]aximum login length exceeded)`
BF: fix daemon name typo for filter proftpd 2013-09-17 21:32:26 +00:00
Several filters optimized with pre-filtering using new option `prefregex` 2017-02-21 14:54:59 +00:00
Merge branch '0.9' into 0.10 (gh-2246) 2020-03-18 15:11:53 +00:00			`prefregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ <F-CONTENT>(?:USER\|SECURITY\|Maximum) .+</F-CONTENT>$`
Several filters optimized with pre-filtering using new option `prefregex` 2017-02-21 14:54:59 +00:00

Merge branch '0.9' into 0.10 (gh-2246) 2020-03-18 15:11:53 +00:00			`failregex = ^USER <F-USER>\S+\|.*?</F-USER>(?: \(Login failed\))?: %(__suffix_failed_login)s`
			`^SECURITY VIOLATION: <F-USER>\S+\|.*?</F-USER> login attempted`
			`^Maximum login attempts \(\d+\) exceeded`
- Added option "ignoreregex" in filter scripts and jail.conf. Feature Request #1283304 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@458 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-11-12 14:52:36 +00:00
- Defined default values in .conf. Should fix Debian bug #398758 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@464 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-11-15 18:44:28 +00:00			`ignoreregex =`
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00
filter.d/proftpd.conf: added option `journalmatch` for systemd backend (closes gh-1613) 2017-06-30 16:00:01 +00:00			`[Init]`
			`journalmatch = _SYSTEMD_UNIT=proftpd.service`

DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`# Author: Yaroslav Halchenko`
			`# Daniel Black - hardening of regex`