fail2ban/config/filter.d/vsftpd.conf

# Fail2Ban filter for vsftp
#
# Configure VSFTP for "dual_log_enable=YES", and have fail2ban watch
# /var/log/vsftpd.log instead of /var/log/secure. vsftpd.log file shows the
# incoming ip address rather than domain names.

[INCLUDES]

before = common.conf

[Definition]

__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
_daemon =  vsftpd

failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^ \[pid \d+\] \[.+\] FAIL LOGIN: Client "<HOST>"\s*$

ignoreregex = 

# Author: Cyril Jaquier
# Documentation from fail2ban wiki
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`# Fail2Ban filter for vsftp`
- Added header git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@254 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-07-17 19:26:14 +00:00			`#`
DOC: filter.d/vsftpd doco from wiki 2014-01-05 00:30:56 +00:00			`# Configure VSFTP for "dual_log_enable=YES", and have fail2ban watch`
			`# /var/log/vsftpd.log instead of /var/log/secure. vsftpd.log file shows the`
			`# incoming ip address rather than domain names.`
- Added header git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@254 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-07-17 19:26:14 +00:00
ENH: filter.d/vsftpd - pam regex as syslog and anchored at start 2013-10-05 10:01:43 +00:00			`[INCLUDES]`

			`before = common.conf`

- 0.7.0 soon git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@251 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-07-16 21:35:08 +00:00			`[Definition]`

ENH: filter.d/vsftpd - pam regex as syslog and anchored at start 2013-10-05 10:01:43 +00:00			`__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?`
			`_daemon = vsftpd`

FIX: vsftp improvements from Rich Mellor on mailing list 2013-10-25 22:51:25 +00:00			`failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.)?\s$`
ENH: filter.d/vsftpd anchor internal regex at start 2013-10-05 09:47:47 +00:00			`^ \[pid \d+\] \[.+\] FAIL LOGIN: Client "<HOST>"\s*$`
- Added option "ignoreregex" in filter scripts and jail.conf. Feature Request #1283304 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@458 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-11-12 14:52:36 +00:00
- Defined default values in .conf. Should fix Debian bug #398758 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@464 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-11-15 18:44:28 +00:00			`ignoreregex =`
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00
			`# Author: Cyril Jaquier`
DOC: filter.d/vsftpd doco from wiki 2014-01-05 00:30:56 +00:00			`# Documentation from fail2ban wiki`