From 1e06ab68b4eba5391b78c5da8fbd5d062a965376 Mon Sep 17 00:00:00 2001 From: sebres Date: Tue, 4 Mar 2025 13:47:59 +0100 Subject: [PATCH] fixed filter (new regex is unneeded), tests format of failures produced by system journal --- config/filter.d/vsftpd.conf | 3 +-- fail2ban/tests/files/logs/vsftpd | 6 ++++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/config/filter.d/vsftpd.conf b/config/filter.d/vsftpd.conf index 44646086..859a67c3 100644 --- a/config/filter.d/vsftpd.conf +++ b/config/filter.d/vsftpd.conf @@ -14,8 +14,7 @@ __pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:? _daemon = vsftpd failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=(?:\s+user=.*)?\s*$ - ^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client ""(?:\s*$|,) - ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]) vsftpd\[\d+\]: \[[^\]]+\] FAIL LOGIN: Client ""(?:\s*$|,) + ^(?:\s*\[pid \d+\] |%(__prefix_line)s)\[[^\]]+\] FAIL LOGIN: Client ""(?:\s*$|,) ignoreregex = diff --git a/fail2ban/tests/files/logs/vsftpd b/fail2ban/tests/files/logs/vsftpd index 747cb6e1..ab51fd75 100644 --- a/fail2ban/tests/files/logs/vsftpd +++ b/fail2ban/tests/files/logs/vsftpd @@ -16,5 +16,7 @@ Oct 23 21:15:42 vps vsftpd: pam_unix(vsftpd:auth): authentication failure; logna # failJSON: { "time": "2016-09-08T00:39:49", "match": true , "host": "192.0.2.1" } Thu Sep 8 00:39:49 2016 [pid 15019] [guest] FAIL LOGIN: Client "::ffff:192.0.2.1", "User is not in the allow user list." -# systemd-journal -2025-03-04T01:06:36.645577 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[1658]: [username] FAIL LOGIN: Client "121.251.18.222" +# fileOptions: {"logtype": "journal"} + +# failJSON: { "match": true , "host": "192.0.2.222" } +2025-03-04T01:06:36.645577 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[1658]: [username] FAIL LOGIN: Client "192.0.2.222"
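Review bot: The merged `failregex` line does not say which log format each branch of `(?:\s*\[pid \d+\] |%(__prefix_line)s)` covers, and the second branch now depends entirely on `%(__prefix_line)s` from common.conf. A comment above `failregex` would make that explicit, e.g. `# 2nd expr: vsftpd.log ("[pid N] [user] FAIL LOGIN ...") or syslog/journal ("host vsftpd[N]: [user] FAIL LOGIN ...")`. If `__prefix_line` is built from optional groups, as I believe it is, that branch can match a line with no `vsftpd[...]` tag at all, so the jail's log path or journal match should restrict input to vsftpd's own messages; that belongs in the same comment. Separately, `Client ""` is empty between the quotes on this page, which looks like the host capture tag (`<HOST>`) lost in rendering rather than part of the change; a filter copied from here as shown would have no host capture.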
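Review bot: The journal sample added at the end of the test log still carries what looks like a real cloud-internal hostname, `ip-172-31-3-150.ap-southeast-2.compute.internal`, even though the same change replaces the client address with the documentation range `192.0.2.222`. A neutral name such as `srv` (constructed) would exercise the filter equally well, since the regex only needs a hostname token, the `vsftpd[1658]:` tag and the quoted client. A second journal sample with text after the client, like the `, "User is not in the allow user list."` tail in the file-log sample above it, would also cover the `,` alternative of `(?:\s*$|,)` for this prefix.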