From 8614ca8c41a0d868f0d54d219666374216fb70d4 Mon Sep 17 00:00:00 2001 From: Shane Forsythe <2287983+shaneforsythe@users.noreply.github.com> Date: Tue, 2 Oct 2018 17:24:33 -0400 Subject: [PATCH] Update proftpd.conf proftpd 1.3.5e can leave inconsistent error message if ftp or mod_sftp is used Oct 2 15:45:31 ftp01 proftpd[5516]: 10.10.2.13 (10.10.2.189[10.10.2.189]) - SECURITY VIOLATION: Root login attempted Oct 2 15:45:44 ftp01 proftpd[5517]: 10.10.2.13 (10.10.2.189[10.10.2.189]) - SECURITY VIOLATION: Root login attempted. Fix regex to make trailing period optional, otherwise brute force attacks against root account using ftp are not blocked correctly. --- config/filter.d/proftpd.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/proftpd.conf b/config/filter.d/proftpd.conf index 303be5e5..feb59f11 100644 --- a/config/filter.d/proftpd.conf +++ b/config/filter.d/proftpd.conf @@ -18,7 +18,7 @@ __suffix_failed_login = (User not authorized for login|No such user found|Incorr failregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$ ^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ USER .* \(Login failed\): %(__suffix_failed_login)s\s*$ - ^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ SECURITY VIOLATION: .* login attempted\. *$ + ^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ SECURITY VIOLATION: .* login attempted\.? *$ ^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$ ignoreregex =
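Review bot: On the changed `SECURITY VIOLATION` line, `\.? *$` now accepts both forms quoted in the commit message, but the diffstat shows only config/filter.d/proftpd.conf changed, so nothing in this patch exercises the variant without the trailing period. Consider adding the first log line from the commit message (the one ending in "Root login attempted" with no period) as a regression sample for this filter, so that a later tightening of the pattern cannot silently stop matching root login attempts again. As a minor style point, the rule directly above ends with `\s*$` while this one keeps ` *$`; using the same trailing-whitespace form in both would make the rules easier to compare.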