From 9fb167b5e11530df0383aac858a17fcaf638a6aa Mon Sep 17 00:00:00 2001
From: sebres
Date: Fri, 9 Sep 2016 09:14:29 +0200
Subject: [PATCH] filter.d/vsftpd.conf: optional reason message after FAIL LOGIN, closes #1543
---
 ChangeLog | 3 +++
 config/filter.d/vsftpd.conf | 2 +-
 fail2ban/tests/files/logs/vsftpd | 3 +++
 3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 5f97c996..ff68bab8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -32,6 +32,9 @@ releases.
 - Extended failregex and test cases to handle ASSP V1 and V2 (gh-1494)
 * `filter.d/postfix-sasl.conf`
 - Allow for having no trailing space after 'failed:' (gh-1497)
+* `filter.d/vsftpd.conf`
+ - Optional reason part in message after FAIL LOGIN (gh-1543)
+
 ### New Features
diff --git a/config/filter.d/vsftpd.conf b/config/filter.d/vsftpd.conf
index 930b0d7e..2ecc44d3 100644
--- a/config/filter.d/vsftpd.conf
+++ b/config/filter.d/vsftpd.conf
@@ -14,7 +14,7 @@ __pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:?
 _daemon = vsftpd
 failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=(?:\s+user=.*)?\s*$
- ^ \[pid \d+\] \[.+\] FAIL LOGIN: Client ""\s*$
+ ^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client ""(?:\s*$|,)
 ignoreregex =
diff --git a/fail2ban/tests/files/logs/vsftpd b/fail2ban/tests/files/logs/vsftpd
index bcd7f611..3205fac3 100644
--- a/fail2ban/tests/files/logs/vsftpd
+++ b/fail2ban/tests/files/logs/vsftpd
@@ -12,3 +12,6 @@ Fri Jan 19 12:20:33 2007 [pid 27202] [anonymous] FAIL LOGIN: Client "64.106.46.9
 # failJSON: { "time": "2004-10-23T21:15:42", "match": true , "host": "58.254.172.161" }
 Oct 23 21:15:42 vps vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=58.254.172.161
+
+# failJSON: { "time": "2016-09-08T00:39:49", "match": true , "host": "192.0.2.1" }
+Thu Sep 8 00:39:49 2016 [pid 15019] [guest] FAIL LOGIN: Client "::ffff:192.0.2.1", "User is not in the allow user list."
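Review bot: In config/filter.d/vsftpd.conf the new tail `(?:\s*$|,)` lets the second failregex stop at the first comma after the quoted client address, so the match is no longer tied to the end of the line as it was with `\s*$`. The bracketed user name before FAIL LOGIN is supplied by the client, and whether vsftpd escapes brackets or quotes in it is not visible here; if it does not, text inside that field could be taken as the client address and fail2ban would ban an address the connection did not come from. Keeping the end anchor while still allowing the reason, e.g. `(?:,\s*"[^"]*")?\s*$` in place of `(?:\s*$|,)`, retains the old guarantee. A `"match": false` sample in fail2ban/tests/files/logs/vsftpd for a user field that itself contains a quoted address would pin this behaviour.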