
List:       fail2ban-users
Subject:    Re: [Fail2ban-users] Blocking ProFTP Brute Force Attacks on Centos Server ...
From:       YUSUF CAKIR <yusuf () anatoliabt ! com>
Date:       2014-05-02 10:49:21
Message-ID: CF894F02.35175%yusuf () anatoliabt ! com
Hi Dr. Mike and Amir,

Finally I used only this regex, and it worked for me.

proftpd\[\S+\]: \S+ \(\S+\[<HOST>\]\) - USER \S+: no such user found from .*$

Thank you.



On 1.05.2014 17:39, "Dr. Mike Wendell" <theapparatus+fail2ban@gmail.com>
wrote:

> Greets:
> 
> I royally suck at regex and I've really never dug into the scripting
> for fail2ban but why not just block on "no such user found from"?
> After 5 or 6 of those tries, you would think they should be blocked
> anyway....
> 
> I'm assuming you are running a proftpd server on your box, right?  If
> not, I'd just be blocking on that.
> 
> Regards,
> -drmike
> 
> On Wed, Apr 30, 2014 at 8:08 AM, YUSUF CAKIR <yusuf@anatoliabt.com> wrote:
>>  Hello to All Fail2ban Users ;
>> 
>>  I am new to Fail2Ban and also new to regex.
>>  I want to block brute-force attacks against ProFTPD on my CentOS server.
>>  I have the secure log file in /var/log/secure.
>> 
>>  Now I need a regex.
>> 
>>  I tried this, but nothing happened:
>>  USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$
>> 
>>  My log file content looks like this:
>> 
>>  Apr 27 11:38:26 server proftpd[28668]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
>>  Apr 27 11:38:27 server proftpd[28688]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
>>  Apr 27 11:38:28 server proftpd[28696]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
>>  Apr 27 11:38:31 server proftpd[28708]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
>>  Apr 27 11:38:32 server proftpd[28722]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
>>  Apr 27 11:38:34 server proftpd[28730]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
>>  Apr 27 11:38:35 server proftpd[28732]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
>>  Apr 27 11:38:36 server proftpd[28733]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
>>  Apr 27 11:38:38 server proftpd[28734]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
>>  Apr 27 11:38:39 server proftpd[28737]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
>>  Apr 27 11:38:40 server proftpd[28739]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21
>> 
>> 
>> 
>>  Thank you for your response.
>>  Have a nice day …
>> 
>> 
>>  
>> 
>>  ------------------------------------------------------------------------------
>>  "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
>>  Instantly run your Selenium tests across 300+ browser/OS combos.  Get
>>  unparalleled scalability from the best Selenium testing platform available.
>>  Simple to use. Nothing to install. Get started now for free."
>>  http://p.sf.net/sfu/SauceLabs
>>  _______________________________________________
>>  Fail2ban-users mailing list
>>  Fail2ban-users@lists.sourceforge.net
>>  https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>> 
> 

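Added example (not from the thread and not fail2ban's own code): this script does, in plain Python, what fail2ban does with the regex from the final message. It expands the `<HOST>` tag the way fail2ban 0.8.x does (that expansion is an assumption taken from the fail2ban filter code of that era), compiles the failregex, runs it over the log lines posted above plus three constructed lines that must not match or must not reach the ban threshold, and applies the maxretry/findtime counting rule. The values maxretry=5 and findtime=600, the year 2014, the hostnames and the 198.51.100.7 / 203.0.113.9 addresses are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban (0.8.x) expands the <HOST> tag to this named group before compiling a
# failregex. Assumption: copied from the fail2ban filter code of that era; check
# your installed version if the match behaves differently.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the final message above, minus the leading '*' (an e-mail
# formatting artifact; a bare '*' is not a valid Python regex).
FAILREGEX = (r"proftpd\[\S+\]: \S+ \(\S+\[<HOST>\]\) - USER \S+: "
             r"no such user found from .*$")

# Constructed sample log. The first eleven lines reproduce the /var/log/secure
# entries posted in the thread; the last three are made up for this example:
# a second host with only two failures, and a line about a different event.
SAMPLE_LOG = [
    "Apr 27 11:38:26 server proftpd[28668]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21",
    "Apr 27 11:38:27 server proftpd[28688]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21",
    "Apr 27 11:38:28 server proftpd[28696]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21",
    "Apr 27 11:38:31 server proftpd[28708]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21",
    "Apr 27 11:38:32 server proftpd[28722]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21",
    "Apr 27 11:38:34 server proftpd[28730]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21",
    "Apr 27 11:38:35 server proftpd[28732]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21",
    "Apr 27 11:38:36 server proftpd[28733]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21",
    "Apr 27 11:38:38 server proftpd[28734]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21",
    "Apr 27 11:38:39 server proftpd[28737]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21",
    "Apr 27 11:38:40 server proftpd[28739]: 100.100.100.100 (113.21.228.78[113.21.228.78]) - USER test@test.com: no such user found from 113.21.228.78 [113.21.228.78] to 100.100.100.100:21",
    # constructed: a second host that stays below maxretry
    "Apr 27 11:39:02 server proftpd[28801]: 100.100.100.100 (198.51.100.7[198.51.100.7]) - USER admin: no such user found from 198.51.100.7 [198.51.100.7] to 100.100.100.100:21",
    "Apr 27 11:39:05 server proftpd[28803]: 100.100.100.100 (198.51.100.7[198.51.100.7]) - USER root: no such user found from 198.51.100.7 [198.51.100.7] to 100.100.100.100:21",
    # constructed: not a failed login, must not match the failregex
    "Apr 27 11:39:09 server proftpd[28810]: 100.100.100.100 (203.0.113.9[203.0.113.9]) - FTP session opened.",
]


def compile_failregex(failregex=FAILREGEX):
    """Expand <HOST> as fail2ban does, then compile (re.error on a bad regex)."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def parse_syslog_time(line, year=2014):
    """syslog lines carry no year; the thread is from 2014, so assume it."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def scan(lines, failregex=FAILREGEX, maxretry=5, findtime=600):
    """Replay fail2ban's counting rule: a host is banned as soon as it has
    `maxretry` matching failures inside a `findtime`-second window.
    Returns (bans, matched): bans maps host -> timestamp of the failure that
    triggered the ban; matched is how many lines the failregex hit."""
    rx = compile_failregex(failregex)
    recent = defaultdict(deque)   # host -> failure timestamps still inside findtime
    bans, matched = {}, 0
    for line in lines:
        m = rx.search(line)
        if m is None:
            continue              # not a failure line; fail2ban ignores it
        matched += 1
        host, when = m.group("host"), parse_syslog_time(line)
        if host in bans:
            continue              # already banned; nothing more to decide
        q = recent[host]
        q.append(when)
        while (when - q[0]).total_seconds() > findtime:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= maxretry:
            bans[host] = when
    return bans, matched


if __name__ == "__main__":
    bans, matched = scan(SAMPLE_LOG)
    print(f"{matched} of {len(SAMPLE_LOG)} lines matched the failregex")
    for host, when in bans.items():
        print(f"ban {host} (5th failure at {when:%H:%M:%S})")
```

With the thread's lines, 113.21.228.78 is banned at its fifth failure (11:38:32) while 198.51.100.7 never reaches the threshold. On a real CentOS box the equivalent check is `fail2ban-regex /var/log/secure '<failregex>'`, which reports how many lines matched before you enable the jail; a regex that matches in that tool but produces no bans usually points at the jail itself (not enabled, wrong logpath, or the date not being parsed) rather than at the regex.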



