[BlueOnyx:00596] Re: fail2ban failregex statements
Jeff Folk
jfolk at qzoneinc.com
Fri Feb 20 22:52:39 -05 2009
On Feb 20, 2009, at 5:42 PM, Phil Hamer wrote:
> Hi.
>
> Will the failregex statements need to be changed for fail2ban?
>
> Has the format of the log files changed in BlueOnyx compared to
> those in BlueQuartz?
>
> If anyone has the failregex statements a copy would be appreciated.
> I hate writing those!
>
> Kind Regards
>
> Phil Hamer.
SSH worked for me "out of the box":
sshd.conf
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$
ProFTPd - I copied over the two lines I was using in BlueQuartz:
proftpd.conf
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
            \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
            \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
            \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$
            \(\S+\[<HOST>\]\) - USER \S+ \(Login failed\):$
            USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$
I'm looking for something that actually works with regards to Dovecot
brute force attacks...
Jeff
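The usual way to check whether a failregex set actually catches the lines your server writes is to run the patterns over real log samples before enabling the jail. The script below is an added example, not Jeff's code and not part of fail2ban itself: it takes the sshd and proftpd failregex lines quoted above, substitutes stand-ins for fail2ban's `<HOST>` and `%(__prefix_line)s` (both stand-ins are simplified assumptions; the real definitions in fail2ban's common.conf are more elaborate), strips the syslog timestamp the way fail2ban's date detector does before matching, and counts matched failures per source host over a few constructed log lines.

```python
import re

# Assumption: simplified stand-ins for fail2ban's substitutions. <HOST> becomes a
# named group, and __prefix_line consumes "hostname daemon[pid]: " after the date.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
PREFIX_LINE = r"\s*(?:\S+ )?(?:[\w\-]+(?:\[\d+\])?:?\s+)?"

# The failregex lines from the message above, one pattern per entry.
SSHD_FAILREGEX = [
    r"^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$",
    r"^%(__prefix_line)sFailed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
    r"^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$",
    r"^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
    r"^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$",
    r"^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$",
    r"^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$",
    r"^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$",
]
PROFTPD_FAILREGEX = [
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$",
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$",
    r"\(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$",
    r"\(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$",
    r"\(\S+\[<HOST>\]\) - USER \S+ \(Login failed\):$",
    r"USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$",
]

# Leading syslog timestamp ("Feb 20 22:52:39 "); fail2ban removes it before matching.
SYSLOG_DATE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")

# Constructed sample log lines (hostnames and addresses are made up for the example).
SAMPLE_SSHD_LOG = [
    "Feb 20 22:52:39 bx sshd[1234]: Failed password for invalid user admin from 10.0.0.5 port 4321 ssh2",
    "Feb 20 22:52:40 bx sshd[1235]: Invalid user oracle from 10.0.0.5",
    "Feb 20 22:52:41 bx sshd[1236]: Accepted publickey for jeff from 192.0.2.9 port 5555 ssh2",
    "Feb 20 22:52:42 bx sshd[1237]: Failed password for root from 10.0.0.5 port 4322 ssh2",
]
SAMPLE_PROFTPD_LOG = [
    "Feb 20 22:53:00 bx proftpd[2345] bx (example.net[10.0.0.7]): USER bob: no such user found from example.net [10.0.0.7] to 192.0.2.1:21",
    "Feb 20 22:53:01 bx proftpd[2346] bx (example.net[10.0.0.7]): USER alice (Login failed): Incorrect password.",
    "Feb 20 22:53:02 bx proftpd[2346] bx (example.net[10.0.0.7]): Maximum login attempts (3) exceeded",
]


def compile_failregex(patterns):
    """Expand the fail2ban placeholders and compile each failregex line."""
    compiled = []
    for pattern in patterns:
        expanded = pattern.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
        compiled.append(re.compile(expanded))
    return compiled


def match_line(compiled, line):
    """Return the offending host for a log line, or None if no failregex matches."""
    stripped = SYSLOG_DATE.sub("", line, count=1)
    for regex in compiled:
        match = regex.search(stripped)
        if match:
            return match.group("host")
    return None


def count_failures(compiled, lines):
    """Tally matched failures per host, which is what a jail's maxretry is compared against."""
    counts = {}
    for line in lines:
        host = match_line(compiled, line)
        if host is not None:
            counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    print("sshd:   ", count_failures(compile_failregex(SSHD_FAILREGEX), SAMPLE_SSHD_LOG))
    print("proftpd:", count_failures(compile_failregex(PROFTPD_FAILREGEX), SAMPLE_PROFTPD_LOG))
```

Feeding a day's worth of real /var/log/secure and proftpd log lines through `count_failures` shows at once whether a filter is silently missing a message format (a host that should be counted but never appears); that is the check worth doing when moving filters from BlueQuartz to BlueOnyx, since a failregex that matches nothing bans nobody and fail2ban does not warn about it.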