Package: fail2ban
Version: 0.8.1-4
Severity: normal
Tags: patch

Hi,

It seems that Sid's version of proftpd has some changes to the logging
compared to Etch.

First, it now uses /var/log/auth.log instead of
/var/log/proftpd/proftpd.log. That would require changing jail.conf and
I am not sure how to make this compatible with older proftpd.

Second, the log messages are a bit different. Here are the current
patterns:
  failregex = \(\S+\[<HOST>\]\): USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+$
              \(\S+\[<HOST>\]\): USER \S+ \(Login failed\): Incorrect password\.$
              \(\S+\[<HOST>\]\): SECURITY VIOLATION: \S+ login attempted\.$
              \(\S+\[<HOST>\]\): Maximum login attempts \(\d+\) exceeded$

Changes:

  1. New proftpd no longer uses ": ", but " - " between the host and the
  error message.

  2. The maximum login attempts message now has ", connection refused"
  appended.

  3. The "no such user" pattern after the \S+ supports only "bare" IPv4,
  while proftpd now uses ::ffff:... for that.

Here are patterns that should work both on etch and sid:

failregex = \(\S+\[<HOST>\]\)(?::| -) USER \S+: no such user found from \S+ \S+ to \S+:\S+$
            \(\S+\[<HOST>\]\)(?::| -) USER \S+ \(Login failed\): Incorrect password\.$
            \(\S+\[<HOST>\]\)(?::| -) SECURITY VIOLATION: \S+ login attempted\.$
            \(\S+\[<HOST>\]\)(?::| -) Maximum login attempts \(\d+\) exceeded(?:, connection refused)?$


I wonder, is it possible to move jail/filter configuration from fail2ban
to the respective packages?


Thanks in advance,
    dam

-- System Information:
Debian Release: lenny/sid
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/2 CPU cores)
Locale: LANG=bg_BG.UTF-8, LC_CTYPE=bg_BG.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages fail2ban depends on:
ii  lsb-base                      3.1-24     Linux Standard Base 3.1 init scrip
ii  python                        2.4.4-6    An interactive high-level object-o
ii  python-central                0.5.15-0.1 register and build utility for Pyt

Versions of packages fail2ban recommends:
ii  iptables                      1.4.0-3    administration tools for packet fi

-- no debconf information
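
Added example, not part of the original report or of fail2ban: a regression check that runs the current and the proposed patterns against both log formats and reports which host each one extracts. The `HOST` expression is a simplified stand-in for fail2ban's `<HOST>` tag, the log lines are constructed from the three changes listed in the report, and the optional ", connection refused" group is written without a trailing space.

```python
import re

# Assumption: simplified stand-in for fail2ban's <HOST> tag, with an optional
# IPv4-mapped IPv6 prefix kept outside the captured address.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

HEAD = r"\(\S+\[<HOST>\]\)"
OLD = [  # "current patterns" quoted in the report, line wraps joined
    HEAD + r": USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+$",
    HEAD + r": USER \S+ \(Login failed\): Incorrect password\.$",
    HEAD + r": SECURITY VIOLATION: \S+ login attempted\.$",
    HEAD + r": Maximum login attempts \(\d+\) exceeded$",
]
SEP = HEAD + r"(?::| -)"
NEW = [  # proposed patterns; optional suffix written without a trailing space
    SEP + r" USER \S+: no such user found from \S+ \S+ to \S+:\S+$",
    SEP + r" USER \S+ \(Login failed\): Incorrect password\.$",
    SEP + r" SECURITY VIOLATION: \S+ login attempted\.$",
    SEP + r" Maximum login attempts \(\d+\) exceeded(?:, connection refused)?$",
]

def sample(sep, ip, suffix=""):
    """Constructed log lines (not captured from a real server)."""
    pre = f"Mar  1 12:00:00 ftp proftpd[4242]: ftp.example.org ({ip}[{ip}]){sep} "
    return [
        pre + f"USER admin: no such user found from {ip} [{ip}] to {ip}:21",
        pre + "USER admin (Login failed): Incorrect password.",
        pre + "SECURITY VIOLATION: root login attempted.",
        pre + f"Maximum login attempts (3) exceeded{suffix}",
    ]

SAMPLES = {
    "etch": sample(":", "192.0.2.10"),
    "sid": sample(" -", "::ffff:192.0.2.10", ", connection refused"),
}

def banned_host(patterns, logline):
    """Return the address a matching pattern captures, or None if none match."""
    for pattern in patterns:
        m = re.search(pattern.replace("<HOST>", HOST), logline)
        if m:
            return m.group("host")
    return None

def coverage(patterns):
    """Map each log format to the host extracted from each of its sample lines."""
    return {fmt: [banned_host(patterns, l) for l in lines]
            for fmt, lines in SAMPLES.items()}
```

`coverage(OLD)` returns `None` for every Sid-format line, which means failed logins go unbanned after the upgrade; `coverage(NEW)` extracts the same address from both formats.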


