ConfigServer Community Forum

The regex above don't catch log line if contains hostname is present instead of IP address. 2015-05-18 11:56:21,583 server.xxx.xxx proftpd[5041] server.xxx.xxx (j-G0-0-4-102-gacc03.sls.embratel.net.br[112.111.191.237]): USER oneuser: no such user found from 112.111.191.237 [112.111.191.237] to ::fff...

Ok, looks like I finally got the regex right. This regex .* \S+ proftpd\[\d+\] \S+ \([^\[]+\[(\S+)\]\): USER \S+ no such user found from catches 2015-05-18 11:56:21,583 server.xxx.xxx proftpd[5041] server.xxx.xxx (112.111.191.237[112.111.191.237]): USER oneuser: no such user found from 112.111.191.2...

Hi, I can't figure out why these proftpd login attempts are not blocked. Snippet from /var/log/proftpd/proftpd.log 2015-05-18 11:56:02,688 server.xxx.xxx proftpd[5035] server.xxx.xxx (2002:706f:bfed::706f:bfed[2002:706f:bfed::706f:bfed]): USER valid_user (Login failed): Incorrect password 2015-05-18...

Yes! It did the trick!

Thank you so much Sergio!

Could someone point me in the right direction because I feel quite lost. I have tried to search for an example or clue on this forum and Google. But I can't find a working custom regex. I'm on a Debian server with DirectAdmin The following is found in /var/log/proftpd/auth.log ProFTPd [7098] 123.123...