Regex ProFtpd 530 DA -Solved

laban1971
Junior Member
Posts: 5
Joined: 10 Feb 2015, 14:35

Regex ProFtpd 530 DA -Solved

Post by laban1971 »

Could someone point me in the right direction because I feel quite lost.
I have tried to search for an example or clue on this forum and Google. But I can't find a working custom regex.

I'm on a Debian server with DirectAdmin

The following is found in /var/log/proftpd/auth.log
ProFTPd [7098] 123.123.123.123 [10/Feb/2015:15:00:05 +0100] "PASS (hidden)" 530

Since this format is not caught by default I have tried to create a custom regex

if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^ProFTPd \[\d+\] \d+.\d+.\d+.\d+ \[\d+\/\S+\/\d+:\d+:\d+\:\d+ \+\d+\] \"PASS \(hidden\)\" 530/)) {
    return ("Failed FTP login from",$1,"myftpmatch","3","21","1");
}

The regex string catches the log string on various online regex tools. So as far as I understand, it should be ok.

In config file /etc/csf/csf.conf
LP_TRIGGER=0
CUSTOM2_LOG is set to /var/log/proftpd/auth.log

Any ideas?
Last edited by laban1971 on 11 Feb 2015, 21:33, edited 1 time in total.
Sergio
Junior Member
Posts: 1714
Joined: 12 Dec 2006, 14:56

Re: Regex ProFtpd 530 DA

Post by Sergio »

Try:

if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^ProFTPd \[\d+\] (\S+) \[\d+\/\S+\/\d+:\d+:\d+\:\d+ \+\d+\] \"PASS \(hidden\)\" 530/)) {
    return ("Failed FTP login from",$1,"myftpmatch","3","21","1");
}

$1 = (\S+), the $1 will be 123.123.123.123 and that's the IP that will be blocked.

Sergio
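
The difference between the two rules above, as an added example that is not part of either post: a stand-alone Perl harness (not CSF code; the sub names and the second and third log lines are constructed for illustration) that runs both regexes over sample lines. It shows that the rule from the question matches the 530 line but leaves $1 undefined, while the (\S+) version returns the client IP.

```perl
#!/usr/bin/perl
# Added example: stand-alone harness, not CSF code. It mimics only the
# shape of a custom regex rule: match a log line, return the IP in $1.
use strict;
use warnings;

# Rule from the question: matches the line but has no capture group.
sub rule_no_capture {
    my ($line) = @_;
    if ($line =~ /^ProFTPd \[\d+\] \d+.\d+.\d+.\d+ \[\d+\/\S+\/\d+:\d+:\d+\:\d+ \+\d+\] \"PASS \(hidden\)\" 530/) {
        return ("Failed FTP login from", $1, "myftpmatch", "3", "21", "1");
    }
    return;
}

# Rule from the answer: (\S+) captures the client address into $1.
sub rule_capture {
    my ($line) = @_;
    if ($line =~ /^ProFTPd \[\d+\] (\S+) \[\d+\/\S+\/\d+:\d+:\d+\:\d+ \+\d+\] \"PASS \(hidden\)\" 530/) {
        return ("Failed FTP login from", $1, "myftpmatch", "3", "21", "1");
    }
    return;
}

# Sample lines: the first is the one quoted in the thread, the others are
# constructed for this example (successful login, unrelated command).
my @lines = (
    'ProFTPd [7098] 123.123.123.123 [10/Feb/2015:15:00:05 +0100] "PASS (hidden)" 530',
    'ProFTPd [7099] 123.123.123.123 [10/Feb/2015:15:00:09 +0100] "PASS (hidden)" 230',
    'ProFTPd [7100] 123.123.123.123 [10/Feb/2015:15:00:12 +0100] "USER demo" 331',
);

for my $rule ([no_capture => \&rule_no_capture], [capture => \&rule_capture]) {
    my ($name, $code) = @$rule;
    for my $line (@lines) {
        my @hit = $code->($line);
        my $status = !@hit            ? "no match"
                   : !defined $hit[1] ? "matched, but \$1 is undef (nothing to block)"
                   :                    "matched, ip=$hit[1]";
        printf "%-10s %s\n    %s\n", $name, $status, $line;
    }
}
```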
laban1971
Junior Member
Posts: 5
Joined: 10 Feb 2015, 14:35

Re: Regex ProFtpd 530 DA

Post by laban1971 »

Yes! It did the trick!

Thank you so much Sergio!
Sergio
Junior Member
Posts: 1714
Joined: 12 Dec 2006, 14:56

Re: Regex ProFtpd 530 DA -Solved

Post by Sergio »

You're welcome.

Regards.