Could someone point me in the right direction because I feel quite lost.
I have tried to search for an example or clue on this forum and Google. But I can't find a working custom regex.
I'm on a Debian server with DirectAdmin
The following is found in /var/log/proftpd/auth.log
ProFTPd [7098] 123.123.123.123 [10/Feb/2015:15:00:05 +0100] "PASS (hidden)" 530
Since this format is not caught by default I have tried to create a custom regex
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^ProFTPd \[\d+\] \d+.\d+.\d+.\d+ \[\d+\/\S+\/\d+:\d+:\d+\:\d+ \+\d+\] \"PASS \(hidden\)\" 530/)) {
return ("Failed FTP login from",$1,"myftpmatch","3","21","1");
}
The regex string catches the log string on various regex online tools. So as far I understand it should be ok.
In config file /etc/csf/csf.conf
LP_TRIGGER=0
CUSTOM2_LOG is set to /var/log/proftpd/auth.log
Any ideas?
Regex ProFtpd 530 DA -Solved
Regex ProFtpd 530 DA -Solved
Last edited by laban1971 on 11 Feb 2015, 21:33, edited 1 time in total.
Re: Regex ProFtpd 530 DA
Try:
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^ProFTPd \[\d+\] (\S+) \[\d+\/\S+\/\d+:\d+:\d+\:\d+ \+\d+\] \"PASS \(hidden\)\" 530/)) {
return ("Failed FTP login from",$1,"myftpmatch","3","21","1");
}
$1 = (\S+), the $1 will be 123.123.123.123 and that's the IP that will be blocked.
Sergio
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^ProFTPd \[\d+\] (\S+) \[\d+\/\S+\/\d+:\d+:\d+\:\d+ \+\d+\] \"PASS \(hidden\)\" 530/)) {
return ("Failed FTP login from",$1,"myftpmatch","3","21","1");
}
$1 = (\S+), the $1 will be 123.123.123.123 and that's the IP that will be blocked.
Sergio
Re: Regex ProFtpd 530 DA
Yes! It did the trick!
Thank you so much Sergio!
Thank you so much Sergio!
Re: Regex ProFtpd 530 DA -Solved
Your welcome.
Regards.
Regards.