Code:
Sep 16 10:57:47 s3 proftpd[813674]: 10.10.10.10 (119.18.153.66[119.18.153.66]) - USER admin (Login failed): Incorrect password
Sep 16 10:57:54 s3 proftpd[813766]: 10.10.10.10 (119.18.153.66[119.18.153.66]) - USER admin (Login failed): Incorrect password
Sep 16 10:57:58 s3 proftpd[813980]: 10.10.10.10 (119.18.153.66[119.18.153.66]) - USER admin (Login failed): Incorrect password
Sep 16 10:58:01 s3 proftpd[814166]: 10.10.10.10 (119.18.153.66[119.18.153.66]) - USER admin (Login failed): Incorrect password
Sep 16 10:58:05 s3 proftpd[814293]: 10.10.10.10 (119.18.153.66[119.18.153.66]) - USER admin (Login failed): Incorrect password
Sep 16 10:58:09 s3 proftpd[814384]: 10.10.10.10 (119.18.153.66[119.18.153.66]) - USER admin (Login failed): Incorrect password
Sep 16 10:58:12 s3 proftpd[814530]: 10.10.10.10 (119.18.153.66[119.18.153.66]) - USER admin (Login failed): Incorrect password
Sep 16 10:58:16 s3 proftpd[814630]: 10.10.10.10 (119.18.153.66[119.18.153.66]) - USER admin (Login failed): Incorrect password
Sep 16 10:58:19 s3 proftpd[814721]: 10.10.10.10 (119.18.153.66[119.18.153.66]) - USER admin (Login failed): Incorrect password
Sep 16 10:58:22 s3 proftpd[814846]: 10.10.10.10 (119.18.153.66[119.18.153.66]) - USER admin (Login failed): Incorrect password
Sep 16 10:58:26 s3 proftpd[814933]: 10.10.10.10 (119.18.153.66[119.18.153.66]) - USER admin (Login failed): Incorrect password
Sep 16 10:58:29 s3 proftpd[815019]: 10.10.10.10 (119.18.153.66[119.18.153.66]) - USER admin (Login failed): Incorrect password
This is the line in regex.pm that should block it.
Code:
if (($config{LF_FTPD}) and ($globlogs{FTPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\)( -)?:? - USER (\S*) \(Login failed\): Incorrect password\./)) {
    $ip = $2; $acc = $4; $ip =~ s/^::ffff://; $acc =~ s/:$//g;
    if (checkip(\$ip)) {return ("Failed FTP login from","$ip|$acc","ftpd")} else {return}
}
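
To locate where the posted pattern stops matching the posted log lines, this added example (not part of the original post and not the project's own code) splits the regex.pm pattern into consecutive pieces and tests each cumulative prefix against one log line copied from above. The `@relaxed` variant with an optional trailing period is a hypothetical comparison constructed here, not the project's fix.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# One of the log lines from the post, copied as shown (no trailing period).
my $line = 'Sep 16 10:57:47 s3 proftpd[813674]: 10.10.10.10 '
         . '(119.18.153.66[119.18.153.66]) - USER admin (Login failed): Incorrect password';

# The regex.pm pattern from the post, split into consecutive pieces so that
# each cumulative prefix is itself a valid regex. Joined, they equal the original.
my @pieces = (
    '^(\S+|\S+\s+\d+\s+\S+) \S+ proftpd\[\d+\]:?',   # timestamp, host, daemon[pid]
    ' \S+ \([^\[]+\[(\S+)\]\)',                      # server address, client host[ip]
    '( -)?:? - USER (\S*)',                          # separator and account name
    ' \(Login failed\): Incorrect password',         # failure text
    '\.',                                            # trailing period
);

# Return the index of the first piece that stops the line from matching,
# or -1 when the whole pattern matches.
sub first_failing_piece {
    my ($text, @parts) = @_;
    my $prefix = '';
    for my $i (0 .. $#parts) {
        $prefix .= $parts[$i];
        return $i unless $text =~ /$prefix/;
    }
    return -1;
}

my $bad = first_failing_piece($line, @pieces);
if ($bad < 0) {
    print "pattern matches\n";
} else {
    print "no match; first failing piece: $pieces[$bad]\n";
}

# Hypothetical variant for comparison only (not the project's code):
# the trailing period is made optional.
my @relaxed = (@pieces[0 .. 3], '\.?');
my $full = join '', @relaxed;
if ($line =~ /$full/) {
    my ($ip, $acc) = ($2, $4);   # same capture groups the regex.pm code uses
    print "relaxed pattern matches: ip=$ip account=$acc\n";
}
```

Running the same check against a line taken directly from the server's log file, rather than from the forum rendering, confirms whether the period is really absent there.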