On one CentOS 5.3 64-bit, the proftpd log lines have IP prefixed with "::ffff:", this seems to cause non detection of incorrect ftp login
(/etc/csf/regex.pm ?) :
Code: Select all
/var/log/secure (lfd detection does NOT work)
May 7 10:49:04 vmcentos64 proftpd[9810]: vmcentos64.example.com (::ffff:192.168.0.2[::ffff:192.168.0.2]) - USER xxx: no such user found from ::ffff:192.168.0.2 [::ffff:192.168.0.2] to ::ffff:192.168.0.100:21
May 7 10:49:06 vmcentos64 proftpd[9810]: vmcentos64.example.com (::ffff:192.168.0.2[::ffff:192.168.0.2]) - FTP session closed.
May 6 22:57:49 vmcentos64 proftpd[3772]: vmcentos64.example.com (::ffff:192.168.0.2[::ffff:192.168.0.2) - USER yyy (Login failed): Incorrect password.
Code: Select all
/var/log/secure (lfd detection works)
May 7 10:49:04 vmcentos64 proftpd[9810]: vmcentos64.example.com (192.168.0.2[192.168.0.2]) - USER xxx: no such user found from 192.168.0.2 [192.168.0.2] to 192.168.0.100:21
May 7 10:49:06 vmcentos64 proftpd[9810]: vmcentos64.example.com (192.168.0.2[192.168.0.2]) - FTP session closed.
May 6 22:57:49 vmcentos64 proftpd[3772]: vmcentos64.example.com (192.168.0.2[192.168.0.2) - USER yyy (Login failed): Incorrect password.
Could lfd be updated to take into account both IP formats ?
Or if unfortunately this cannot be done, how can I use custom.regex.pm to handle this? I am not very familiar with regular expressions
so if there are some snippet codes it would be welcome.
2)
Is there an explanation why does proftpd use "::ffff:" prefix?
Thank you.