Posted: 07 Feb 2010, 09:42
It won't scan that line as it's not an IP address. lfd doesn't do DNS lookups on domain names.
Peer support forums for ConfigServer Scripts
https://mail.forum.configserver.com/
Code:
root@lamnk:/var/log# grep vsftpd /var/log/secure
Sep 23 07:16:13 lamnk vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Sep 23 07:16:13 lamnk vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=123.189.26.74
Sep 23 07:16:13 lamnk vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user admin
Sep 23 07:16:14 lamnk vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Sep 23 07:16:14 lamnk vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=123.189.26.74
Sep 23 07:16:14 lamnk vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user test
Sep 23 07:16:16 lamnk vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Sep 23 07:16:16 lamnk vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=web rhost=123.189.26.74
Sep 23 07:16:16 lamnk vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user web
Code:
# lfd vsftpd matcher (regex.pm style). Captures: $1 = logging host,
# $2 = ruser (account tried), $3 = rhost (remote address). The pam_unix
# line carries three fields (uid= euid= tty=) between logname= and ruser=,
# and syslog pads single-digit days with a second space.
if (($config{LF_FTPD}) and ($lgfile eq $config{FTPD_LOG}) and ($line =~ /^\w+\s+\d{1,2} \d{2}:\d{2}:\d{2} (\S+) vsftpd: pam_unix\(vsftpd:auth\): authentication failure; logname=\S*\s+uid=\S*\s+euid=\S*\s+tty=\S*\s+ruser=(\S*)\s+rhost=(\S+)\s*/)) {
    $host = $1; $acc = $2; $ip = $3;
    $ip =~ s/^::ffff://;    # strip the IPv4-mapped IPv6 prefix
    # checkip() accepts address literals only; a hostname in rhost is
    # ignored (lfd does not resolve names), so no failure is recorded.
    if (&checkip($ip)) {
        return ("Failed FTP login on", $host, "from", $ip, " | ", $acc, "vsftpd");
    } else {
        return;
    }
}
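As an added example (Python, not lfd's Perl and not code posted in this thread), the same matching logic run over a constructed log in the pam_unix(vsftpd:auth) format shown above. The regex is written for that line layout rather than copied from lfd; the `checkip` stand-in accepts only IPv4/IPv6 literals (the ::ffff: prefix stripped, as lfd does) and never resolves names, so a hostname in rhost is reported as skipped instead of counted; the addresses 192.0.2.10 and ftp.example.net are constructed values, and the block threshold is an assumed number standing in for LF_FTPD.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input: three lines in the shape of the thread's vsftpd log
# (rhost is an IP literal), plus two constructed lines, one with an IPv4-mapped
# IPv6 address and one where the remote host was logged as a hostname.
SAMPLE_LOG = """\
Sep 23 07:16:13 lamnk vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Sep 23 07:16:13 lamnk vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=123.189.26.74
Sep 23 07:16:14 lamnk vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=123.189.26.74
Sep 23 07:16:16 lamnk vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=web rhost=123.189.26.74
Sep 23 07:16:20 lamnk vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser= rhost=::ffff:192.0.2.10
Sep 23 07:16:25 lamnk vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=guest rhost=ftp.example.net
"""

# Written for the line layout above (not lfd's own pattern): month, day
# (syslog pads single-digit days with a second space), time, logging host,
# then the fixed pam_unix field order uid= euid= tty= ruser= rhost=.
VSFTPD_FAIL = re.compile(
    r"^\w+\s+\d{1,2} \d{2}:\d{2}:\d{2} (\S+) vsftpd: "
    r"pam_unix\(vsftpd:auth\): authentication failure; "
    r"logname=\S* uid=\d+ euid=\d+ tty=\S* ruser=(\S*) rhost=(\S+)"
)


def checkip(value):
    """Return the normalised address if value is an IPv4/IPv6 literal, else None.

    Mirrors lfd's behaviour: the IPv4-mapped ::ffff: prefix is stripped and
    no DNS lookup is ever attempted, so hostnames are rejected outright.
    """
    if value.startswith("::ffff:"):
        value = value[len("::ffff:"):]
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def scan_line(line):
    """Parse one log line; None when it is not a vsftpd auth failure."""
    m = VSFTPD_FAIL.match(line)
    if m is None:
        return None
    host, account, rhost = m.groups()
    return {"host": host, "account": account, "rhost": rhost, "ip": checkip(rhost)}


def count_failures(log_text):
    """Count failures per source IP; collect rhost values that are not IP literals."""
    counts = Counter()
    skipped = []
    for line in log_text.splitlines():
        hit = scan_line(line)
        if hit is None:
            continue            # "check pass" and other noise lines
        if hit["ip"] is None:
            skipped.append(hit["rhost"])   # hostname: not counted, not blocked
            continue
        counts[hit["ip"]] += 1
    return counts, skipped


def ips_over_threshold(counts, threshold):
    """Addresses that reached the (assumed) LF_FTPD-style trigger count."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    counts, skipped = count_failures(SAMPLE_LOG)
    print("failures per IP:", dict(counts))
    print("rhost values ignored (not IP literals):", skipped)
    print("would block at 3 failures:", ips_over_threshold(counts, 3))
```

Running it shows three failures attributed to 123.189.26.74, one to 192.0.2.10 after the ::ffff: prefix is removed, and ftp.example.net listed as ignored; that last line is exactly the case the reply above describes, since lfd only acts on addresses it can put into a firewall rule and never resolves a name to get one.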