
Login attempts to proftp not blocked (debian 8, virtualmin)

Posted: 18 May 2015, 11:12
by laban1971
Hi,
I can't figure out why these proftpd login attempts are not blocked.

Snippet from /var/log/proftpd/proftpd.log

2015-05-18 11:56:02,688 server.xxx.xxx proftpd[5035] server.xxx.xxx (2002:706f:bfed::706f:bfed[2002:706f:bfed::706f:bfed]): USER valid_user (Login failed): Incorrect password

2015-05-18 11:56:21,583 server.xxx.xxx proftpd[5041] server.xxx.xxx (112.111.191.237[112.111.191.237]): USER oneuser: no such user found from 112.111.191.237 [112.111.191.237] to ::ffff:123.123.123.123:21


Any ideas? What have I missed?

LF_FTPD = 5

FTPD_LOG = /var/log/proftpd/proftpd.log

Is it the timestamp format that causes the problem? YYYY-MM-DD HH:MM:SS,xxx

I tried a custom regex but that didn't work. ^.* \S+ proftpd\[\d+\] \S+ (\S+[\S+])?:? USER (\S*) no such user found from .*

Any ideas are welcome!

Re: Login attempts to proftp not blocked (debian 8, virtualmin)

Posted: 21 May 2015, 20:14
by laban1971
Ok, looks like I finally got the regex right.

This regex

.* \S+ proftpd\[\d+\] \S+ \([^\[]+\[(\S+)\]\): USER \S+ no such user found from

catches

2015-05-18 11:56:21,583 server.xxx.xxx proftpd[5041] server.xxx.xxx (112.111.191.237[112.111.191.237]): USER oneuser: no such user found from 112.111.191.237 [112.111.191.237] to ::ffff:123.123.123.123:21

Hope it helps someone!

Re: Login attempts to proftp not blocked (debian 8, virtualmin)

Posted: 22 May 2015, 12:08
by laban1971
The regex above doesn't catch the log line if a hostname is present instead of an IP address.

2015-05-18 11:56:21,583 server.xxx.xxx proftpd[5041] server.xxx.xxx (j-G0-0-4-102-gacc03.sls.embratel.net.br[112.111.191.237]): USER oneuser: no such user found from 112.111.191.237 [112.111.191.237] to ::ffff:123.123.123.123:21

This modified regex works better.

.* \S+ proftpd\[\d+\] \S+ \(\S+\[(\S+)\]\): USER \S+ no such user found from
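An added example, not part of the posts above: a Python harness that runs the final regex from the thread over the three log lines quoted in it, checks that the captured group is a literal IP address, and counts failures per source against the `LF_FTPD = 5` value from the first post. The `bad_password` pattern and the function names are hypothetical additions, reading `LF_FTPD` as the number of failures before a block is an assumption, and Python's `re` is used here only to test the pattern.

```python
import ipaddress
import re
from collections import Counter

HEAD = r".* \S+ proftpd\[\d+\] \S+ \(\S+\[(\S+)\]\): USER \S+ "
PATTERNS = {
    # Final regex from the thread, unchanged (HEAD + tail is the same string).
    "no_such_user": re.compile(HEAD + r"no such user found from"),
    # Hypothetical companion pattern, not from the thread, for the
    # "Incorrect password" line quoted in the first post.
    "bad_password": re.compile(HEAD + r"\(Login failed\): Incorrect password"),
}
LF_FTPD = 5  # value from the first post; assumed to be failures before a block

# Log lines quoted in the thread.
PW_LINE = ("2015-05-18 11:56:02,688 server.xxx.xxx proftpd[5035] server.xxx.xxx "
           "(2002:706f:bfed::706f:bfed[2002:706f:bfed::706f:bfed]): "
           "USER valid_user (Login failed): Incorrect password")
TAIL = ("USER oneuser: no such user found from 112.111.191.237 "
        "[112.111.191.237] to ::ffff:123.123.123.123:21")
PREFIX = "2015-05-18 11:56:21,583 server.xxx.xxx proftpd[5041] server.xxx.xxx "
IP_LINE = PREFIX + "(112.111.191.237[112.111.191.237]): " + TAIL
HOST_LINE = (PREFIX + "(j-G0-0-4-102-gacc03.sls.embratel.net.br"
             "[112.111.191.237]): " + TAIL)


def classify(line):
    """Return (kind, ip) for a failed-login line, or None if nothing matches."""
    for kind, pattern in PATTERNS.items():
        m = pattern.match(line)
        if not m:
            continue
        try:
            # Only accept a capture that parses as an IPv4 or IPv6 address.
            return kind, str(ipaddress.ip_address(m.group(1)))
        except ValueError:
            return None
    return None


def offenders(lines, threshold=LF_FTPD):
    """Return {ip: failures} for sources at or over the threshold."""
    counts = Counter(hit[1] for hit in map(classify, lines) if hit)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for sample in (PW_LINE, IP_LINE, HOST_LINE):
        print(classify(sample))
```
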