ProFTPd


ProFTPd is an FTP server. It's promoted as stable and secure when configured properly. The ProFTPd server promotes itself as a "Highly configurable GPL-licensed FTP server software".

Proponents say that ProFTPd is well documented, and most configurations will be very similar to those of the example configurations. ProFTPd uses only one configuration file, "/etc/proftpd.conf". The ProFTPd config file is very similar to Apache's config file. It can be used to configure multiple virtual FTP servers easily, and has chroot capabilities depending on the underlying filesystem. It can run as a standalone server or as an inetd service. It is able to work over IPv6.

From Wikipedia, the free encyclopedia



Example 1:

  • Jan 10 00:00:00 myhost proftpd[12345] myhost.domain.com (123.123.123.123[123.123.123.123]): USER username (Login failed): User in /etc/ftpusers
  • Feb 1 00:00:00 myhost proftpd[12345] myhost.domain.com (123.123.123.123[123.123.123.123]): USER username: no such user found from 123.123.123.123 [123.123.123.123] to 234.234.234.234:21

Example 2:

  • Dec 28 12:50:14 myhost proftpd[12345]: myhost.domain.com (123.123.123.123[123.123.123.123]) - no such user '<wrongUserName>'
  • Dec 28 12:50:14 myhost proftpd[12345]: myhost.domain.com (123.123.123.123[123.123.123.123]) - USER <wrongUserName>: no such user found from 123.123.123.123 [123.123.123.123] to 234.234.234.234:21


Failregex

The regular expressions below are proposed failregex for this software. Multiple regular expressions for failregex will only work with a version of Fail2ban greater than or equal to 0.7.6.

The tag <HOST> in the regular expressions below is just an alias for (?:::f{4,6}:)?(?P<host>\S+). The replacement is done automatically by Fail2ban when adding the regular expression. At the moment, exactly one named group host or <HOST> tag must be present in each regular expression.


Example 1:

  • USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$

Example 2 (two lines):

  • \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+.*$
  • \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password.*$
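
The <HOST> substitution and the proposed expressions can be checked offline against the sample log lines. The following is an added example, not code from Fail2ban or from this page: it expands <HOST> with the alias quoted above, enforces the one-host-group rule, and runs the three proposed failregex entries over the page's four sample lines plus one constructed line that uses an IPv4-mapped address. The names compile_failregex and scan are hypothetical, and applying re.search to the whole line is a simplification of Fail2ban's own line handling.

```python
import re

# Alias Fail2ban substitutes for the <HOST> tag, as quoted on this page.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The three proposed failregex entries from this page, verbatim.
FAILREGEX = [
    r"USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$",
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+.*$",
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password.*$",
]

# Lines 1-4 are the page's sample log lines; line 5 is constructed here to
# exercise the optional "::ffff:" prefix (documentation-range addresses).
SAMPLE_LINES = [
    "Jan 10 00:00:00 myhost proftpd[12345] myhost.domain.com (123.123.123.123[123.123.123.123]): USER username (Login failed): User in /etc/ftpusers",
    "Feb 1 00:00:00 myhost proftpd[12345] myhost.domain.com (123.123.123.123[123.123.123.123]): USER username: no such user found from 123.123.123.123 [123.123.123.123] to 234.234.234.234:21",
    "Dec 28 12:50:14 myhost proftpd[12345]: myhost.domain.com (123.123.123.123[123.123.123.123]) - no such user '<wrongUserName>'",
    "Dec 28 12:50:14 myhost proftpd[12345]: myhost.domain.com (123.123.123.123[123.123.123.123]) - USER <wrongUserName>: no such user found from 123.123.123.123 [123.123.123.123] to 234.234.234.234:21",
    "Mar 3 00:00:00 myhost proftpd[12345]: myhost.domain.com (::ffff:203.0.113.7[::ffff:203.0.113.7]) - USER bob: no such user found from ::ffff:203.0.113.7 [::ffff:203.0.113.7] to ::ffff:192.0.2.1:21",
]

def compile_failregex(patterns):
    """Expand <HOST> and enforce exactly one host group per expression."""
    compiled = []
    for p in patterns:
        if p.count("<HOST>") + p.count("(?P<host>") != 1:
            raise ValueError("need exactly one <HOST> or host group: " + p)
        compiled.append(re.compile(p.replace("<HOST>", HOST_ALIAS)))
    return compiled

def scan(lines, patterns):
    """For each line, list (pattern_index, host) for every matching pattern."""
    compiled = compile_failregex(patterns)
    results = []
    for line in lines:
        hits = []
        for i, rx in enumerate(compiled):
            m = rx.search(line)
            if m:
                hits.append((i, m.group("host")))
        results.append(hits)
    return results

if __name__ == "__main__":
    for line, hits in zip(SAMPLE_LINES, scan(SAMPLE_LINES, FAILREGEX)):
        print(hits or "NO MATCH", "<-", line)
```

On this input the two "no such user found from" sample lines each match the first two expressions, while the "User in /etc/ftpusers" line and the "no such user '<wrongUserName>'" line match none. The constructed ::ffff: line matches only the first expression, because the second requires [0-9.]+ inside the final brackets.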