[Logcheck-devel] [PATCH] Added "@" to proftpd "no such user" rules, to catch anonymous at foo.bar

Thu Jan 24 08:44:45 UTC 2008

Signed-off-by: Frédéric Brière <fbriere at fbriere.net>
---
 rulefiles/linux/ignore.d.server/proftpd |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/rulefiles/linux/ignore.d.server/proftpd b/rulefiles/linux/ignore.d.server/proftpd
index 2c08335..430bed7 100644
--- a/rulefiles/linux/ignore.d.server/proftpd
+++ b/rulefiles/linux/ignore.d.server/proftpd
@@ -7,9 +7,9 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) ANON (anonymous|ftp): Login successful.$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) mod_delay/[0-9.]+: delaying for [0-9]+ usecs$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) FTP ((login|session) timed out|no transfer timeout), disconnected$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) USER [-_.[:alnum:]]+: no such user found from [.:_[:alnum:]-]+ \[[.:[:xdigit:]]+\] to [.:[:xdigit:]]+:[[:digit:]]{2,5}$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) USER [-_.@[:alnum:]]+: no such user found from [.:_[:alnum:]-]+ \[[.:[:xdigit:]]+\] to [.:[:xdigit:]]+:[[:digit:]]{2,5}$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) Maximum login attempts \([[:digit:]]+\) exceeded$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) no such user '[-_.[:alnum:]]+'$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) no such user '[-_.@[:alnum:]]+'$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) notice: user ftp: aborting transfer: Data connection closed\.
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+( \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\))?(:| -) error setting IPV6_V6ONLY: Protocol not available$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+( \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\))?(:| -) Preparing to chroot to directory '[-/._[:alnum:]]+'$
-- 
1.5.3.8



