Regexp: ProFTPD auth-logs

Question

I've configurated ProFTPD to log all authentifications on a Plesk powered server. This setting is not set by default since Plesk 10 (whyever...). I want to configure fail2ban, to detect unsuccessful login-attempts for Brute Force prevention.

/etc/proftpd.include:

ExtendedLog         /var/log/proftpd/auth.log AUTH auth 
LogFormat           auth "%v [%h] %s"

Example of unsuccessfull login (530):

/var/log/proftpd/auth.log:

ProFTPD [12.89.47.3] 331
ProFTPD [12.89.47.3] 530

What's the correct regexp for fail2ban ? My configuration seems not to match the pattern:

/etc/fail2ban/filter.d/proftpd.conf:

failregex = ProFTPD(.)+\[<HOST>\] 530$

<HOST> seems to be a fail2ban variable, and $ ends up a rule (if you want to set several rules inside the failregex = variable).

Answer 1

For me the following is working on Plesk 10.4.

proftpd.include:

ExtendedLog         /var/log/proftpd/auth.log AUTH auth
LogFormat           auth "%v %t \"%r\" [%h] %s"

/etc/fail2ban/filter.d/proftpd.conf:

failregex = \[<HOST>\]\s+530$