Log Entry: note I've replaced my IP with aa.bb.cc.dd
May 8 09:15:10 mail proftpd: localhost (purple.srv2.com[::ffff:126.96.36.199]) - USER
administrator: no such user found from purple.srv2.com [::ffff:188.8.131.52] to
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to
Basically, the failregex is a regular expression that matches the line you're looking for
in the log file, and the <HOST> tag in it tells fail2ban where to capture the offending IP.
I then have the following in my jail.conf:
enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
logpath = /var/log/messages
maxretry = 6
bantime = 3600
filter: tells fail2ban which filter regex to use
action: tells fail2ban to use iptables to implement any blocks and emails me whois data for the
logpath: the log file to monitor
maxretry: how many times the IP must match in the log file before action is taken; remember
that people make mistakes, so a legitimate user could put the wrong password in a couple of times.
bantime: the length of time the ban is applied for, in seconds.
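To show how fail2ban applies this filter, here is an added example (my own code, not from the post and not fail2ban's own source) that compiles the failregex with a simplified stand-in for fail2ban's <HOST> expansion, runs it over constructed ProFTPD log lines, and counts failures per host against maxretry inside a findtime window. HOST_RE, the fixed year 2024 and the sample hostnames/addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The failregex from the post. fail2ban replaces the <HOST> tag with its own
# host-matching pattern before compiling; HOST_RE is a simplified, assumed
# stand-in (hostname or IPv4, with the optional IPv4-mapped "::ffff:" prefix
# that ProFTPD writes, as in the log line above).
FAILREGEX = r"\(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to"
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
SYSLOG_TS = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)")


def compile_failregex(failregex: str) -> re.Pattern:
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_line(line: str, pattern: re.Pattern):
    """Return (timestamp, host) for a line matching the failregex, else None."""
    m = pattern.search(line)
    ts = SYSLOG_TS.match(line)
    if not m or not ts:
        return None
    # syslog timestamps carry no year; 2024 is assumed for this constructed data
    when = datetime.strptime(ts.group(1), "%b %d %H:%M:%S").replace(year=2024)
    return when, m.group("host")


def hosts_to_ban(lines, maxretry: int, findtime: int = 600):
    """Hosts that reach maxretry failures inside any findtime-second window."""
    pattern = compile_failregex(FAILREGEX)
    seen = defaultdict(list)   # host -> timestamps still inside the window
    banned = set()
    for line in lines:
        parsed = parse_line(line, pattern)
        if parsed is None:     # successful logins etc. never count
            continue
        when, host = parsed
        window = [t for t in seen[host] if when - t <= timedelta(seconds=findtime)]
        window.append(when)
        seen[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return sorted(banned)


def fail_line(minute: int, name: str, ip: str) -> str:
    """Constructed ProFTPD 'no such user' line (documentation-range addresses)."""
    return (f"Mar  1 10:{minute:02d}:00 mail proftpd: localhost ({name}[::ffff:{ip}]) - USER "
            f"administrator: no such user found from {name} [::ffff:{ip}] to 192.0.2.10:21")


SAMPLE_LOG = [fail_line(m, "bad.example", "203.0.113.5") for m in range(6)] + [
    fail_line(0, "slow.example", "198.51.100.7"),
    fail_line(30, "slow.example", "198.51.100.7"),
    "Mar  1 10:31:00 mail proftpd: localhost (ok.example[::ffff:192.0.2.55]) - USER alice: Login successful.",
]
```

With the post's maxretry = 6 only the host that fails six times within the window gets banned; the two spaced-out attempts and the successful login do not.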
Thanks very much.