
#10 support for vsftpd

closed-accepted
nobody
None
5
2006-02-16
2006-02-02
kaazoo
No

hi, here is a template that seems to work for me with
vsftpd:

[VSFTPD]
# Option: enabled
# Notes.: enable monitoring for this section.
# Values: [true | false] Default: true
#
enabled = true

# Option: logfile
# Notes.: logfile to monitor.
# Values: FILE Default: /var/log/secure
#
logfile = /var/log/vsftpd.log

# Option: fwstart
# Notes.: command executed once at the start of Fail2Ban
# Values: CMD Default:
#
fwstart = iptables -N fail2ban-vsftpd
          iptables -I INPUT -p tcp --dport ftp -j fail2ban-vsftpd
          iptables -A fail2ban-vsftpd -j RETURN

# Option: fwend
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD Default:
#
fwend = iptables -D INPUT -p tcp --dport ftp -j fail2ban-vsftpd
        iptables -F fail2ban-vsftpd
        iptables -X fail2ban-vsftpd

# Option: fwcheck
# Notes.: command executed once before each fwban command
# Values: CMD Default:
#
fwcheck = iptables -L INPUT | grep -q fail2ban-vsftpd

# Option: fwbanrule
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <failtime> unix timestamp of the last failure
# <bantime> unix timestamp of the ban time
# Values: CMD
# Default: iptables -I INPUT 1 -s <ip> -j DROP
#
fwban = iptables -I fail2ban-vsftpd 1 -s <ip> -j DROP

# Option: fwunbanrule
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <bantime> unix timestamp of the ban time
# <unbantime> unix timestamp of the unban time
# Values: CMD
# Default: iptables -D INPUT -s <ip> -j DROP
#
fwunban = iptables -D fail2ban-vsftpd -s <ip> -j DROP

# Option: timeregex
# Notes.: regex to match timestamp in VSFTPD logfile.
# Values: [Mar 7 17:53:28]
# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
#
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}

# Option: timepattern
# Notes.: format used in "timeregex" fields definition. Note that '%' must be
# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule)
# Values: TEXT Default: %%b %%d %%H:%%M:%%S
#
timepattern = %%b %%d %%H:%%M:%%S

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT Default: Authentication failure|Failed password|Invalid user
#
failregex = FAIL LOGIN

Discussion

  • Cyril Jaquier

    Cyril Jaquier - 2006-02-11

    Logged In: YES
    user_id=933467

    Thank you. Added to CVS. Will be in 0.6.1

     
  • Cyril Jaquier

    Cyril Jaquier - 2006-02-11
    • status: open --> closed-accepted
     
  • Harry Rarig

    Harry Rarig - 2006-02-15

    Logged In: YES
    user_id=930060

    Can you please show us what settings you used for the
    vsftpd server?

    In particular, can you display the settings you used
    for /etc/vsftpd/vsftpd.conf that enabled vsftpd to generate
    login failure messages with the correct timestamps in a
    format that could be recognized by fail2ban?

    Much tnx!

    Harry

     
  • kaazoo

    kaazoo - 2006-02-15

    Logged In: YES
    user_id=1442281

    my vsftpd config is nothing special i think.

    my sw versions:

    sys-apps/iproute2 2.6.11.20050310-r1
    net-firewall/shorewall 2.4.2
    net-analyzer/fail2ban 0.6.0
    sys-kernel/gentoo-sources 2.6.12-r6
    net-ftp/vsftpd 2.0.3-r1

    when i try to login with ftp several times, my ip gets
    banned. or am i wrong?

    here is what fail2ban.log says:

    2006-02-15 14:54:21,801 INFO: VSFTPD: 89.53.40.xxx has 5 login failure(s). Banned.
    2006-02-15 14:54:21,802 WARNING: VSFTPD: Ban 89.53.40.xxx

    here is the output of 'cat /etc/vsftpd.conf | grep -v "#"':

    background=YES
    listen=YES
    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    connect_from_port_20=YES
    xferlog_enable=YES
    xferlog_file=/var/log/vsftpd.log
    nopriv_user=nobody
    chroot_list_enable=YES
    chroot_list_file=/etc/vsftpd/chroot_list
    chroot_local_user=YES

     
  • kaazoo

    kaazoo - 2006-02-15
    • status: closed-accepted --> open-accepted
     
  • Harry Rarig

    Harry Rarig - 2006-02-16

    Logged In: YES
    user_id=930060

    Much tnx for the configuration file info!

    This helped identify the culprit: The following
    configuration option:

    log_ftp_protocol=YES

    appears to cause some FTP Protocol commands to be logged in
    GMT instead of local time, which is inconsistent with all
    the other vsftpd logging that takes place. This behavior
    causes fail2ban to miss the authentication failures,
    because it is using the wrong timestamps. After dropping
    this option, fail2ban started working on my server as
    advertised!

    (The only downside is that my log files are missing the FTP
    file xfer info I wanted to log. I filed a bug report on
    http://freshmeat.net/projects/vsftpd/, hopefully this
    problem will be addressed by the vsftpd developers)
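
A simplified model of the timestamp problem described in the comment above, added here as an example (it is not fail2ban's own code and not part of the original thread): it applies the template's `timeregex`, `timepattern` and `failregex` to constructed vsftpd-style lines and counts failures inside a time window. The `FINDTIME` value, the `Client "..."` extraction and the log line layout are assumptions.

```python
import calendar
import re
import time
from collections import Counter

# Values taken from the [VSFTPD] template on this page
# ('%%' in the config file is a literal '%').
TIMEREGEX = r"\S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}"
TIMEPATTERN = "%b %d %H:%M:%S"
FAILREGEX = r"FAIL LOGIN"

# Assumptions for this sketch, not taken from the page.
FINDTIME = 600       # seconds a failure is still counted
MAXFAILURES = 5      # failures needed for a ban
CLIENT_RE = re.compile(r'Client "([0-9.]+)"')

def wall_clock(stamp, year):
    """Seconds for a log timestamp, read as naive wall-clock time."""
    return calendar.timegm(time.strptime(f"{year} {stamp}", "%Y " + TIMEPATTERN))

def banned(lines, now, year):
    """IPs with at least MAXFAILURES failure lines stamped within FINDTIME of now."""
    hits = Counter()
    for line in lines:
        stamp = re.search(TIMEREGEX, line)
        client = CLIENT_RE.search(line)
        if not (stamp and client and re.search(FAILREGEX, line)):
            continue
        age = now - wall_clock(stamp.group(), year)
        if 0 <= age <= FINDTIME:   # stale or future-stamped lines are dropped
            hits[client.group(1)] += 1
    return sorted(ip for ip, n in hits.items() if n >= MAXFAILURES)

def sample(hour):
    """Five constructed vsftpd-style failure lines stamped at the given hour."""
    return [f'Wed Feb 15 {hour:02d}:54:{sec:02d} 2006 [pid 4242] [alice] '
            f'FAIL LOGIN: Client "192.0.2.10"' for sec in range(10, 15)]

# The monitor's clock, in the server's local time (constructed).
NOW = wall_clock("Feb 15 14:55:00", 2006)

if __name__ == "__main__":
    print("local-time stamps:", banned(sample(14), NOW, 2006))
    print("GMT stamps on a UTC+1 host:", banned(sample(13), NOW, 2006))
```

When a log mixes time zones, comparing the timestamp of a fresh failure line against the system clock shows the offset before any ban logic is involved.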

     
  • Cyril Jaquier

    Cyril Jaquier - 2006-02-16
    • status: open-accepted --> closed-accepted
     
