hi, here is a template that seems to work for me with
vsftpd:
[VSFTPD]
# Option: enabled
# Notes.: enable monitoring for this section.
# Values: [true | false] Default: true
#
enabled = true
# Option: logfile
# Notes.: logfile to monitor.
# Values: FILE Default: /var/log/secure
#
logfile = /var/log/vsftpd.log
# Option: fwstart
# Notes.: command executed once at the start of Fail2Ban
# Values: CMD Default:
#
fwstart = iptables -N fail2ban-vsftpd
          iptables -I INPUT -p tcp --dport ftp -j fail2ban-vsftpd
          iptables -A fail2ban-vsftpd -j RETURN
# Option: fwend
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD Default:
#
fwend = iptables -D INPUT -p tcp --dport ftp -j fail2ban-vsftpd
        iptables -F fail2ban-vsftpd
        iptables -X fail2ban-vsftpd
# Option: fwcheck
# Notes.: command executed once before each fwban command
# Values: CMD Default:
#
fwcheck = iptables -L INPUT | grep -q fail2ban-vsftpd
# Option: fwbanrule
# Notes.: command executed when banning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
#       <failures> number of failures
#       <failtime> unix timestamp of the last failure
#       <bantime> unix timestamp of the ban time
# Values: CMD
# Default: iptables -I INPUT 1 -s <ip> -j DROP
#
fwban = iptables -I fail2ban-vsftpd 1 -s <ip> -j DROP
# Option: fwunbanrule
# Notes.: command executed when unbanning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
#       <bantime> unix timestamp of the ban time
#       <unbantime> unix timestamp of the unban time
# Values: CMD
# Default: iptables -D INPUT -s <ip> -j DROP
#
fwunban = iptables -D fail2ban-vsftpd -s <ip> -j DROP
# Option: timeregex
# Notes.: regex to match timestamp in VSFTPD logfile.
# Values: [Mar 7 17:53:28]
# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
#
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
# Option: timepattern
# Notes.: format used in "timeregex" fields definition. Note that '%' must be
#         escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule)
# Values: TEXT Default: %%b %%d %%H:%%M:%%S
#
timepattern = %%b %%d %%H:%%M:%%S
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT Default: Authentication failure|Failed password|Invalid user
#
failregex = FAIL LOGIN
Logged In: YES
user_id=933467
Thank you. Added to CVS. Will be in 0.6.1
Logged In: YES
user_id=930060
Can you please show us what settings you used for the
vsftpd server?
In particular, can you display the settings you used
for /etc/vsftpd/vsftpd.conf that enabled vsftpd to generate
login failure messages with the correct timestamps in a
format that could be recognized by fail2ban?
Much tnx!
Harry
Logged In: YES
user_id=1442281
my vsftpd config is nothing special i think.
my sw versions:
sys-apps/iproute2 2.6.11.20050310-r1
net-firewall/shorewall 2.4.2
net-analyzer/fail2ban 0.6.0
sys-kernel/gentoo-sources 2.6.12-r6
net-ftp/vsftpd 2.0.3-r1
when i try to login with ftp several times, my ip gets
banned. or am i wrong?
here is what fail2ban.log says:
2006-02-15 14:54:21,801 INFO: VSFTPD: 89.53.40.xxx has 5
login failure(s). Banned.
2006-02-15 14:54:21,802 WARNING: VSFTPD: Ban 89.53.40.xxx
here is the output of 'cat /etc/vsftpd.conf | grep -v "#"':
background=YES
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
connect_from_port_20=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
nopriv_user=nobody
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
chroot_local_user=YES
Logged In: YES
user_id=933467
Local time problem seems to be related to chroot. A
"etc/localtime" file needs to be present in the chrooted
environment. Please look at:
http://groups.google.com/group/novell.support.suse.linux.enterprise-server/browse_thread/thread/17d3ff88e32465fd/74b6b7ab9612f231?lnk=st&q=vsftpd+localtime&rnum=1&hl=en#74b6b7ab9612f231
Logged In: YES
user_id=930060
Much tnx for the configuration file info!
This helped identify the culprit: The following
configuration option:
log_ftp_protocol=YES
appears to cause some FTP Protocol commands to be logged in
GMT instead of local time, which is inconsistent with all
the other vsftpd logging that takes place. This behavior
causes fail2ban to miss the authentication failures,
because it is using the wrong timestamps. After dropping
this option, fail2ban started working on my server as
advertised!
(The only downside is that my log files are missing the FTP
file xfer info I wanted to log. I filed a bug report on
http://freshmeat.net/projects/vsftpd/, hopefully this
problem will be addressed by the vsftpd developers)
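The following is an added example, not code from this tracker thread or from fail2ban itself. It replays the template's timeregex, timepattern and failregex from the first post over constructed vsftpd.log lines and applies a fail2ban-0.6-style "failures within findtime" count, to show why log lines stamped in GMT (the log_ftp_protocol issue above) are silently ignored: they look an hour old and fall outside the window. The findtime window, the year, the IP addresses and the "Client" field layout are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns taken from the [VSFTPD] template in this thread ('%%' unescaped to '%').
TIMEREGEX = re.compile(r"\S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}")
TIMEPATTERN = "%b %d %H:%M:%S"
FAILREGEX = re.compile(r"FAIL LOGIN")
CLIENT_RE = re.compile(r'Client "([\d.]+)"')  # assumed vsftpd.log layout, see sample below
FINDTIME = timedelta(minutes=10)             # assumed window (fail2ban 0.6 findtime)
MAXRETRY = 5                                 # matches "has 5 login failure(s)" in the thread
YEAR = 2006                                  # these timestamps carry no year

def parse_failure(line):
    """Return (datetime, ip) if the line is a login failure, else None."""
    if not FAILREGEX.search(line):
        return None
    t, c = TIMEREGEX.search(line), CLIENT_RE.search(line)
    if not (t and c):
        return None
    return datetime.strptime(t.group(0), TIMEPATTERN).replace(year=YEAR), c.group(1)

def find_bans(lines, now):
    """Count failures per IP inside [now - FINDTIME, now]; return IPs at/over MAXRETRY."""
    hits = defaultdict(int)
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        stamp, ip = parsed
        if now - FINDTIME <= stamp <= now:   # stale (or mis-zoned) stamps never count
            hits[ip] += 1
    return sorted(ip for ip, n in hits.items() if n >= MAXRETRY)

# Constructed sample: five failures stamped in local time, then five failures from a
# second client as they would appear if vsftpd stamped them in GMT (local = GMT+1 here).
LOCAL_LINES = [f'Wed Feb 15 14:5{i}:00 2006 [pid 100{i}] [ftp] FAIL LOGIN: Client "192.0.2.10"'
               for i in range(5)]
GMT_LINES = [f'Wed Feb 15 13:5{i}:00 2006 [pid 200{i}] [ftp] FAIL LOGIN: Client "192.0.2.77"'
             for i in range(5)]
NOW = datetime(2006, 2, 15, 14, 54, 21)      # the moment of the ban in the posted fail2ban.log

if __name__ == "__main__":
    print(find_bans(LOCAL_LINES, NOW))               # ['192.0.2.10']
    print(find_bans(LOCAL_LINES + GMT_LINES, NOW))   # still ['192.0.2.10']: GMT lines look an hour old
```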