In my jail.local
---------------------
banaction = iptables

action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]

[vsftpd]
enabled  = true
port     = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /media/log/logftp/vsftpd.log
maxretry = 2

In the vsftpd log
-----------------
root@PCrouter:/media/log/logftp# cat vsftpd.log 
Mon Mar 26 14:01:11 2012 [pid 2] CONNECT: Client "172.16.30.2"
Mon Mar 26 14:01:12 2012 [pid 1] [sfse] FAIL LOGIN: Client "172.16.30.2"
Mon Mar 26 14:01:16 2012 [pid 2] CONNECT: Client "172.16.30.2"
Mon Mar 26 14:01:18 2012 [pid 1] [sfse] FAIL LOGIN: Client "172.16.30.2"
Mon Mar 26 14:01:22 2012 [pid 2] CONNECT: Client "172.16.30.2"
Mon Mar 26 14:01:24 2012 [pid 1] [sfse] FAIL LOGIN: Client "172.16.30.2"

I did a test with fail2ban-regex, and the result:
Running tests
=============
Use regex file : /etc/fail2ban/filter.d/vsftpd.conf
Use log file   : /media/log/logftp/vsftpd.log
Results =======
Failregex
|- Regular expressions:
|  [1] vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
|  [2] \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
|
`- Number of matches:
    [1] 0 match(es)
    [2] 3 match(es)
Ignoreregex
|- Regular expressions:
| `- Number of matches:
Summary
=======
Addresses found:
[1]
[2]
     172.16.30.2 (Mon Mar 26 14:01:12 2007)
     172.16.30.2 (Mon Mar 26 14:01:18 2007)
     172.16.30.2 (Mon Mar 26 14:01:24 2007)
Date template hits:
15 hit(s): MONTH Day Hour:Minute:Second
Success, the total number of match is 3

But iptables did not ban the IP:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
fail2ban-vsftpd  tcp  --  anywhere             anywhere            multiport dports ftp,ftp-data,ftps,ftps-data

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain fail2ban-vsftpd (1 references)
target     prot opt source               destination        
RETURN     all  --  anywhere             anywhere


From: Rudy Rinaldi <rudy_pcrti@yahoo.com>
To: "fail2ban-users@lists.sourceforge.net" <fail2ban-users@lists.sourceforge.net>
Sent: Monday, 26 March 2012 23:07
Subject: [Fail2ban-users] Re: Re: please help me


From: Yaroslav Halchenko <lists@onerussian.com>
To: Rudy Rinaldi <rudy_pcrti@yahoo.com>
Sent: Monday, 26 March 2012 22:55
Subject: Re: Re: [Fail2ban-users] please help me

come on Rudy -- how are you expecting anyone to give you the solution
if you are providing NO information on your setup, no logs (from
fail2ban etc), etc.

also -- please do not email me directly, but post them on the list

On Mon, 26 Mar 2012, Rudy Rinaldi wrote:

>    I've configured fail2ban on the firewall, but there's no action on fail2ban
>    after performing a log file checker in shared from each server.
>    Please give me the solution.

>    --------------------------------------------------------------------------

>    From: Yaroslav Halchenko <lists@onerussian.com>
>    To: fail2ban-users@lists.sourceforge.net
>    Sent: Monday, 26 March 2012 21:51
>    Subject: Re: [Fail2ban-users] please help me
>    well -- my answer would be "Yes (I guess)" ;)

>    On Mon, 26 Mar 2012, Rudy Rinaldi wrote:

>    >    I want to ask about fail2ban.
>    >    Should fail2ban be installed on each service? (e.g. vsftpd, ssh, etc.)
>    >    I have 3 servers like ssh, ftp, and web.
>    >    If I install fail2ban on the firewall, can it protect those servers?
>    >    I've shared log files on each server using NFS.
--
Yaroslav O. Halchenko
Postdoctoral Fellow,  Department of Psychological and Brain Sciences
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834                      Fax: +1 (603) 646-1419
WWW:  http://www.linkedin.com/in/yarik       
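
An added example, not part of the original thread: a Python replay of failregex [2] over the posted vsftpd lines, counting failures per client against `maxretry = 2`. The `<HOST>` substitution is a simplified IPv4 group, the 600-second `findtime` is an assumption (the post does not show it), and the `192.0.2.10` line is constructed.

```python
import re
from datetime import datetime, timedelta

# Failregex [2] as printed by fail2ban-regex in the post.
FAILREGEX = r'\[.+\] FAIL LOGIN: Client "<HOST>"\s*$'
# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST_GROUP = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))
# vsftpd timestamp prefix, e.g. "Mon Mar 26 14:01:12 2012".
STAMP = re.compile(r'^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) ')

# Lines for 172.16.30.2 are from the post; the 192.0.2.10 line is constructed.
SAMPLE_LOG = '''\
Mon Mar 26 14:01:11 2012 [pid 2] CONNECT: Client "172.16.30.2"
Mon Mar 26 14:01:12 2012 [pid 1] [sfse] FAIL LOGIN: Client "172.16.30.2"
Mon Mar 26 14:01:14 2012 [pid 1] [test] FAIL LOGIN: Client "192.0.2.10"
Mon Mar 26 14:01:16 2012 [pid 2] CONNECT: Client "172.16.30.2"
Mon Mar 26 14:01:18 2012 [pid 1] [sfse] FAIL LOGIN: Client "172.16.30.2"
Mon Mar 26 14:01:22 2012 [pid 2] CONNECT: Client "172.16.30.2"
Mon Mar 26 14:01:24 2012 [pid 1] [sfse] FAIL LOGIN: Client "172.16.30.2"
'''

def hosts_reaching_maxretry(log_text, maxretry=2, findtime=600):
    """Map each host to the time its failures first reach maxretry within findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = {}   # host -> failure times still inside the window
    reached = {}  # host -> time of the failure that hit the threshold
    for line in log_text.splitlines():
        stamp = STAMP.match(line)
        hit = PATTERN.search(line)
        if not (stamp and hit):
            continue  # CONNECT lines and unparsable lines are not failures
        when = datetime.strptime(stamp.group(1), "%a %b %d %H:%M:%S %Y")
        host = hit.group("host")
        # Drop failures that have aged out of the findtime window.
        times = [t for t in recent.get(host, []) if when - t <= window]
        times.append(when)
        recent[host] = times
        if len(times) >= maxretry and host not in reached:
            reached[host] = when
    return reached

if __name__ == "__main__":
    for host, when in hosts_reaching_maxretry(SAMPLE_LOG).items():
        print(f"{host} reaches maxretry at {when}")
```

If a host is reported here but no rule appears in the `fail2ban-vsftpd` chain, the failregex is not what is stopping the ban, and fail2ban's own log (which the reply asks for) is the next thing to read.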


