Re: [Fail2ban-users] vsftpd date parsing error

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Dave,

Try this REGEX change in /usr/share/fail2ban/server/datedetector.py =
(well, at least it worked for me on March  3!):

[mojo@birch server]$ pwd
/usr/share/fail2ban/server
[mojo@birch server]$
[mojo@birch server]$ diff datedetector.py.orig datedetector.py
54c54
<               template.setRegex("\S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} =
\d{4}")
---
>               template.setRegex("\S{3} \S{3}\s{1,2}\d{1,2} =
\d{2}:\d{2}:\d{2} \d{4}")
[mojo@birch server]$

Harry

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Notes from my README.fail2ban install...

# How to test fail2ban regex matches
[root@birch filter.d]# tail -4  /var/log/vsftpd.log > /tmp/foo.log
[root@birch filter.d]# fail2ban-regex  /tmp/foo.log vsftpd.conf

Running tests
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Use regex file : vsftpd.conf
Use log file   : /tmp/foo.log

Found a match but no valid date/time found for Sat Mar  3 09:54:23 2007 =
[pid 14186] [mojo] FAIL LOGIN: Client "72.9.234.170"
. Please contact the author in order to get support for this format
Found a match but no valid date/time found for Sat Mar  3 09:54:34 2007 =
[pid 14189] [foobar] FAIL LOGIN: Client "72.9.234.170"
. Please contact the author in order to get support for this format

Results
=3D=3D=3D=3D=3D=3D=3D

Failregex:
[1] vsftpd: .* authentication failure; .* rhost=3D<HOST>$
[2] \[.+\] FAIL LOGIN: Client "<HOST>"$

Number of matches:
[1] 0 match(es)
[2] 0 match(es)

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.
[root@birch filter.d]#

# Fixes to deal with missing prepended 0 in /var/log/vsftpd.log
Sat Mar  3 13:25:17 2007 [pid 15757] CONNECT: Client "72.9.234.170"
Sat Mar  3 13:25:26 2007 [pid 15756] [mojo] FAIL LOGIN: Client =
"72.9.234.170"

[root@birch server]# diff datedetector.py.orig datedetector.py
54c54
<               template.setRegex("\S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} =
\d{4}")
---
>               template.setRegex("\S{3} \S{3}\s{1,2}\d{1,2} =
\d{2}:\d{2}:\d{2} \d{4}")
[root@birch server]#

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----Original Message-----
From: fai...@li...
[mailto:fai...@li...]On Behalf Of Dave
Dewey
Sent: Sunday, March 04, 2007 4:47 PM
To: fai...@li...
Subject: [Fail2ban-users] vsftpd date parsing error

Hello;

I'm new to fail2ban, but believe I have it configured correctly.  My =
server is
getting hammered by brute force attacks and this looks like a great =
solution.

Ssh, httpd and postfix appear to work fine. I'm having an issue with the
most important service to me, though - vsftpd.  When I run the
fail2ban-regex against my logfile I get the following output (ip's =
replaced
for privacy):

Running tests
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Use regex file : /etc/fail2ban/filter.d/vsftpd.conf
Use log file   : /var/log/vsftpd.log

Found a match but no valid date/time found for Sat Mar  3 16:14:42 2007 =
[pid
15087] [anonymous] FAIL LOGIN: Client "x.x.x.x"
. Please contact the author in order to get support for this format

Found a match but no valid date/time found for Sat Mar  3 16:14:42 2007 =
[pid
15101] [anonymous] FAIL LOGIN: Client "x.x.x.x"
. Please contact the author in order to get support for this format

Found a match but no valid date/time found for Sun Mar  4 08:38:04 2007 =
[pid
6890] [anonymous] FAIL LOGIN: Client "x.x.x.x"
. Please contact the author in order to get support for this format

Found a match but no valid date/time found for Sun Mar  4 08:38:05 2007 =
[pid
6892] [anonymous] FAIL LOGIN: Client "x.x.x.x"
. Please contact the author in order to get support for this format

Here are snips from the logfile itself:

Sat Mar  3 16:14:42 2007 [pid 15088] CONNECT: Client "x.x.x.x"
Sat Mar  3 16:14:42 2007 [pid 15087] [anonymous] FAIL LOGIN: Client =
"x.x.x.x"

Entry from jail.conf:

[vsftpd-iptables]

enabled  =3D true
filter   =3D vsftpd
action   =3D iptables[name=3Dvsftpd, port=3Dftp, protocol=3Dtcp]
           mail-whois[name=3Dvsftpd, dest=3D...@cy...]
	   logpath  =3D /var/log/vsftpd.log
	   maxretry =3D 6

The filter file is unchanged from the distribution:
failregex =3D vsftpd: .* authentication failure; .* rhost=3D<HOST>$
            \[.+\] FAIL LOGIN: Client "<HOST>"$

Anyone have any ideas?  Thanks for the help, and for what looks like a =
great
program!  Also, anyone written anything for dovecot?  My dovecot server =
had
74,000 invalid brute-force attempts yesterday from the same IP, sheesh.  =
If
not I'll hack something up.

dave

-------------------------------------------------------------------------=

Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share =
your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=3Djoin.php&p=3Dsourceforge&CID=3D=
DEVDEV
_______________________________________________
Fail2ban-users mailing list
Fai...@li...
https://lists.sourceforge.net/lists/listinfo/fail2ban-users