From: Cyril J. <cyr...@fa...> - 2007-07-19 20:10:25

Hi Luis,

Could you post your jail.[conf|local]?

Regards,

Cyril

Luis Esteves wrote:
> Hi. I have fail2ban working with SSH but I cannot get vsftpd banning to
> work. I get matches (checked with fail2ban-regex) but the IP address is
> never banned. What am I doing wrong here? TIA for any help...
>
> My setup is:
>
> Fedora Core 6
> Fail2Ban v0.8.0
> python-2.4.4-1.fc6
> iptables-1.3.5-1.2.1
> vsftpd-2.0.5-10.fc6
>
> Both SSH and VSFTPD auth logging goes to: /var/log/secure
>
> Here is the regex in my vsftpd.conf file:
>
> failregex = vsftpd: .* authentication failure; .* rhost=<HOST>$
>             \[.+\] FAIL LOGIN: Client "<HOST>"$
>             \[.+\] \[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$
>             \[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$
>
> I tried running fail2ban-regex I get matches with the following:
>
> Running tests
> =============
>
> Use regex line : vsftpd: .* authentication failure; .* rhost=<HOST>
> Use log file : /var/log/secure
>
> Results
> =======
>
> Failregex:
> [1] vsftpd: .* authentication failure; .* rhost=<HOST>
>
> Number of matches:
> [1] 5 match(es)
>
> Addresses found:
> [1]
> x.x.x.x (Wed Jul 18 02:38:58 2007)
> x.x.x.x (Thu Jul 19 15:09:43 2007)
> x.x.x.x (Thu Jul 19 15:09:51 2007)
> x.x.x.x (Thu Jul 19 15:10:15 2007)
> x.x.x.x (Thu Jul 19 15:10:30 2007)
>
> Date template hits:
> 5 hit: Month Day Hour:Minute:Second
> 0 hit: Weekday Month Day Hour:Minute:Second Year
> 0 hit: Weekday Month Day Hour:Minute:Second
> 0 hit: Year/Month/Day Hour:Minute:Second
> 0 hit: Day/Month/Year:Hour:Minute:Second
> 0 hit: Year-Month-Day Hour:Minute:Second
> 0 hit: TAI64N
> 0 hit: Epoch
>
> Success, the total number of match is 5
>
> However, look at the above section 'Running tests' which could contain important
> information.
>
> ==========================
>
> This is typically what I see in my fail2ban.log file:
>
> 2007-07-19 15:10:16,020 fail2ban.filter.datedetector: DEBUG Sorting the template list
> 2007-07-19 15:10:31,021 fail2ban.filter : DEBUG /var/log/secure has been modified
> 2007-07-19 15:10:31,021 fail2ban.filter : DEBUG Opened /var/log/secure
> 2007-07-19 15:10:31,022 fail2ban.filter : DEBUG /var/log/secure has been modified
> 2007-07-19 15:10:31,022 fail2ban.filter : DEBUG Opened /var/log/secure
> 2007-07-19 15:10:31,023 fail2ban.filter : DEBUG Setting file position to 4967L for /var/log/secure
> 2007-07-19 15:10:31,040 fail2ban.filter : DEBUG Setting file position to 4967L for /var/log/secure
> 2007-07-19 15:10:31,049 fail2ban.filter.datedetector: DEBUG Sorting the template list
> 2007-07-19 15:10:31,108 fail2ban.filter.datedetector: DEBUG Sorting the template list
> 2007-07-19 15:10:32,050 fail2ban.filter : DEBUG /var/log/secure has been modified
> 2007-07-19 15:10:32,050 fail2ban.filter : DEBUG Opened /var/log/secure
> 2007-07-19 15:10:32,051 fail2ban.filter : DEBUG Setting file position to 5189L for /var/log/secure
> 2007-07-19 15:10:32,051 fail2ban.filter.datedetector: DEBUG Sorting the template list
> 2007-07-19 15:10:32,108 fail2ban.filter : DEBUG /var/log/secure has been modified
> 2007-07-19 15:10:32,108 fail2ban.filter : DEBUG Opened /var/log/secure
> 2007-07-19 15:10:32,109 fail2ban.filter : DEBUG Setting file position to 5296L for /var/log/secure
> 2007-07-19 15:10:32,109 fail2ban.filter.datedetector: DEBUG Sorting the template list
>
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
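
Added example, not part of the thread and not fail2ban's own code: the first failregex in the quoted filter ends in `$`, while the pattern passed to fail2ban-regex does not, so the test exercised a different expression from the deployed one. The sketch below compares the two on constructed log lines; the `<HOST>` expansion is a simplified assumption, and whether the difference matters depends on the real contents of /var/log/secure.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: the real
# expansion differs between fail2ban versions).
HOST = r"(?P<host>\S+)"

# First failregex as written in the quoted filter (ends in $).
DEPLOYED = r"vsftpd: .* authentication failure; .* rhost=<HOST>$"
# Pattern as passed to fail2ban-regex in the quoted test run (no $).
TESTED = r"vsftpd: .* authentication failure; .* rhost=<HOST>"

# Constructed /var/log/secure lines; host name, user and addresses are made up.
SAMPLE_LOG = [
    # rhost= is the last field on the line
    "Jul 19 15:09:43 ftp1 vsftpd: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser=alice rhost=192.0.2.10",
    # a further field follows rhost=
    "Jul 19 15:09:51 ftp1 vsftpd: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser=alice rhost=192.0.2.10  user=alice",
    # unrelated line that neither pattern should match
    "Jul 19 15:10:15 ftp1 sshd[2211]: Accepted password for alice "
    "from 192.0.2.20 port 4022 ssh2",
]


def compile_failregex(pattern):
    """Expand the <HOST> tag and compile the pattern."""
    return re.compile(pattern.replace("<HOST>", HOST))


def hosts(pattern, lines):
    """Return the captured host for each line, or None where it does not match."""
    rx = compile_failregex(pattern)
    found = []
    for line in lines:
        m = rx.search(line)
        found.append(m.group("host") if m else None)
    return found


def only_tested(lines):
    """Lines the tested pattern matches but the deployed pattern misses."""
    deployed = hosts(DEPLOYED, lines)
    tested = hosts(TESTED, lines)
    return [l for l, d, t in zip(lines, deployed, tested) if t and not d]


if __name__ == "__main__":
    print("deployed:", hosts(DEPLOYED, SAMPLE_LOG))
    print("tested:  ", hosts(TESTED, SAMPLE_LOG))
    for line in only_tested(SAMPLE_LOG):
        print("matched only without $:", line)
```

Testing the exact expression from the filter file, trailing `$` included, keeps the fail2ban-regex result representative of what the running jail evaluates.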