Re: [Fail2ban-users] fail2ban does not ban vsftpd logins on FC 6

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Could you try this?

# fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/vsftpd.conf

If this works, could you try to disable "ssh-iptables" and only run
"vsftpd-iptables"?

Cheers,

Cyril

P.S. Please, reply to the list too ;)

Luis Esteves wrote:
> Thank you for the quick reply Cyril. 
> 
> Here is my jail.conf:
> 
> # Fail2Ban configuration file
> # Author: Cyril Jaquier
> # $Revision: 552 $
> 
> [DEFAULT]
> ignoreip = 127.0.0.1
> bantime  = 600
> findtime  = 600
> maxretry = 3
> backend = auto
> 
> [ssh-iptables]
> enabled  = true
> filter   = sshd
> action   = iptables[name=SSH, port=ssh, protocol=tcp]
>            mail-whois[name=SSH, dest=user@local]
> logpath  = /var/log/secure
> maxretry = 3
> 
> [vsftpd-iptables]
> enabled  = true
> filter   = vsftpd
> action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
>            mail-whois[name=VSFTPD, dest=user@local]
> logpath  = /var/log/secure
> maxretry = 1
> bantime = 600
> 
> 
>> -----Original Message-----
>> From: Cyril Jaquier [mailto:cyr...@fa...]
>> Sent: Thursday, July 19, 2007 4:10 PM
>> To: Luis Esteves
>> Cc: fai...@li...
>> Subject: Re: [Fail2ban-users] fail2ban does not ban vsftpd logins on FC 6
>>
>> Hi Luis,
>>
>> Could you post your jail.[conf|local]?
>>
>> Regards,
>>
>> Cyril
>>
>> Luis Esteves wrote:
>>> Hi. I have fail2ban working with SSH but I cannot get vsftpd banning to
>>> work. I get matches (checked with fail2ban-regex) but the IP address is
>>> never banned. What am I doing wrong here? TIA for any help...
>>>
>>> My setup is:
>>>
>>> Fedora Core 6
>>> Fail2Ban v0.8.0
>>> python-2.4.4-1.fc6
>>> iptables-1.3.5-1.2.1
>>> vsftpd-2.0.5-10.fc6
>>>
>>> Both SSH and VSFTPD auth logging goes to: /var/log/secure
>>>
>>> Here is the regex in my vsftpd.conf file:
>>>
>>> failregex = vsftpd: .* authentication failure; .* rhost=<HOST>$
>>>             \[.+\] FAIL LOGIN: Client "<HOST>"$
>>>             \[.+\] \[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$
>>>             \[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$
>>>
>>>
>>> I tried running fail2ban-regex I get matches with the following:
>>>
>>> Running tests
>>> =============
>>>
>>> Use regex line : vsftpd: .* authentication failure; .* rhost=<HOST>
>>> Use log file   : /var/log/secure
>>>
>>> Results
>>> =======
>>>
>>> Failregex:
>>> [1] vsftpd: .* authentication failure; .* rhost=<HOST>
>>>
>>> Number of matches:
>>> [1] 5 match(es)
>>>
>>> Addresses found:
>>> [1]
>>>     x.x.x.x (Wed Jul 18 02:38:58 2007)
>>>     x.x.x.x (Thu Jul 19 15:09:43 2007)
>>>     x.x.x.x (Thu Jul 19 15:09:51 2007)
>>>     x.x.x.x (Thu Jul 19 15:10:15 2007)
>>>     x.x.x.x (Thu Jul 19 15:10:30 2007)
>>>
>>> Date template hits:
>>> 5 hit: Month Day Hour:Minute:Second
>>> 0 hit: Weekday Month Day Hour:Minute:Second Year
>>> 0 hit: Weekday Month Day Hour:Minute:Second
>>> 0 hit: Year/Month/Day Hour:Minute:Second
>>> 0 hit: Day/Month/Year:Hour:Minute:Second
>>> 0 hit: Year-Month-Day Hour:Minute:Second
>>> 0 hit: TAI64N
>>> 0 hit: Epoch
>>>
>>> Success, the total number of match is 5
>>>
>>> However, look at the above section 'Running tests' which could contain
>>> important
>>> information.
>>>
>>> ==========================
>>>
>>> This is typically what I see in my fail2ban.log file:
>>>
>>> 2007-07-19 15:10:16,020 fail2ban.filter.datedetector: DEBUG  Sorting the
>>> template list
>>> 2007-07-19 15:10:31,021 fail2ban.filter : DEBUG  /var/log/secure has
> been
>>> modified
>>> 2007-07-19 15:10:31,021 fail2ban.filter : DEBUG  Opened /var/log/secure
>>> 2007-07-19 15:10:31,022 fail2ban.filter : DEBUG  /var/log/secure has
> been
>>> modified
>>> 2007-07-19 15:10:31,022 fail2ban.filter : DEBUG  Opened /var/log/secure
>>> 2007-07-19 15:10:31,023 fail2ban.filter : DEBUG  Setting file position
> to
>>> 4967L for /var/log/secure
>>> 2007-07-19 15:10:31,040 fail2ban.filter : DEBUG  Setting file position
> to
>>> 4967L for /var/log/secure
>>> 2007-07-19 15:10:31,049 fail2ban.filter.datedetector: DEBUG  Sorting the
>>> template list
>>> 2007-07-19 15:10:31,108 fail2ban.filter.datedetector: DEBUG  Sorting the
>>> template list
>>> 2007-07-19 15:10:32,050 fail2ban.filter : DEBUG  /var/log/secure has
> been
>>> modified
>>> 2007-07-19 15:10:32,050 fail2ban.filter : DEBUG  Opened /var/log/secure
>>> 2007-07-19 15:10:32,051 fail2ban.filter : DEBUG  Setting file position
> to
>>> 5189L for /var/log/secure
>>> 2007-07-19 15:10:32,051 fail2ban.filter.datedetector: DEBUG  Sorting the
>>> template list
>>> 2007-07-19 15:10:32,108 fail2ban.filter : DEBUG  /var/log/secure has
> been
>>> modified
>>> 2007-07-19 15:10:32,108 fail2ban.filter : DEBUG  Opened /var/log/secure
>>> 2007-07-19 15:10:32,109 fail2ban.filter : DEBUG  Setting file position
> to
>>> 5296L for /var/log/secure
>>> 2007-07-19 15:10:32,109 fail2ban.filter.datedetector: DEBUG  Sorting the
>>> template list
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
> -------------------------------------------------------------------------
>>> This SF.net email is sponsored by: Microsoft
>>> Defy all challenges. Microsoft(R) Visual Studio 2005.
>>> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
>>> _______________________________________________
>>> Fail2ban-users mailing list
>>> Fai...@li...
>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> 
> 
> 