From: Cyril J. <cyr...@fa...> - 2007-07-19 21:11:12
Could you try this?

# fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/vsftpd.conf

If this works, could you try to disable "ssh-iptables" and only run
"vsftpd-iptables"?

Cheers,

Cyril

P.S. Please, reply to the list too ;)

Luis Esteves wrote:
> Thank you for the quick reply Cyril.
>
> Here is my jail.conf:
>
> # Fail2Ban configuration file
> # Author: Cyril Jaquier
> # $Revision: 552 $
>
> [DEFAULT]
> ignoreip = 127.0.0.1
> bantime = 600
> findtime = 600
> maxretry = 3
> backend = auto
>
> [ssh-iptables]
> enabled = true
> filter = sshd
> action = iptables[name=SSH, port=ssh, protocol=tcp]
>          mail-whois[name=SSH, dest=user@local]
> logpath = /var/log/secure
> maxretry = 3
>
> [vsftpd-iptables]
> enabled = true
> filter = vsftpd
> action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
>          mail-whois[name=VSFTPD, dest=user@local]
> logpath = /var/log/secure
> maxretry = 1
> bantime = 600
>
>
>> -----Original Message-----
>> From: Cyril Jaquier [mailto:cyr...@fa...]
>> Sent: Thursday, July 19, 2007 4:10 PM
>> To: Luis Esteves
>> Cc: fai...@li...
>> Subject: Re: [Fail2ban-users] fail2ban does not ban vsftpd logins on FC 6
>>
>> Hi Luis,
>>
>> Could you post your jail.[conf|local]?
>>
>> Regards,
>>
>> Cyril
>>
>> Luis Esteves wrote:
>>> Hi. I have fail2ban working with SSH but I cannot get vsftpd banning to
>>> work. I get matches (checked with fail2ban-regex) but the IP address is
>>> never banned. What am I doing wrong here? TIA for any help...
>>>
>>> My setup is:
>>>
>>> Fedora Core 6
>>> Fail2Ban v0.8.0
>>> python-2.4.4-1.fc6
>>> iptables-1.3.5-1.2.1
>>> vsftpd-2.0.5-10.fc6
>>>
>>> Both SSH and VSFTPD auth logging goes to: /var/log/secure
>>>
>>> Here is the regex in my vsftpd.conf file:
>>>
>>> failregex = vsftpd: .* authentication failure; .* rhost=<HOST>$
>>>             \[.+\] FAIL LOGIN: Client "<HOST>"$
>>>             \[.+\] \[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$
>>>             \[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$
>>>
>>>
>>> I tried running fail2ban-regex I get matches with the following:
>>>
>>> Running tests
>>> =============
>>>
>>> Use regex line : vsftpd: .* authentication failure; .* rhost=<HOST>
>>> Use log file : /var/log/secure
>>>
>>> Results
>>> =======
>>>
>>> Failregex:
>>> [1] vsftpd: .* authentication failure; .* rhost=<HOST>
>>>
>>> Number of matches:
>>> [1] 5 match(es)
>>>
>>> Addresses found:
>>> [1]
>>>     x.x.x.x (Wed Jul 18 02:38:58 2007)
>>>     x.x.x.x (Thu Jul 19 15:09:43 2007)
>>>     x.x.x.x (Thu Jul 19 15:09:51 2007)
>>>     x.x.x.x (Thu Jul 19 15:10:15 2007)
>>>     x.x.x.x (Thu Jul 19 15:10:30 2007)
>>>
>>> Date template hits:
>>> 5 hit: Month Day Hour:Minute:Second
>>> 0 hit: Weekday Month Day Hour:Minute:Second Year
>>> 0 hit: Weekday Month Day Hour:Minute:Second
>>> 0 hit: Year/Month/Day Hour:Minute:Second
>>> 0 hit: Day/Month/Year:Hour:Minute:Second
>>> 0 hit: Year-Month-Day Hour:Minute:Second
>>> 0 hit: TAI64N
>>> 0 hit: Epoch
>>>
>>> Success, the total number of match is 5
>>>
>>> However, look at the above section 'Running tests' which could contain
>>> important information.
>>>
>>> ==========================
>>>
>>> This is typically what I see in my fail2ban.log file:
>>>
>>> 2007-07-19 15:10:16,020 fail2ban.filter.datedetector: DEBUG Sorting the template list
>>> 2007-07-19 15:10:31,021 fail2ban.filter : DEBUG /var/log/secure has been modified
>>> 2007-07-19 15:10:31,021 fail2ban.filter : DEBUG Opened /var/log/secure
>>> 2007-07-19 15:10:31,022 fail2ban.filter : DEBUG /var/log/secure has been modified
>>> 2007-07-19 15:10:31,022 fail2ban.filter : DEBUG Opened /var/log/secure
>>> 2007-07-19 15:10:31,023 fail2ban.filter : DEBUG Setting file position to 4967L for /var/log/secure
>>> 2007-07-19 15:10:31,040 fail2ban.filter : DEBUG Setting file position to 4967L for /var/log/secure
>>> 2007-07-19 15:10:31,049 fail2ban.filter.datedetector: DEBUG Sorting the template list
>>> 2007-07-19 15:10:31,108 fail2ban.filter.datedetector: DEBUG Sorting the template list
>>> 2007-07-19 15:10:32,050 fail2ban.filter : DEBUG /var/log/secure has been modified
>>> 2007-07-19 15:10:32,050 fail2ban.filter : DEBUG Opened /var/log/secure
>>> 2007-07-19 15:10:32,051 fail2ban.filter : DEBUG Setting file position to 5189L for /var/log/secure
>>> 2007-07-19 15:10:32,051 fail2ban.filter.datedetector: DEBUG Sorting the template list
>>> 2007-07-19 15:10:32,108 fail2ban.filter : DEBUG /var/log/secure has been modified
>>> 2007-07-19 15:10:32,108 fail2ban.filter : DEBUG Opened /var/log/secure
>>> 2007-07-19 15:10:32,109 fail2ban.filter : DEBUG Setting file position to 5296L for /var/log/secure
>>> 2007-07-19 15:10:32,109 fail2ban.filter.datedetector: DEBUG Sorting the template list
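
Added example, not part of the thread and not fail2ban's own code: it applies the failregex lines quoted above to constructed /var/log/secure lines and then counts failures against the findtime and maxretry values of the quoted [vsftpd-iptables] jail. The <HOST> expansion and the "ban at >= maxretry" rule are assumptions about fail2ban 0.8.x, and the host name, users and addresses are made up.

```python
import re
from datetime import datetime, timedelta

# Assumption: fail2ban 0.8.x replaces the <HOST> tag with this group.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# failregex lines exactly as quoted in the thread.
FAILREGEX = [
    r'vsftpd: .* authentication failure; .* rhost=<HOST>$',
    r'\[.+\] FAIL LOGIN: Client "<HOST>"$',
    r'\[.+\] \[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$',
    r'\[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$',
]
FINDTIME, MAXRETRY = 600, 1  # [vsftpd-iptables] values from the quoted jail.conf

# Constructed /var/log/secure lines (documentation addresses), not real data.
PAM = "vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp"
SAMPLE_LOG = "\n".join([
    f"Jul 19 15:09:43 ftp1 {PAM} ruser=alice rhost=192.0.2.10",
    "Jul 19 15:09:51 ftp1 sshd[2101]: Failed password for root from 198.51.100.7 port 4022 ssh2",
    f"Jul 19 15:10:15 ftp1 {PAM} ruser=alice rhost=192.0.2.10",
    f"Jul 19 15:10:30 ftp1 {PAM} ruser=alice rhost=192.0.2.10",
    f"Jul 19 15:40:30 ftp1 {PAM} ruser=bob rhost=192.0.2.77",
])

def find_failures(log_text, year=2007):
    """Return (timestamp, host, failregex number) for every matching line."""
    filters = [re.compile(rx.replace("<HOST>", HOST_TAG)) for rx in FAILREGEX]
    hits = []
    for line in log_text.splitlines():
        for number, rx in enumerate(filters, 1):
            match = rx.search(line)
            if match:
                # syslog timestamps carry no year, so it is supplied here
                ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
                hits.append((ts, match.group("host"), number))
                break
    return hits

def bans(hits, findtime=FINDTIME, maxretry=MAXRETRY):
    """Assumed rule: ban once a host has >= maxretry failures inside findtime."""
    window, recent, banned = timedelta(seconds=findtime), {}, {}
    for ts, host, _ in hits:
        recent[host] = [t for t in recent.get(host, []) if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry and host not in banned:
            banned[host] = ts
    return sorted(banned.items(), key=lambda item: item[1])

if __name__ == "__main__":
    hits = find_failures(SAMPLE_LOG)
    for ts, host, number in hits:
        print(f"failregex [{number}] matched {host} at {ts}")
    print("would ban:", bans(hits))
```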