
#31 Here's how to configure for vsftpd support

open
nobody
5
2009-10-18
2009-10-18
No

Here's what I think is missing in the documentation in order to add vsftpd tracking to DenyHosts.

Step 1: add a USERDEF_FAILED_ENTRY_REGEX entry as described in the FAQ. This one works for vsftpd-2.0.7-2.fc10.x86_64:

USERDEF_FAILED_ENTRY_REGEX=.*\(vsftpd:auth\).* authentication failure.* ruser=(?P<user>\S+)\s+rhost=(?P<host>\S+)

Step 2: override the SSHD_FORMAT_REGEX to include the vsftpd service. This is a top-level filter; without the override, the vsftpd entries will be filtered out before the USERDEF_FAILED_ENTRY_REGEX is ever applied to the log entry. This is what I am using:

SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|vsftpd:) (?P<message>.*)

I think this solution is not complete because:
- I think this might disable bots (like Google) if you don't have anonymous logins, since the anonymous login will be marked as an authentication failure.
- The regex may need to be more generalized for different versions of vsftpd.
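
The two-stage filtering described in the post, as an added example (not part of the original ticket and not DenyHosts' own code): a line must first pass the service filter, and only its message part is then tested against the failed-entry regex. The log lines are constructed, and `SSHD_FORMAT_STOCK` is an assumed stand-in for the filter without the vsftpd alternative.

```python
import re

# Patterns copied from the post above.
SSHD_FORMAT_OVERRIDE = re.compile(r".* (sshd.*:|\[sshd\]|vsftpd:) (?P<message>.*)")
USERDEF_FAILED_ENTRY = re.compile(
    r".*\(vsftpd:auth\).* authentication failure.* "
    r"ruser=(?P<user>\S+)\s+rhost=(?P<host>\S+)"
)
# Assumption: the same filter minus the vsftpd alternative, standing in
# for a configuration where Step 2 was not applied.
SSHD_FORMAT_STOCK = re.compile(r".* (sshd.*:|\[sshd\]) (?P<message>.*)")

# Constructed sample lines (documentation IP range); real vsftpd/PAM
# output can differ between versions.
VSFTPD_FAIL = ("Oct 18 10:15:42 ftp1 vsftpd: pam_unix(vsftpd:auth): "
               "authentication failure; logname= uid=0 euid=0 tty=ftp "
               "ruser=alice rhost=203.0.113.7")
VSFTPD_EMPTY_RUSER = VSFTPD_FAIL.replace("ruser=alice", "ruser=")
SSHD_FAIL = ("Oct 18 10:16:01 ftp1 sshd[2211]: Failed password for root "
             "from 203.0.113.7 port 40022 ssh2")


def classify(line, format_regex):
    """Apply the service filter, then the user-defined failure regex.

    Returns "filtered" if the service filter drops the line, "unmatched"
    if it passes the filter but the failure regex does not hit, or a
    (user, host) tuple when a failed vsftpd login is recognised.
    """
    passed = format_regex.match(line)
    if passed is None:
        return "filtered"
    hit = USERDEF_FAILED_ENTRY.search(passed.group("message"))
    if hit is None:
        return "unmatched"
    return (hit.group("user"), hit.group("host"))


if __name__ == "__main__":
    for name, rx in (("stock", SSHD_FORMAT_STOCK),
                     ("override", SSHD_FORMAT_OVERRIDE)):
        for line in (VSFTPD_FAIL, VSFTPD_EMPTY_RUSER, SSHD_FAIL):
            print(f"{name:8} {classify(line, rx)!s:28} {line[:40]}...")
```

The empty-`ruser` case shows one way the pattern can miss a line: `(?P<user>\S+)` requires at least one non-space character, so such an entry passes the service filter but is never counted.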
