Woo Hoo!

Glad I could help.




-----Original Message-----
From: Yan Hudon <yan@jaguar-tech.com>
To: fail2ban-users <fail2ban-users@lists.sourceforge.net>
Sent: Fri, Dec 6, 2013 10:21 am
Subject: [Fail2ban-users] Fail2ban partially working

Hi,

I've set up fail2ban on a CentOS server and everything is working fine for my ssh jail (I am receiving alerts and shorewall is banning IPs), but somehow my 2 others, vsftpd and smtp, are processed (I can see that they are by monitoring the log upon startup) but never seem to notice any failed login attempt, and thus never take action.

I have used fail2ban-regex to be sure that my regex were good and they are.

For example, let's take my vsftpd jail :

jail status (it never changes)

[root@gw fail2ban]# fail2ban-client status vsftpd6
Status for the jail: vsftpd6
|- filter
|  |- File list:    /mnt/syslog/10.1.0.6/vsftpd.log
|  |- Currently failed:    0
|  `- Total failed:    0
`- action
   |- Currently banned:    0
   |  `- IP list:   
   `- Total banned:    0


jail.local content

[vsftpd6]

enabled = true
filter = vsftpd
action = shorewall
               sendmail-whois[name=VSFTPD, dest=it@jaguar-tech.com]
logpath = /mnt/syslog/10.1.0.6/vsftpd.log
maxretry = 2
bantime = -1

vsftpd filter regex

failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
            \[.+\] FAIL LOGIN: Client "<HOST>"\s*$

Sample of the vsftpd logfile

[root@gw fail2ban]# tail /mnt/syslog/10.1.0.6/vsftpd.log
Dec  6 10:10:44 ara vsftpd[3673]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:13:26 ara vsftpd[3763]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:22:03 ara vsftpd[3989]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:22:51 ara vsftpd[3989]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:25:24 ara vsftpd[4085]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:25:29 ara vsftpd[4085]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:35:05 ara vsftpd[4334]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:35:47 ara vsftpd[4334]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:38:02 ara vsftpd[4334]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec  6 10:47:16 ara vsftpd[4622]: [yan] FAIL LOGIN: Client "24.100.220.57"

fail2ban-regex results

fail2ban-regex /mnt/syslog/10.1.0.6/vsftpd.log '\[.+\] FAIL LOGIN: Client "<HOST>"\s*$'

Date template hits:
723 hit(s): MONTH Day Hour:Minute:Second

Success, the total number of match is 308

I've been searching for hours but cannot find anything.

Any help will be appreciated.
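
Added example, not part of the original message and not fail2ban's own code: fail2ban-regex only tests the pattern, while a running jail also discards matched lines whose timestamp is older than findtime relative to the fail2ban server's clock. The sketch applies both checks to lines from the post; findtime=600 (the shipped default), the simplified <HOST> expansion and the two reference clocks are assumptions.

```python
import re
from datetime import datetime, timedelta

# Second failregex line from the post. <HOST> is expanded to a simplified
# IPv4-only group here (assumption; fail2ban's own expansion is broader).
FAILREGEX = r'\[.+\] FAIL LOGIN: Client "<HOST>"\s*$'
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))

# Four of the log lines shown in the post.
SAMPLE = [
    'Dec  6 10:35:05 ara vsftpd[4334]: [yan] FAIL LOGIN: Client "24.100.220.57"',
    'Dec  6 10:35:47 ara vsftpd[4334]: [yan] FAIL LOGIN: Client "24.100.220.57"',
    'Dec  6 10:38:02 ara vsftpd[4334]: [yan] FAIL LOGIN: Client "24.100.220.57"',
    'Dec  6 10:47:16 ara vsftpd[4622]: [yan] FAIL LOGIN: Client "24.100.220.57"',
]

def count_failures(lines, now, findtime=600):
    """Return (regex matches, {host: failures still inside the findtime window})."""
    matched, in_window = 0, {}
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue
        matched += 1
        # Syslog timestamps carry no year, so borrow it from the reference clock.
        stamp = datetime.strptime(f"{now.year} {line[:15]}", "%Y %b %d %H:%M:%S")
        if now - stamp > timedelta(seconds=findtime):
            continue  # too old for the jail, although the regex matched
        in_window[m["host"]] = in_window.get(m["host"], 0) + 1
    return matched, in_window

def hosts_to_ban(in_window, maxretry=2):
    """Hosts whose in-window failure count reaches maxretry (2 in the posted jail)."""
    return sorted(h for h, n in in_window.items() if n >= maxretry)

if __name__ == "__main__":
    # Constructed reference clocks: one in step with the log host, one 5 hours ahead.
    for label, now in (("in step", datetime(2013, 12, 6, 10, 48)),
                       ("5 h ahead", datetime(2013, 12, 6, 15, 48))):
        matched, window = count_failures(SAMPLE, now)
        print(label, "matches:", matched, "counted:", window, "ban:", hosts_to_ban(window))
```

With the second clock every line still matches the regex but none is counted, which is the same picture as a jail status stuck at "Total failed: 0".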

