From: Luis E. <tu...@as...> - 2007-07-19 20:02:54
Hi. I have fail2ban working with SSH but I cannot get vsftpd banning to work. I get matches (checked with fail2ban-regex) but the IP address is never banned. What am I doing wrong here? TIA for any help...

My setup is:

Fedora Core 6
Fail2Ban v0.8.0
python-2.4.4-1.fc6
iptables-1.3.5-1.2.1
vsftpd-2.0.5-10.fc6

Both SSH and VSFTPD auth logging goes to: /var/log/secure

Here is the regex in my vsftpd.conf file:

failregex = vsftpd: .* authentication failure; .* rhost=<HOST>$
            \[.+\] FAIL LOGIN: Client "<HOST>"$
            \[.+\] \[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$
            \[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$

I tried running fail2ban-regex and I get matches with the following:

Running tests
=============

Use regex line : vsftpd: .* authentication failure; .* rhost=<HOST>
Use log file   : /var/log/secure

Results
=======

Failregex:
[1] vsftpd: .* authentication failure; .* rhost=<HOST>

Number of matches:
[1] 5 match(es)

Addresses found:
[1]
    x.x.x.x (Wed Jul 18 02:38:58 2007)
    x.x.x.x (Thu Jul 19 15:09:43 2007)
    x.x.x.x (Thu Jul 19 15:09:51 2007)
    x.x.x.x (Thu Jul 19 15:10:15 2007)
    x.x.x.x (Thu Jul 19 15:10:30 2007)

Date template hits:
5 hit: Month Day Hour:Minute:Second
0 hit: Weekday Month Day Hour:Minute:Second Year
0 hit: Weekday Month Day Hour:Minute:Second
0 hit: Year/Month/Day Hour:Minute:Second
0 hit: Day/Month/Year:Hour:Minute:Second
0 hit: Year-Month-Day Hour:Minute:Second
0 hit: TAI64N
0 hit: Epoch

Success, the total number of match is 5

However, look at the above section 'Running tests' which could contain important information.

==========================

This is typically what I see in my fail2ban.log file:

2007-07-19 15:10:16,020 fail2ban.filter.datedetector: DEBUG Sorting the template list
2007-07-19 15:10:31,021 fail2ban.filter : DEBUG /var/log/secure has been modified
2007-07-19 15:10:31,021 fail2ban.filter : DEBUG Opened /var/log/secure
2007-07-19 15:10:31,022 fail2ban.filter : DEBUG /var/log/secure has been modified
2007-07-19 15:10:31,022 fail2ban.filter : DEBUG Opened /var/log/secure
2007-07-19 15:10:31,023 fail2ban.filter : DEBUG Setting file position to 4967L for /var/log/secure
2007-07-19 15:10:31,040 fail2ban.filter : DEBUG Setting file position to 4967L for /var/log/secure
2007-07-19 15:10:31,049 fail2ban.filter.datedetector: DEBUG Sorting the template list
2007-07-19 15:10:31,108 fail2ban.filter.datedetector: DEBUG Sorting the template list
2007-07-19 15:10:32,050 fail2ban.filter : DEBUG /var/log/secure has been modified
2007-07-19 15:10:32,050 fail2ban.filter : DEBUG Opened /var/log/secure
2007-07-19 15:10:32,051 fail2ban.filter : DEBUG Setting file position to 5189L for /var/log/secure
2007-07-19 15:10:32,051 fail2ban.filter.datedetector: DEBUG Sorting the template list
2007-07-19 15:10:32,108 fail2ban.filter : DEBUG /var/log/secure has been modified
2007-07-19 15:10:32,108 fail2ban.filter : DEBUG Opened /var/log/secure
2007-07-19 15:10:32,109 fail2ban.filter : DEBUG Setting file position to 5296L for /var/log/secure
2007-07-19 15:10:32,109 fail2ban.filter.datedetector: DEBUG Sorting the template list
From: Cyril J. <cyr...@fa...> - 2007-07-19 20:10:25
Hi Luis,

Could you post your jail.[conf|local]?

Regards,

Cyril

Luis Esteves wrote:
> Hi. I have fail2ban working with SSH but I cannot get vsftpd banning to
> work. I get matches (checked with fail2ban-regex) but the IP address is
> never banned. What am I doing wrong here? TIA for any help...
> [...]
>
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
From: Cyril J. <cyr...@fa...> - 2007-07-19 21:11:12
Could you try this?

# fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/vsftpd.conf

If this works, could you try to disable "ssh-iptables" and only run "vsftpd-iptables"?

Cheers,

Cyril

P.S. Please, reply to the list too ;)

Luis Esteves wrote:
> Thank you for the quick reply Cyril.
>
> Here is my jail.conf:
>
> # Fail2Ban configuration file
> # Author: Cyril Jaquier
> # $Revision: 552 $
>
> [DEFAULT]
> ignoreip = 127.0.0.1
> bantime = 600
> findtime = 600
> maxretry = 3
> backend = auto
>
> [ssh-iptables]
> enabled = true
> filter = sshd
> action = iptables[name=SSH, port=ssh, protocol=tcp]
>          mail-whois[name=SSH, dest=user@local]
> logpath = /var/log/secure
> maxretry = 3
>
> [vsftpd-iptables]
> enabled = true
> filter = vsftpd
> action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
>          mail-whois[name=VSFTPD, dest=user@local]
> logpath = /var/log/secure
> maxretry = 1
> bantime = 600
>
>> -----Original Message-----
>> From: Cyril Jaquier [mailto:cyr...@fa...]
>> Sent: Thursday, July 19, 2007 4:10 PM
>> To: Luis Esteves
>> Cc: fai...@li...
>> Subject: Re: [Fail2ban-users] fail2ban does not ban vsftpd logins on FC 6
>>
>> Hi Luis,
>>
>> Could you post your jail.[conf|local]?
>> [...]
From: Luis E. <tu...@as...> - 2007-07-19 22:04:38
> Could you try this?
> # fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/vsftpd.conf

Strange, that didn't work...

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/vsftpd.conf
Use log file   : /var/log/secure

Results
=======

Failregex:
[1] vsftpd: .* authentication failure; .* rhost=<HOST>$
[2] \[.+\] FAIL LOGIN: Client "<HOST>"$
[3] \[.+\] \[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$
[4] \[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$

Number of matches:
[1] 0 match(es)
[2] 0 match(es)
[3] 0 match(es)
[4] 0 match(es)

Sorry, no match

> If this works, could you try to disable "ssh-iptables" and only run
> "vsftpd-iptables"?

I have disabled ssh-iptables and tested with no change.

> P.S. Please, reply to the list too ;)

Oops! :)

Thanks again,
Luis

> Luis Esteves wrote:
> > Thank you for the quick reply Cyril.
> >
> > Here is my jail.conf:
> > [...]
From: Cyril J. <cyr...@fa...> - 2007-07-20 07:54:51
> Strange, that didn't work...
>
> Running tests
> =============
>
> Use regex file : /etc/fail2ban/filter.d/vsftpd.conf
> Use log file   : /var/log/secure
>
> Results
> =======
>
> Failregex:
> [1] vsftpd: .* authentication failure; .* rhost=<HOST>$
> [2] \[.+\] FAIL LOGIN: Client "<HOST>"$
> [3] \[.+\] \[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$
> [4] \[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$
>
> Number of matches:
> [1] 0 match(es)
> [2] 0 match(es)
> [3] 0 match(es)
> [4] 0 match(es)
>
> Sorry, no match

If you compare these regular expressions with those in your first post, you will notice that there is a difference: the '$' at the end. This matches the end of a string. You will find more information here:

http://docs.python.org/lib/re-syntax.html

In order to avoid "log injection", it is important to only match what is needed. In your case, it seems that you have more output after "rhost=xxx.xxx.xxx.xxx". Could you post some of the corresponding vsftpd logs?

You can try to remove the '$' in your vsftpd.conf (or better, write your own vsftpd.local) in order to test it. But I wouldn't recommend this as it can allow log injection. Daniel B. Cid wrote an article about this:

http://www.ossec.net/en/attacking-loganalysis.html

Regards,

Cyril
From: Luis E. <tu...@as...> - 2007-07-20 12:37:14
> If you compare these regular expressions with those in your first post,

Thanks again for the feedback Cyril. Lots of info in those links! :)

For an experiment I removed the $ sign from the end of the regex and this time fail2ban-regex worked.

> In your case, it seems that you have more output after
> "rhost=xxx.xxx.xxx.xxx". Could you post some of the corresponding vsftpd
> logs?

Here is a typical vsftpd failed login in /var/log/secure:

Jul 19 18:11:18 srv2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Jul 19 18:11:18 srv2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=c-xx-xxx-xx-xxx.hsd1.fl.comcast.net
Jul 19 18:11:18 srv2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user an8767
Jul 19 18:11:26 srv2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Jul 19 18:11:26 srv2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=c-xx-xxx-xx-xxx.hsd1.fl.comcast.net
Jul 19 18:11:26 srv2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user an8767

I replaced the IP address part with xx. I'm not sure what could be coming after the "rhost" section though...

Thanks again,
Luis
From: Yaroslav H. <li...@on...> - 2007-07-21 02:34:15
Attachments:
pam-generic.conf
pam-generic.examples
> Jul 19 18:11:18 srv2 vsftpd: pam_unix(vsftpd:auth): authentication failure;

The problem is actually in having "pam_unix(vsftpd:auth): ". What distribution are you running (sorry if I didn't catch it in the original email)? I thought that I'd built quite a generic filter for catching all PAM-reported authentication failures, but apparently I didn't. I've modified it to catch yours as well. See attached, along with example log lines which should trigger this filter.

> I replaced the IP address part with xx. I'm not sure what could be coming after
> the "rhost" section though...

btw -- it might confuse fail2ban-regex since now it will report that it can't find an IP for the host, and the IP will not be included in the list of "found".

> Thanks again,
> Luis

--
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
                  Linux User     ^^-^^    [175555]
From: Astroturtle <tu...@as...> - 2007-07-23 17:55:40
Hi Yaroslav,

> The problem is actually in having "pam_unix(vsftpd:auth): ". What distribution
> are you running (sorry if I didn't catch it in the original email)? I

I'm running FC6, Fail2ban 0.8.0, Python 2.4.4 and iptables 1.3.5

> thought that I'd built quite a generic filter for catching all PAM-reported
> authentication failures, but apparently I didn't. I've modified it to catch
> yours as well. See attached, along with example log lines which should
> trigger this filter.

Thanks for that... I could get the catch-all working, and I got it to match SSH, but for some reason:

_ttys_re=(?:vsftpd)

doesn't match anything, and:

_ttys_re=(?:ssh|vsftpd)

only matches SSH.

I'm really confused... Here is a failed FTP login from my /var/log/secure:

Jul 23 13:42:59 bcsrv2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=b43fhtn rhost=c-xx-xxx-xx-xxx.hsd1.fl.comcast.net
Jul 23 13:42:59 bcsrv2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user b43fht

Thanks again for the help,
Luis
From: Yaroslav H. <li...@on...> - 2007-07-23 20:36:17
> Thanks for that... I could get the catch-all working, and I got it to
> match SSH, but for some reason:
> _ttys_re=(?:vsftpd)
> doesn't match anything, and:
> _ttys_re=(?:ssh|vsftpd)
> only matches SSH.
> I'm really confused... Here is a failed FTP login from my /var/log/secure:
> Jul 23 13:42:59 bcsrv2 vsftpd: pam_unix(vsftpd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ftp ruser=b43fhtn
> rhost=c-xx-xxx-xx-xxx.hsd1.fl.comcast.net

oops -- tty has to be ftp simply, ie

_ttys_re=(?:ssh|ftp)

> Jul 23 13:42:59 bcsrv2 vsftpd: pam_succeed_if(vsftpd:auth): error
> retrieving information about user b43fht
> Thanks again for the help,
> Luis

--
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
                  Linux User     ^^-^^    [175555]
From: Luis E. <tu...@as...> - 2007-07-23 21:27:33
> oops -- tty has to be ftp simply, ie
> _ttys_re=(?:ssh|ftp)

Ah, perfect! It works now. Thanks for the help Yaroslav!

Here is what my vsftpd.conf looks like now:

# Fail2Ban configuration file
# Author: Cyril Jaquier
# $Revision: 534 $
# Fail2Ban configuration file for generic PAM authentication errors
# Author: Yaroslav Halchenko
# $Revision: $

[Definition]

# If you want to catch only login errors from specific daemons, use something like:
#_ttys_re=(?:ssh|pro-ftpd)
#
# To catch all failed logins:
#_ttys_re=\S*
#
_ttys_re=(?:ftp)

# Shortcuts for easier comprehension of the failregex
__pid_re=(?:\[\d+\])
__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
__pam_combs_re=(?:%(__pid_re)s?:\s+%(__pam_re)s|%(__pam_re)s%(__pid_re)s?:)

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = \s\S+ \S+%(__pam_combs_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
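Added example, not part of the thread and not fail2ban's own code: a short Python script that exercises the finished filter above against the kind of lines posted earlier. It expands the filter's %(name)s shortcuts with ConfigParser interpolation (the mechanism fail2ban's filter files rely on), substitutes <HOST> with the expression fail2ban 0.8 used for that tag (an assumption about that release), and then shows two things from the thread: why `_ttys_re=(?:vsftpd)` matched nothing while `(?:ftp)` and `(?:ssh|ftp)` work (PAM logs `tty=ftp` for vsftpd, not the daemon name), and Cyril's log-injection point: with a loose pattern in the style of the first post's `authentication failure; .* rhost=<HOST>`, a client who logs in with the user name `root rhost=203.0.113.99` gets that string echoed into the `user=` field, and the greedy `.*` reports the attacker-chosen address, whereas the field-by-field failregex pins `rhost=` to its position and reports the real peer. The log lines, host names and addresses are constructed (RFC 5737 ranges), modelled on the lines quoted in the thread.

```python
"""Exercise the thread's finished vsftpd filter with Python's re module.

Added example, not fail2ban's own code. The %(name)s shortcuts are expanded
with ConfigParser interpolation, as fail2ban does for its filter files;
<HOST> is replaced with the expression fail2ban 0.8 substituted for that
tag (assumption about that release).
"""
import configparser
import re

# [Definition] section from the vsftpd.conf at the end of the thread, minus
# comment lines. {ttys} is filled in per call so the three _ttys_re values
# tried in the thread can be compared.
FILTER_TEMPLATE = r"""
[Definition]
_ttys_re={ttys}
__pid_re=(?:\[\d+\])
__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
__pam_combs_re=(?:%(__pid_re)s?:\s+%(__pam_re)s|%(__pam_re)s%(__pid_re)s?:)
failregex = \s\S+ \S+%(__pam_combs_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
"""

# What fail2ban 0.8 put in place of <HOST> (assumption about that release).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Constructed lines modelled on those posted in the thread; the addresses
# are RFC 5737 documentation ranges, not real hosts.
VSFTPD_FAIL = (
    "Jul 23 13:42:59 bcsrv2 vsftpd: pam_unix(vsftpd:auth): authentication "
    "failure; logname= uid=0 euid=0 tty=ftp ruser=b43fhtn rhost=192.0.2.10"
)
VSFTPD_NOISE = (
    "Jul 23 13:42:59 bcsrv2 vsftpd: pam_succeed_if(vsftpd:auth): "
    "error retrieving information about user b43fht"
)
SSHD_FAIL = (
    "Jul 23 13:45:01 bcsrv2 sshd[2041]: pam_unix(sshd:auth): authentication "
    "failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.20 user=root"
)
# Same sshd line, but the client logged in as the user name
# 'root rhost=203.0.113.99', which PAM echoes into the user= field.
SSHD_INJECTED = SSHD_FAIL + " rhost=203.0.113.99"

# Loose pattern in the style of the thread's first regex (the 'vsftpd:'
# prefix dropped so it also applies to the sshd line): anything may sit
# between 'failure;' and the rhost= that is finally captured.
LOOSE = re.compile(r"authentication failure; .* rhost=" + HOST_RE)


def compile_failregex(ttys_re):
    """Expand the filter for one _ttys_re value and compile its failregex."""
    cp = configparser.ConfigParser()  # BasicInterpolation resolves %(name)s
    cp.read_string(FILTER_TEMPLATE.format(ttys=ttys_re))
    regex = cp.get("Definition", "failregex").replace("<HOST>", HOST_RE)
    return re.compile(regex)


def find_host(pattern, line):
    """Host the pattern would hand to the ban action for this line, or None."""
    match = pattern.search(line)
    return match.group("host") if match else None


def ban_decisions():
    """For each _ttys_re tried in the thread, the host found per sample line."""
    lines = (VSFTPD_FAIL, VSFTPD_NOISE, SSHD_FAIL)
    return {
        ttys: tuple(find_host(compile_failregex(ttys), line) for line in lines)
        for ttys in ("(?:vsftpd)", "(?:ftp)", "(?:ssh|ftp)")
    }


if __name__ == "__main__":
    for ttys, hosts in ban_decisions().items():
        print(f"_ttys_re={ttys:<13} -> {hosts}")
    tight = compile_failregex("(?:ssh|ftp)")
    print("injected line, filter regex :", find_host(tight, SSHD_INJECTED))
    print("injected line, loose regex  :", find_host(LOOSE, SSHD_INJECTED))
```

Running it prints `(None, None, None)` for `(?:vsftpd)`, only the vsftpd host for `(?:ftp)`, and both hosts for `(?:ssh|ftp)`; on the injected line the filter's regex still reports 192.0.2.20 while the loose pattern reports 203.0.113.99, the address the client chose. The difference is not the trailing `$` alone but that the failregex spells out every field up to `rhost=` and only then allows an optional `user=` tail, so an attacker-controlled field can never be mistaken for the peer address.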