From: Christian R. <spo...@gm...> - 2008-08-24 12:34:18
When you change the log format you must change the regex too: a) remove the LogFormat lines, or b) change the regex (see mail(s) from René).

2008/8/24 Marcus Müller <mar...@fr...>:
> Hi,
>
> 1) the OS is SLES10
> 2) Proftpd 1.3.1
>
> The only changes are the logformat and the ExtendedLog:
>
> # Logformat
> SystemLog NONE
> LogFormat default "%h %u %t \"%r\" %s %b"
> LogFormat auth "%v [%P] %h %t \"%r\" %s"
> LogFormat write "%h %u %t \"%r\" %s %b"
>
> # Record all logins
> ExtendedLog /var/log/authproftpd.log AUTH
>
>
> -----Original Message-----
> From: fai...@li... [mailto:fai...@li...] On behalf of René Berber
> Sent: Saturday, 23 August 2008 23:17
> To: fai...@li...
> Subject: Re: [Fail2ban-users] Filter for proftpd
>
> Marcus Müller wrote:
>
>> just one question:
>>
>> I'm using proftpd but fail2ban doesn't ban the IPs after maxretry=6
>> which were trying to connect to the proftpd server with a wrong
>> password PASS (hidden). What can I do? Why doesn't fail2ban ban the
>> IPs?
>>
>> The jail.conf is as follows:
>>
>> [proftpd-iptables]
>>
>> enabled = true
>> filter = proftpd
>> action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
>>          sendmail-whois[name=ProFTPD, dest=mar...@fr...]
>> logpath = /var/log/authproftpd.log
>> maxretry = 6
>>
>> The authproftpd.log:
>>
>> x.x.x.x ftp [23/Aug/2008:11:09:44 +0200] "USER mmuster" 331 -
>> x.x.x.x ftp [23/Aug/2008:11:09:44 +0200] "PASS (hidden)" 530 -
>
> That log looks nothing like ProFtp's log, it looks like an imitation of
> Apache's log (in fact a quick Google seems to indicate it is a
> Microsoft ftp server). No wonder the filter expressions don't match
> anything.
>
> For the future: when you report a problem please include which version
> you are using, under which operating system, and if you have made
> changes.
>
> [snip]
>> failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
>>             \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
>>             \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
>>             \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$
> [snip]
>
> A quick fix, add the following to the above expressions:
>
> ^<HOST> ftp .* PASS .* 530
>
> That is not a permanent fix, when you upgrade fail2ban that file will be
> overwritten and the change lost.
>
> The real fix is to create your own local rule, with the proper regular
> expression. I would experiment with the above expression for some time,
> if it works keep it, if you see other log messages that should have
> their own expression add them.
>
> For instance, the 331 code in the log means the user name was known, the
> 350 probably means a bad password (I'm not sure, as I said, that log
> doesn't look like ProFtp's log... but I haven't used ProFtp in years so
> it could have changed), what does an invalid user look like? Probably
> just another code (332 following Microsoft's documentation), then a
> similar regex should be added with that code instead of 530.
> --
> René Berber
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users