From: Ben J. <be...@in...> - 2012-01-07 21:46:45
I have managed to resolve my particular issue with pureFTPd(-mysql). My goal was to render fail2ban effective for FTP, sFTP (over SSH), and FTPs (over SSL or TLS). It bears mention that ISPConfig is installed on the server in question, although I'm not sure that this detail is relevant. I include it only because I don't know why pure-ftpd(-mysql) logs its authentication failures to /var/log/syslog on this machine (instead of /var/log/messages as described in the pure-ftpd documentation); it is possible that ISPConfig introduces this behavior. Also, ISPConfig generates the files /etc/pure-ftpd/auth/30mysql and /etc/pure-ftpd/db/mysql.conf. More information is available in my post on the ISPConfig forums: http://www.howtoforge.com/forums/showpost.php?p=270863&postcount=20

The problem was, in fact, several-fold:

1.) The pure-ftp-mysql jail must instruct fail2ban to monitor /var/log/syslog (and NOT /var/log/auth.log, which was missing valid IP addresses per my initial post in this thread). The only reason I was using /var/log/auth.log in the first place is that I wanted fail2ban to act on all ports on which pure-ftp-mysql listens (FTP, sFTP, FTPs), and watching one log (instead of one for SSH and one for FTP) seemed simplest.

2.) The regular expression included with the "pure-ftpd" jail does not match the log entries that pure-ftpd-mysql writes to /var/log/syslog; a new filter and regular expression must be added.

3.) pureFTPd must be instructed not to resolve IP addresses by creating the file /etc/pure-ftpd/conf/DontResolve and populating the file with the string "yes".

I'm still not sure why pam_unix is logging failed authentication messages to /var/log/auth.log when pure-ftpd-mysql detects an authentication failure. Granted, the files /etc/pure-ftpd/auth/70pam and /etc/pure-ftpd/conf/PAMAuthentication exist (and contain the string "yes"). Could it be that the MySQL authentication module for pureFTPd does indeed use PAM?
I have attached a pure-ftpd-mysql filter (renamed to .txt) that seems to work for me. An example jail might look something like the following:

------- EXAMPLE JAIL -------
[pure-ftpd-mysql]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = pure-ftpd-mysql
logpath = /var/log/syslog
-----------------------------------

Please let me know if I can be of additional assistance.

Thank you,

-Ben

On 1/4/2012 5:19 PM, Tom Hendrikx wrote:
> Note that the jail regex uses the pam_unix log output, and not the ftpd
> logging. I cannot find any relevant documentation about the pam log
> format or configuration.
>
> Maybe it is easier to find/enable pure-ftpd logging, and create a new
> regex for that? Please post to the list, since we can all benefit from
> your work :)
>
> On 04-01-12 21:42, Ben Johnson wrote:
>> Thanks for the reply, Tom.
>>
>> I will continue to work on forcing pureFTPd to log IP addresses only.
>>
>> That said, my original message in this thread contained excerpts of the
>> following nature:
>>
>> 2012-01-03 09:29:07,507 fail2ban.filter : DEBUG Ignore line since time
>> 1322326093.0 < 1325611747.51 - 600
>> 2012-01-03 09:29:07,527 fail2ban.datetemplate: DEBUG Correcting deduced
>> year from 2012 to 2011 since 1353948565.000000 > 1325611747.527398
>> 2012-01-03 09:29:07,529 fail2ban.filter : DEBUG Processing line with
>> time:1322326165.0 and ip:86.136.190.81
>>
>>
>> With fail2ban's loglevel = 4, fail2ban appears to log the IP address,
>> which seems to indicate that fail2ban is able to discern the value.
>>
>> Or am I off-base here?
>>
>> Thanks again,
>>
>> -Ben
>>
>>
>>
>> On 1/4/2012 3:22 PM, Tom Hendrikx wrote:
>>> Hi,
>>>
>>> The problem is that your logfile does not contain a valid ip address. It
>>> seems that fail2ban tries to lookup the ip address belonging to the
>>> hostname that was matched, but can't find one. I didn't know f2b could
>>> actually do that (quite neat but also dangerous, see below), but it is a
>>> poor man's solution.
>>> The ftpd knows the actual IP.
>>>
>>> Since I cannot lookup an IP for the host in your log excerpt too, the
>>> problem is not with f2b, but in several other places:
>>> - dns lookup for the logged hostname is broken (verified)
>>> - where does pure-ftpd get the hostname from if hostname->ip dns lookup
>>> is broken? dns ptr lookup?
>>>
>>> Note that the ptr is not trustworthy: banning an ip based on ip->ptr
>>> lookup, then ptr->ip lookup is effectively a DOS attack vector.
>>>
>>> To make a long story short: focus on getting pure-ftpd to log the ip
>>> address. If you can't, consider paid support for it, or consider
>>> switching to another product.
>>>
>>> --
>>> Tom
>>>
>>> On 04-01-12 20:41, Ben Johnson wrote:
>>>> Thank you for the reply, Yaroslav.
>>>>
>>>> I'm using fail2ban 0.8.6 on Ubuntu 10.04 x64.
>>>>
>>>> Here is a reproducible test-case:
>>>>
>>>> # fail2ban-regex "Nov 26 23:38:03 localhost pure-ftpd:
>>>> pam_unix(pure-ftpd:auth): authentication failure; logname= uid=0 euid=0
>>>> tty=pure-ftpd ruser=theheart rhost=ns2.godolfim.odo.br" ".*pure-ftpd:
>>>> .*authentication failure.*rhost=<HOST>"
>>>>
>>>> And here is the corresponding output:
>>>>
>>>> -------------------------------------------- OUTPUT
>>>> --------------------------------------------
>>>> Running tests
>>>> =============
>>>>
>>>> Use regex line : .*pure-ftpd: .*authentication failure.*rhost=<HOST>
>>>> Use single line: Nov 26 23:38:03 localhost pure-ftpd: pam_unix(pure...
>>>>
>>>> Correcting deduced year from 2012 to 2011 since 1354001883.000000 >
>>>> 1325705651.795554
>>>> Unable to find a corresponding IP address for ns2.godolfim.odo.br
>>>>
>>>> Results
>>>> =======
>>>>
>>>> Failregex
>>>> |- Regular expressions:
>>>> | [1] .*pure-ftpd: .*authentication failure.*rhost=<HOST>
>>>> |
>>>> `- Number of matches:
>>>> [1] 0 match(es)
>>>>
>>>> Ignoreregex
>>>> |- Regular expressions:
>>>> |
>>>> `- Number of matches:
>>>>
>>>> Summary
>>>> =======
>>>>
>>>> Sorry, no match
>>>>
>>>> Look at the above section 'Running tests' which could contain important
>>>> information.
>>>> -------------------------------------------- OUTPUT
>>>> --------------------------------------------
>>>>
>>>> If I use a RegEx tool like http://www.gskinner.com/RegExr/ and paste the
>>>> following into the pattern box
>>>>
>>>> .*pure-ftpd: .*authentication
>>>> failure.*rhost=(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
>>>>
>>>> and the following into the search-text box
>>>>
>>>> Nov 26 23:38:03 localhost pure-ftpd: pam_unix(pure-ftpd:auth):
>>>> authentication failure; logname= uid=0 euid=0 tty=pure-ftpd
>>>> ruser=theheart rhost=ns2.godolfim.odo.br
>>>>
>>>> I get a match. So, my question is, why is fail2ban-regex stating that no
>>>> matches were found, while at the same time displaying the following:
>>>>
>>>> Correcting deduced year from 2012 to 2011 since 1354001883.000000 >
>>>> 1325705651.795554
>>>> Unable to find a corresponding IP address for ns2.godolfim.odo.br
>>>>
>>>> I'm stumped...
>>>>
>>>> Thanks!
>>>>
>>>>
>>>>
>>>> On 1/4/2012 11:35 AM, Yaroslav Halchenko wrote:
>>>>> you can start off by sharing what version of f2b you are using and
>>>>> probably running fail2ban-regex using corresponding filter/log file to
>>>>> see what entries match and then share a sample of those
>>>>>
>>>>> On Tue, 03 Jan 2012, Ben Johnson wrote:
>>>>>
>>>>>> All of a sudden, I'm seeing a problem with the pure-ftpd-mysql jail on
>>>>>> one of my servers. I've determined that messages are related to the
>>>>>> pure-ftpd(-mysql) jail by disabling that jail (the messages stop).
>>>>>>
>>>> ------------------------------------------------------------------------------
>>>> Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex
>>>> infrastructure or vast IT resources to deliver seamless, secure access to
>>>> virtual desktops. With this all-in-one solution, easily deploy virtual
>>>> desktops for less than the cost of PCs and save 60% on VDI infrastructure
>>>> costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox
>>>> _______________________________________________
>>>> Fail2ban-users mailing list
>>>> Fai...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
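The hostname-versus-IP problem the thread works through, as an added example that is not part of the thread or of fail2ban's own code: it expands fail2ban's <HOST> tag with the pattern Ben pasted into RegExr, applies his failregex to the pam_unix line from his test case, and accepts only a literal address as a ban target rather than resolving a logged hostname (the PTR-based DoS vector Tom points out). The second and third sample lines are constructed, and the helper names are my own.

```python
import ipaddress
import re

# fail2ban's expansion of the <HOST> tag, as pasted into RegExr in the thread.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
# Ben's failregex from his fail2ban-regex test case.
FAILREGEX = r".*pure-ftpd: .*authentication failure.*rhost=<HOST>"

SAMPLE_LINES = [
    # The pam_unix entry quoted in the thread: rhost is a hostname, not an IP.
    "Nov 26 23:38:03 localhost pure-ftpd: pam_unix(pure-ftpd:auth): "
    "authentication failure; logname= uid=0 euid=0 tty=pure-ftpd "
    "ruser=theheart rhost=ns2.godolfim.odo.br",
    # Constructed line in the same format with a literal rhost, which is what
    # you get once the daemon stops resolving addresses (DontResolve = yes).
    "Jan  7 21:00:01 localhost pure-ftpd: pam_unix(pure-ftpd:auth): "
    "authentication failure; logname= uid=0 euid=0 tty=pure-ftpd "
    "ruser=alice rhost=192.0.2.10",
    # Constructed unrelated line that must not match the failregex at all.
    "Jan  7 21:00:02 localhost pure-ftpd: (alice@192.0.2.10) [INFO] Logout.",
]

def compile_failregex(failregex):
    """Replace the <HOST> tag with fail2ban's capture group and compile."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def is_ip_literal(value):
    """True only for a syntactically valid IPv4/IPv6 address; no DNS is done."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True

def classify(pattern, line):
    """("ip", addr) for a match with a literal address, ("hostname", name) for
    a match that only logged a name, ("nomatch", None) otherwise. A hostname
    is never resolved: a forged PTR/A record could make the ban land on an
    arbitrary address, the DoS vector Tom describes."""
    m = pattern.search(line)
    if m is None:
        return ("nomatch", None)
    host = m.group("host")
    return ("ip", host) if is_ip_literal(host) else ("hostname", host)

def run_samples(lines=SAMPLE_LINES):
    pattern = compile_failregex(FAILREGEX)
    return [classify(pattern, line) for line in lines]
```

Only the "ip" verdicts are safe to hand to a ban action; a "hostname" verdict is the same condition that makes fail2ban-regex report "Unable to find a corresponding IP address" and zero matches.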