From: Lee C. <ja...@le...> - 2012-01-07 22:02:04
On 01/07/2012 04:46 PM, Ben Johnson wrote:
> I have managed to resolve my particular issue with pureFTPd(-mysql).
>
> My goal was to render fail2ban effective for FTP, sFTP (over SSH), and
> FTPs (over SSL or TLS).
>
> It bears mention that ISPConfig is installed on the server in question,
> although I'm not sure that this detail is relevant. I include it only
> because I don't know why pure-ftpd(-mysql) logs its authentication
> failures to /var/log/syslog on this machine (instead of
> /var/log/messages as described in the pure-ftpd documentation); it is
> possible that ISPConfig introduces this behavior. Also, ISPConfig
> generates the files /etc/pure-ftpd/auth/30mysql and
> /etc/pure-ftpd/db/mysql.conf.
>
> More information is available in my post on the ISPConfig forums:
> http://www.howtoforge.com/forums/showpost.php?p=270863&postcount=20
>
> The problem was, in fact, several-fold:
>
> 1.) The pure-ftp-mysql jail must instruct fail2ban to monitor
> /var/log/syslog (and NOT /var/log/auth.log, which was missing valid IP
> addresses per my initial post in this thread). The only reason I was
> using /var/log/auth.log in the first place is that I wanted fail2ban to
> act on all ports on which pure-ftp-mysql listens (FTP, sFTP, FTPs), and
> watching one log (instead of one for SSH and one for FTP) seemed simplest.
>
> 2.) The regular expression included with the "pure-ftpd" jail does not
> match the log entries that pure-ftpd-mysql writes to /var/log/syslog; a
> new filter and regular expression must be added.
>
> 3.) pureFTPd must be instructed not to resolve IP addresses by
> creating the file /etc/pure-ftpd/conf/DontResolve and populating the
> file with the string "yes".
>
> I'm still not sure why pam_unix is logging failed authentication
> messages to /var/log/auth.log when pure-ftpd-mysql detects an
> authentication failure. Granted, the files /etc/pure-ftpd/auth/70pam and
> /etc/pure-ftpd/conf/PAMAuthentication exist (and contain the string
> "yes"). Could it be that the MySQL authentication module for pureFTPd
> does indeed use PAM?

PAM likely isn't doing the rDNS lookup; it's being told the rHost, so it logs the rHost....
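As an added example, not part of this thread: a small Python check that expands a fail2ban-style failregex (the `<HOST>` placeholder) and runs it over constructed syslog lines, showing why point 3 above matters: when pure-ftpd logs a resolved hostname instead of an address, the filter still matches but yields nothing that can be banned without a further DNS lookup. The pure-ftpd line shape and the simplified host group are assumptions; compare them against your own /var/log/syslog.

```python
import re
import ipaddress

# Assumed pure-ftpd syslog line shape (constructed for this example; the exact
# wording may differ between pure-ftpd builds, so check your own syslog):
#   "... pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [bob]"
FAILREGEX = (r"pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] "
             r"Authentication failed for user \[.+?\]")

# fail2ban replaces <HOST> with a group that accepts an IP or a hostname;
# this is a simplified stand-in for that group, not fail2ban's own.
HOST_PATTERN = r"(?P<host>[\w\-.]+)"


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand the <HOST> placeholder the way a fail2ban filter is expanded."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def extract_hosts(lines, failregex=FAILREGEX):
    """Return the host field of every line the filter matches."""
    rx = compile_failregex(failregex)
    return [m.group("host") for line in lines if (m := rx.search(line))]


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(lines, failregex=FAILREGEX):
    """Split matched hosts into directly bannable IPs and names needing DNS."""
    ips, names = [], []
    for host in extract_hosts(lines, failregex):
        (ips if is_ip(host) else names).append(host)
    return ips, names


# Constructed sample lines: one failure logged with an IP, one with a
# resolved hostname (DontResolve not set), one success, one unrelated sshd line.
SAMPLE_SYSLOG = [
    "Jan  7 21:55:12 srv pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [bob]",
    "Jan  7 21:55:20 srv pure-ftpd: (?@client.example.net) [WARNING] Authentication failed for user [alice]",
    "Jan  7 21:55:30 srv pure-ftpd: (?@192.0.2.11) [INFO] bob is now logged in",
    "Jan  7 21:55:31 srv sshd[1234]: Failed password for invalid user root from 192.0.2.12 port 5555 ssh2",
]

if __name__ == "__main__":
    bannable, unresolved = classify(SAMPLE_SYSLOG)
    print("bannable IPs:", bannable)
    print("hostnames needing a lookup:", unresolved)
```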