From: Yan H. <ya...@ja...> - 2013-12-06 16:21:22
Hi,

I've set up fail2ban on a CentOS server and everything is working fine for my ssh jail (I am receiving alerts and shorewall is banning IPs), but somehow my 2 others, vsftpd and smtp, are processed (I can see that they are by monitoring the log upon startup) but never seem to notice any failed login attempts, thus never taking action.

I have used fail2ban-regex to be sure that my regexes were good, and they are.

For example, let's take my vsftpd jail:

*jail status* (it never changes)

[root@gw fail2ban]# fail2ban-client status vsftpd6
Status for the jail: vsftpd6
|- filter
|  |- File list:        /mnt/syslog/10.1.0.6/vsftpd.log
|  |- Currently failed: 0
|  `- Total failed:     0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     0

*jail.local content*

[vsftpd6]
enabled = true
filter = vsftpd
action = shorewall
         sendmail-whois[name=VSFTPD, dest=it...@ja...]
logpath = /mnt/syslog/10.1.0.6/vsftpd.log
maxretry = 2
bantime = -1

*vsftpd filter regex*

failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
            \[.+\] FAIL LOGIN: Client "<HOST>"\s*$

*Sample of the vsftpd logfile*

[root@gw fail2ban]# tail /mnt/syslog/10.1.0.6/vsftpd.log
Dec 6 10:10:44 ara vsftpd[3673]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec 6 10:13:26 ara vsftpd[3763]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec 6 10:22:03 ara vsftpd[3989]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec 6 10:22:51 ara vsftpd[3989]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec 6 10:25:24 ara vsftpd[4085]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec 6 10:25:29 ara vsftpd[4085]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec 6 10:35:05 ara vsftpd[4334]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec 6 10:35:47 ara vsftpd[4334]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec 6 10:38:02 ara vsftpd[4334]: [yan] FAIL LOGIN: Client "24.100.220.57"
Dec 6 10:47:16 ara vsftpd[4622]: [yan] FAIL LOGIN: Client "24.100.220.57"

*fail2ban-regex results*

fail2ban-regex /mnt/syslog/10.1.0.6/vsftpd.log '\[.+\] FAIL LOGIN: Client "<HOST>"\s*$'

Date template hits:
723 hit(s): MONTH Day Hour:Minute:Second

Success, the total number of match is 308

I've been searching for hours but cannot find anything. Any help will be appreciated.