Re: [Fail2ban-users] Fail2ban partially working

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Woo Hoo!

Glad I could help.

-----Original Message-----
From: Yan Hudon <ya...@ja...>
To: fail2ban-users <fai...@li...>
Sent: Fri, Dec 6, 2013 10:21 am
Subject: [Fail2ban-users] Fail2ban partially working

    Hi,

    I've set up fail2ban on a centos server and everything is working    fine for my ssh jail (i am receiving alerts and shorewall is banning    ips) but somehow, my 2 others, vsftpd and smtp, are processed (I can    that they are by monitoring the log upon startup) but never seems to    notice any failed logging attempt thus, never taking actions.

    I have used fail2ban-regex to be sure that my regex were good and    they are.

    For example, let's take my vsftpd jail :

    jail status (it never changes)

    [root@gw fail2ban]# fail2ban-client status vsftpd6
    Status for the jail: vsftpd6
    |- filter
    |  |- File list:    /mnt/syslog/10.1.0.6/vsftpd.log 
    |  |- Currently failed:    0
    |  `- Total failed:    0
    `- action
       |- Currently banned:    0
       |  `- IP list:    
       `- Total banned:    0

    jail.local content

    [vsftpd6]

    enabled = true
    filter = vsftpd
    action = shorewall
                   sendmail-whois[name=VSFTPD, dest=it...@ja...]
    logpath = /mnt/syslog/10.1.0.6/vsftpd.log
    maxretry = 2
    bantime = -1

    vsftpd filter regex

    failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication    failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
                \[.+\] FAIL LOGIN: Client "<HOST>"\s*$

    Sample of the vsftpd logfile

    [root@gw fail2ban]# tail /mnt/syslog/10.1.0.6/vsftpd.log 
    Dec  6 10:10:44 ara vsftpd[3673]: [yan] FAIL LOGIN: Client    "24.100.220.57"
    Dec  6 10:13:26 ara vsftpd[3763]: [yan] FAIL LOGIN: Client    "24.100.220.57"
    Dec  6 10:22:03 ara vsftpd[3989]: [yan] FAIL LOGIN: Client    "24.100.220.57"
    Dec  6 10:22:51 ara vsftpd[3989]: [yan] FAIL LOGIN: Client    "24.100.220.57"
    Dec  6 10:25:24 ara vsftpd[4085]: [yan] FAIL LOGIN: Client    "24.100.220.57"
    Dec  6 10:25:29 ara vsftpd[4085]: [yan] FAIL LOGIN: Client    "24.100.220.57"
    Dec  6 10:35:05 ara vsftpd[4334]: [yan] FAIL LOGIN: Client    "24.100.220.57"
    Dec  6 10:35:47 ara vsftpd[4334]: [yan] FAIL LOGIN: Client    "24.100.220.57"
    Dec  6 10:38:02 ara vsftpd[4334]: [yan] FAIL LOGIN: Client    "24.100.220.57"
    Dec  6 10:47:16 ara vsftpd[4622]: [yan] FAIL LOGIN: Client    "24.100.220.57"

    fail2ban-regex results

    fail2ban-regex /mnt/syslog/10.1.0.6/vsftpd.log '\[.+\] FAIL LOGIN:    Client "<HOST>"\s*$'

    Date template hits:
    723 hit(s): MONTH Day Hour:Minute:Second

    Success, the total number of match is 308

    I've been searching for hours but cannot find anything. 

    Any help will be appreciated.

------------------------------------------------------------------------------
Sponsored by Intel(R) XDK 
Develop, test and display web and hybrid apps with a single code base.
Download it for free now!
http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk

_______________________________________________
Fail2ban-users mailing list
Fai...@li...
https://lists.sourceforge.net/lists/listinfo/fail2ban-users