From: Ville W. <wal...@gm...> - 2012-12-04 06:44:50
Hi Mij,

Thanks for the reply. With that info I was able to figure it out. The reason for why it wasn't working "out of the box" is that on Ubuntu pure-ftpd logs login failures into /var/log/syslog by default. /var/log/auth.log only gets authentication notices from PAM:

Dec 4 00:16:07 moonpod pure-ftpd: pam_unix(pure-ftpd:auth): check pass; user unknown
Dec 4 00:16:07 moonpod pure-ftpd: pam_unix(pure-ftpd:auth): authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=test123 rhost=workstation.internal.domain
Dec 4 00:16:07 moonpod pure-ftpd: pam_winbind(pure-ftpd:auth): getting password (0x00000388)
Dec 4 00:16:07 moonpod pure-ftpd: pam_winbind(pure-ftpd:auth): pam_get_item returned a password

Once I added syslog to LogSucker (by adding it to "LOGFILES" in /etc/default/sshguard), it started working. The other alternative would've been to separate pure-ftpd login failures into a separate log via rsyslog configuration change (and then point sshguard to that log), but there's probably no harm done by sshguard monitoring the syslog.

SSHguard is so much easier to use than blockhosts which I used for many years with FreeBSD. I'm quite happy with it! Keep up the good work!

Ville

On Fri, Nov 30, 2012 at 4:42 AM, Mij <mi...@ss...> wrote:
> Hi Ville,
>
> Find here the list of generalised messages that sshguard is supposed to block:
>
> http://www.sshguard.net/docs/reference/attack-signatures/
>
> if your pure-ftpd logs show attacks in different formats, please submit a sample to
>
> http://www.sshguard.net/support/attacks/submit/
>
> Make sure to include sufficient log context around every attack line. More is better than less.
>
> -m
>
>
> On Nov 24, 2012, at 3:09 , Ville Walveranta <wal...@gm...> wrote:
>
> > I have pure-ftpd 1.0.35-1 installed on Ubuntu 12.04 server along with sshguard 1.5-4. sshguard is working perfectly with sshd – repeated login attempts are promptly blocked after five or so failed attempts.
> >
> > But pure-ftpd logins are not. Pure-ftpd is logging to /var/log/auth.log like sshd. Do I need to change something in pure-ftpd configuration? Perhaps use another log format (although I'm not sure if the format selected for AltLog affects the auth.log entries..)?
> >
> > Thanks for any insights on this issue!
> >
> > Ville Walveranta
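
The check behind the fix described in this message, as an added example that is not part of the original thread: it finds which log files hold pure-ftpd's own login-failure lines and which of those are missing from the LOGFILES value. The function names, the temporary paths and the syslog sample line (including its message format and IP address) are constructed assumptions; the auth.log line is the PAM notice quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: find which log files hold a daemon's own
# login-failure lines and which of them sshguard's LOGFILES does not cover.

# logs_with_failures PATTERN FILE...  -> prints each readable FILE matching PATTERN
logs_with_failures() {
    pattern=$1; shift
    for f in "$@"; do
        [ -r "$f" ] && grep -q -- "$pattern" "$f" && printf '%s\n' "$f"
    done
    return 0
}

# unmonitored "LOGFILES value" FILE...  -> prints each FILE missing from LOGFILES
unmonitored() {
    monitored=$1; shift
    for f in "$@"; do
        case " $monitored " in
            *" $f "*) ;;                  # already watched by sshguard
            *) printf '%s\n' "$f" ;;      # sshguard never sees this file
        esac
    done
}

# Constructed sample logs in a temporary directory (stand-ins for /var/log).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
# auth.log: PAM notice only, as quoted in the message above.
cat > "$demo/auth.log" <<'EOF'
Dec 4 00:16:07 moonpod pure-ftpd: pam_unix(pure-ftpd:auth): authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=test123 rhost=workstation.internal.domain
EOF
# syslog: pure-ftpd's own failure message (constructed line, documentation IP).
cat > "$demo/syslog" <<'EOF'
Dec 4 00:16:09 moonpod pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [test123]
EOF

pattern='pure-ftpd: .*Authentication failed for user'
found=$(logs_with_failures "$pattern" "$demo/auth.log" "$demo/syslog")
missing=$(unmonitored "$demo/auth.log" $found)   # LOGFILES lists auth.log only
echo "failure lines found in: $found"
echo "add to LOGFILES:        $missing"
```

On a real host, pass the actual log paths and the LOGFILES value from /etc/default/sshguard in place of the temporary files.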