wxman
14th November 2009, 23:08
I'm looking for anyone who has had luck getting fail2ban to work with pure-ftp. I keep getting log entries like:
Nov 14 15:39:05 web1 pure-ftpd: (?@60.217.229.228) [WARNING] Authentication failed for user [administrator]
Nov 14 15:39:18 web1 pure-ftpd: (?@60.217.229.228) [INFO] PAM_RHOST enabled. Getting the peer address
Nov 14 15:39:20 web1 pure-ftpd: (?@60.217.229.228) [WARNING] Authentication failed for user [administrator]
Nov 14 15:39:32 web1 pure-ftpd: (?@60.217.229.228) [INFO] PAM_RHOST enabled. Getting the peer address
Nov 14 15:39:34 web1 pure-ftpd: (?@60.217.229.228) [WARNING] Authentication failed for user [administrator]
My fail2ban failregex for pure-ftpd is now:
failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>\)) \[WARNING\] %(__errmsg)s \[.+\]$
failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>\)) \[INFO\] %(__errmsg)s \[.+\]$
So far I haven't blocked a single one.
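An offline check of the two failregex lines above against log lines in the same format, added here as an example and not part of the original post. It assumes `__errmsg` is "Authentication failed for user", uses a simplified stand-in for fail2ban's `<HOST>` tag, and models the filter file with Python's `configparser` in non-strict mode, where a repeated key keeps only its last value.

```python
import configparser
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption, not its exact pattern).
HOST = r"(?P<host>[\w\-.^_]+)"

# Constructed sample lines in the same format as the log excerpt in the post.
LOG = """\
Nov 14 15:39:05 web1 pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [administrator]
Nov 14 15:39:18 web1 pure-ftpd: (?@203.0.113.7) [INFO] PAM_RHOST enabled. Getting the peer address
Nov 14 15:39:20 web1 pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [administrator]
""".splitlines()

# Assumed definition of __errmsg; the post does not show it.
HEAD = "[Definition]\n__errmsg = Authentication failed for user\n"
WARN = r"pure-ftpd(?:\[\d+\])?: (.+?@<HOST>\)) \[WARNING\] %(__errmsg)s \[.+\]$"
INFO = r"pure-ftpd(?:\[\d+\])?: (.+?@<HOST>\)) \[INFO\] %(__errmsg)s \[.+\]$"

# As posted: the key is repeated, so the second assignment replaces the first.
AS_POSTED = HEAD + "failregex = " + WARN + "\nfailregex = " + INFO + "\n"
# One key, with the extra pattern on an indented continuation line.
ONE_KEY = HEAD + "failregex = " + WARN + "\n            " + INFO + "\n"


def load_patterns(text):
    """Return compiled failregex patterns from an INI-style filter definition."""
    cp = configparser.ConfigParser(strict=False)
    cp.read_string(text)
    value = cp.get("Definition", "failregex")  # expands %(__errmsg)s
    return [re.compile(p.replace("<HOST>", HOST)) for p in value.splitlines() if p.strip()]


def failures(text, lines=LOG):
    """Return the host captured from every log line that a pattern matches."""
    pats = load_patterns(text)
    hits = []
    for line in lines:
        for pat in pats:
            m = pat.search(line)
            if m:
                hits.append(m.group("host"))
                break
    return hits


if __name__ == "__main__":
    print("as posted:", failures(AS_POSTED))
    print("one key:  ", failures(ONE_KEY))
```

On a live system, `fail2ban-regex` run against the real log file and filter file performs the same kind of check with fail2ban's own parser.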