HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

-   -   Preventing Brute Force Attacks With Fail2ban On Debian Etch (http://www.howtoforge.com/forums/showthread.php?t=13830)

Jarek Buczyński 4th July 2007 00:08

Preventing Brute Force Attacks With Fail2ban On Debian Etch
 
Hello,

I've installed PureFTP with MySQL authentication.

How do I configure fail2ban to work with this FTP server? The default configuration doesn't support this server.

--
Regards,
Jarek

falko 4th July 2007 16:02

Find out in which file PureFTPd logs authentication attempts, and then try to adjust /etc/fail2ban/jail.local.

Jarek Buczyński 6th July 2007 23:21

PureFTP logs authentication attempts for "normal" users to /var/log/auth.log AND for virtual users from the database to /var/log/syslog.

I added to jail.local:

Code:

[pureftpd]

enabled  = true
port    = ftp
filter  = pureftpd
logpath  = /var/log/auth.log

maxretry = 3

and in filter.d/pureftpd.conf:

Code:

[Definition]
failregex = pure-ftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
ignoreregex =

Code:

/etc/init.d/fail2ban restart

Code:

Chain INPUT (policy ACCEPT 5386 packets, 406K bytes)
 pkts bytes target    prot opt in    out    source              destination
    0    0 fail2ban-pureftpd  tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:21

Chain fail2ban-pureftpd (1 references)
 pkts bytes target    prot opt in    out    source              destination
    0    0 DROP      0    --  *      *      192.168.10.12            0.0.0.0/0
    0    0 RETURN    0    --  *      *      0.0.0.0/0            0.0.0.0/0

It works when we try to log in as a fictional user or a system user (auth.log), but it doesn't work when we try to log in as a virtual user (syslog)?

Syslog output:

Code:

deb pure-ftpd: (?@comp10.domain.com) [INFO] New connection from comp10.domain.com
deb pure-ftpd: (?@comp10.domain.com) [INFO] Logout.
deb pure-ftpd: (?@comp10.domain.com) [WARNING] Authentication failed for user [user1]
deb pure-ftpd: (?@comp10.domain.com) [INFO] New connection from comp10.domain.com
deb pure-ftpd: (?@comp10.domain.com) [INFO] Logout.
deb pure-ftpd: (?@comp10.domain.com) [WARNING] Authentication failed for user [user1]
....

Do you have any idea how to merge these two logs from auth.log and syslog?

--
Regards

seufert 26th July 2007 02:57

Yeah, I got it working by using syslog for all failed passwords, rather than auth.log.

Code:

[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =

works a treat.

On Debian (etch) you will have to do this for it to work (or at least I seemed to have to):
Code:

echo "yes" > /etc/pure-ftpd/conf/DontResolve
/etc/init.d/pure-ftpd-mysql restart
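
As an added illustration (not code from this thread or from fail2ban itself), the Python script below runs both failregex patterns posted above over constructed syslog lines modelled on the ones quoted earlier, expanding <HOST> with an approximation of fail2ban's own substitution (an assumption). It shows why the pam_unix regex never fires on the virtual-user lines, why seufert's WARNING regex does, and why the host that ends up in <HOST> is a hostname unless pure-ftpd is told not to resolve (the DontResolve setting), which matters because that value is what gets handed to the iptables ban action.

```python
import re
from collections import Counter

# Approximation of fail2ban's <HOST> expansion (assumption: close to the
# 0.8-era pattern, which also tolerates an IPv4-mapped IPv6 prefix).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The two filters posted in the thread: the pam_unix regex (auth.log,
# system users only) and the syslog regex (virtual users as well).
PAM_REGEX = r"pure-ftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>"
SYSLOG_REGEX = r".*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*"

def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python pattern by expanding <HOST>."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def failed_hosts(lines, failregex):
    """Count matching failures per <HOST>, as the fail2ban filter would."""
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in lines:
        m = pattern.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts

def hosts_to_ban(lines, failregex, maxretry=3):
    """Hosts that reached maxretry, i.e. what the jail would hand to actionBan."""
    return sorted(h for h, n in failed_hosts(lines, failregex).items() if n >= maxretry)

# Constructed sample syslog lines (not real log data). The first client is
# logged by name, as in the thread; the second shows the IP form you get
# once pure-ftpd stops resolving, which is what "iptables -s" really wants.
SAMPLE_SYSLOG = [
    "Aug  6 10:00:01 deb pure-ftpd: (?@comp10.domain.com) [INFO] New connection from comp10.domain.com",
    "Aug  6 10:00:02 deb pure-ftpd: (?@comp10.domain.com) [WARNING] Authentication failed for user [user1]",
    "Aug  6 10:00:03 deb pure-ftpd: (?@comp10.domain.com) [INFO] Logout.",
    "Aug  6 10:00:04 deb pure-ftpd: (?@comp10.domain.com) [WARNING] Authentication failed for user [user1]",
    "Aug  6 10:00:05 deb pure-ftpd: (?@comp10.domain.com) [WARNING] Authentication failed for user [user1]",
    "Aug  6 10:00:06 deb pure-ftpd: (?@192.168.10.12) [WARNING] Authentication failed for user [admin]",
    "Aug  6 10:00:07 deb pure-ftpd: (?@192.168.10.12) [INFO] Logout.",
]

if __name__ == "__main__":
    # pam_unix regex: [] (these lines are not pam messages, so nothing matches)
    print("pam_unix regex:", hosts_to_ban(SAMPLE_SYSLOG, PAM_REGEX))
    # syslog regex: ['comp10.domain.com'] (three WARNING lines reach maxretry)
    print("syslog regex:  ", hosts_to_ban(SAMPLE_SYSLOG, SYSLOG_REGEX))
```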


Jarek Buczyński 3rd August 2007 19:24

Hi,

Thank you seufert, it works well now, even without:

Code:

echo "yes" > /etc/pure-ftpd/conf/DontResolve
thanks

--
Regards
Jarek

nzimas 10th August 2007 18:12

fail2ban not blocking
 
I have followed the minihowto on fail2ban; the daemon seems to be running just fine. However, upon several purposeful brute-force logins on SSH from a non-whitelisted IP, I did not get blocked.

Here's what tail shows:

Code:

e82-103-142-216s:~# tail -f /var/log/fail2ban.log
2007-08-10 17:57:58,810 fail2ban.filter : INFO  Set ignoreregex =
2007-08-10 17:57:58,818 fail2ban.actions.action: INFO  Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2007-08-10 17:57:58,822 fail2ban.actions.action: INFO  Set actionStop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2007-08-10 17:57:58,826 fail2ban.actions.action: INFO  Set actionStart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
2007-08-10 17:57:58,830 fail2ban.actions.action: INFO  Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
2007-08-10 17:57:58,834 fail2ban.actions.action: INFO  Set actionCheck = iptables -L INPUT | grep -q fail2ban-<name>

Anything missing in my config?

Shall I set up iptables first?

Regards,
Nuno.

Jarek Buczyński 10th August 2007 19:23

Hi,

It isn't important whether you have iptables configured or not. Fail2ban adds its own rules and makes its own chains. Whether you have a firewall or not, it should work.

Look once again at the config:

Code:

FILE - jail.local:
[pureftpd]
enabled  = true
port    = ftp
filter  = pureftpd
logpath  = /var/log/auth.log
maxretry = 3

FILE - filter.d/pureftpd.conf:
[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =


/etc/init.d/fail2ban restart

Should work :)

