HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Thread: fail2ban pureftp (http://www.howtoforge.com/forums/showthread.php?t=40177), in Installation/Configuration

admins 16th October 2009 10:45

fail2ban pureftp
 
Hi all

Who has a possibility to add pureftp protection for fail2ban?

thanks
admins

damir 16th October 2009 10:49

Quote:

Originally Posted by admins (Post 207609)
Hi all

Who has a possibility to add pureftp protection for fail2ban?

thanks
admins


This is my config that works under Debian Lenny and ISPConfig 3:

/etc/fail2ban/jail.conf

Code:

#
# FTP servers
#

[pure-ftpd]

enabled  = true
port    = ftp
filter  = pure-ftpd
logpath  = /var/log/messages
maxretry = 3

/etc/fail2ban/filter.d/pure-ftpd.conf

This is the correct failregex for Debian Lenny:

Code:

failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$

Restart your fail2ban and now fail2ban and pure-ftpd work as they should.

You can always tweak the maxretry parameter to suit your needs.

Djamu 8th February 2010 15:10

I stumbled upon this for an "Unable to find a corresponding IP address" issue with fail2ban.

I noticed that there's a typo at the end of your failregex (although yours seems to work fine).

So for completeness, here's the latest official one:

Code:

failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$
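
To see what damir's failregex and Djamu's trailing `\s*$` correction actually match, here is an added example (not fail2ban's own code and not from either poster) that expands the `<HOST>` placeholder and the `%(__errmsg)s` reference the way fail2ban does and runs both regexes over constructed /var/log/messages lines. The `__errmsg` definition and the simplified `<HOST>` pattern are assumptions; the real values live in filter.d/pure-ftpd.conf and inside fail2ban itself.

```python
"""Try a fail2ban failregex against sample pure-ftpd log lines.

Added example, not fail2ban's own code.  It re-implements only the two
pieces of fail2ban's filter handling needed here (the %(name)s
interpolation and the <HOST> placeholder) and then counts matches per
host the way the daemon tallies retries against maxretry.
"""
import re
from collections import Counter

# Assumed definition of __errmsg: the posts only reference it, the real
# filter.d/pure-ftpd.conf defines it in its [Definition] section.
DEFINITIONS = {"__errmsg": r"(?:Authentication failed for user)"}

# The two failregex lines quoted in the thread.
FAILREGEX_ORIGINAL = r"pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$"
FAILREGEX_OFFICIAL = r"pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$"

# Simplified stand-in for fail2ban's <HOST> expansion: a named group that
# captures an IPv4 address or hostname.
HOST_RE = r"(?P<host>[\w\-.]+)"

# Constructed /var/log/messages lines in pure-ftpd's syslog format.  The
# fourth line carries trailing spaces, which only the \s*$ ending tolerates.
SAMPLE_LOG = [
    "Oct 16 10:45:01 srv pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]",
    "Oct 16 10:45:04 srv pure-ftpd[2140]: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]",
    "Oct 16 10:45:09 srv pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [root]",
    "Oct 16 10:46:00 srv pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [test]  ",
    "Oct 16 10:46:30 srv pure-ftpd: (?@198.51.100.9) [INFO] New connection from 198.51.100.9",
    "Oct 16 10:47:00 srv pure-ftpd: (web1@192.0.2.5) [INFO] web1 is now logged in",
]


def compile_failregex(failregex, definitions=DEFINITIONS):
    """Expand %(name)s references and the <HOST> placeholder, then compile."""
    expanded = (failregex % definitions).replace("<HOST>", HOST_RE)
    return re.compile(expanded)


def failed_hosts(lines, pattern):
    """Count matching failure lines per host (Counter of host -> hits)."""
    counts = Counter()
    for line in lines:
        m = pattern.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def hosts_to_ban(lines, pattern, maxretry=3):
    """Hosts that reached maxretry; findtime is ignored for brevity."""
    return sorted(h for h, n in failed_hosts(lines, pattern).items() if n >= maxretry)


if __name__ == "__main__":
    for label, rx in (("original", FAILREGEX_ORIGINAL), ("official", FAILREGEX_OFFICIAL)):
        pattern = compile_failregex(rx)
        print(label, dict(failed_hosts(SAMPLE_LOG, pattern)),
              "ban:", hosts_to_ban(SAMPLE_LOG, pattern))
```

With damir's `$` ending the line with trailing whitespace is silently skipped, so 198.51.100.9 is never counted; the official `\s*$` ending counts it. Against a real log file fail2ban's own fail2ban-regex tool performs the same check.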

edge 4th September 2010 08:07

Sorry to bring up this old post, but could someone here please post his "jail.conf" and "jail.local"?
I've deleted my version, and cannot get fail2ban to ban anything anymore :-(

falko 5th September 2010 17:56

This is what I have on my ISPConfig 2 server:

jail.conf:

Code:

# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
#  for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision: 281 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime  = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]

# Following actions can be chosen as an alternatives to the above action.
# To activate, just copy/paste+uncomment chosen 2 (excluding comments) lines
# into jail.local

# Default action to take: ban & send an e-mail with whois report
# to the destemail.
# action = iptables[name=%(__name__)s, port=%(port)s]
#          mail-whois[name=%(__name__)s, dest=%(destemail)s]

# Default action to take: ban & send an e-mail with whois report
# and relevant log lines to the destemail.
# action = iptables[name=%(__name__)s, port=%(port)s]
#          mail-whois-lines[name=%(__name__)s, dest=%(destemail)s, logpath=%(logpath)s]

# Next jails corresponds to the standard configuration in Fail2ban 0.6
# which was shipped in Debian. Please enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#

[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 6

#
# HTTP servers
#

[apache]

enabled = false
port    = http
filter  = apache-auth
logpath = /var/log/apache*/*access.log
maxretry = 6


[apache-noscript]

enabled = false
port    = http
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

#
# FTP servers
#

[vsftpd]

enabled  = false
port    = ftp
filter  = vsftpd
logpath  = /var/log/auth.log
maxretry = 6


[proftpd]

enabled  = false
port    = ftp
filter  = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6


[wuftpd]

enabled  = false
port    = ftp
filter  = wuftpd
logpath  = /var/log/auth.log
maxretry = 6


#
# Mail servers
#

[postfix]

enabled  = false
port    = smtp
filter  = postfix
logpath  = /var/log/postfix.log


[couriersmtp]

enabled  = false
port    = smtp
filter  = couriersmtp
logpath  = /var/log/mail.log


[sasl]

enabled  = false
port    = smtp
filter  = sasl
logpath  = /var/log/mail.log

jail.local:

Code:

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime  = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost.localdomain

# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]


[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 5


[apache]

enabled = true
port    = http
filter  = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 5


[apache-noscript]

enabled = false
port    = http
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 5


[vsftpd]

enabled  = false
port    = ftp
filter  = vsftpd
logpath  = /var/log/auth.log
maxretry = 5


[proftpd]

enabled  = true
port    = ftp
filter  = proftpd
logpath  = /var/log/auth.log
failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
maxretry = 5


[wuftpd]

enabled  = false
port    = ftp
filter  = wuftpd
logpath  = /var/log/auth.log
maxretry = 5


[postfix]

enabled  = false
port    = smtp
filter  = postfix
logpath  = /var/log/mail.log
maxretry = 5


[courierpop3]

enabled  = false
port    = pop3
filter  = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath  = /var/log/mail.log
maxretry = 5


[courierimap]

enabled  = false
port    = imap2
filter  = courierlogin
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath  = /var/log/mail.log
maxretry = 5


[sasl]

enabled  = false
port    = smtp
filter  = sasl
failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
logpath  = /var/log/mail.log
maxretry = 5


Hans 5th September 2010 19:12

@edge,
I see that falko gave you the config files already.

Beware that the configuration for PureFTPd is not in these files. You can add the configuration for PureFTPd as mentioned earlier in this thread.

edge 5th September 2010 19:23

Will give it another go later today.

Thank you for the info.

Hans 5th September 2010 19:30

If you want to start from scratch again with fail2ban, maybe the easiest way is to do:

Code:

apt-get remove --purge fail2ban

(this removes fail2ban including the fail2ban config files)

Code:

apt-get install fail2ban

(to install it again)

After that edit the config files as mentioned above.
If you use ISPConfig3 (as I think) also have a look here:

Toxin 8th November 2010 10:29

Hi everyone,

I tried to apply this hint to my Fedora 13 (64) Perfect Server but:

If I add the:

Code:

[pure-ftpd]

enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = pure-ftpd
logpath = /var/log/messages
maxretry = 6

in /etc/fail2ban/jail.conf

When I restart fail2ban [service fail2ban restart]
it fails; if I remove the added rules it works fine.

Can someone help to add Fail2Ban on pure-ftpd on Fedora?
I'm getting bored of having a huge log of login tries with unknown users.

Thanks

edge 8th November 2010 11:51

As a wise man is always saying here:
What does the logfile (in this case fail2ban.log) say?
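
Toxin's restart failure and Hans's note that PureFTPd is not in falko's files both come down to how fail2ban layers jail.local over jail.conf and what it needs for each enabled jail. As an added example (not fail2ban's own code and not from any poster), the script below merges the two files the way fail2ban does, then checks every enabled jail for its filter file, a failregex inside that file, and a logpath that matches something. The config tree it builds is constructed in a temporary directory and deliberately lacks filter.d/pure-ftpd.conf; the function and file names are mine.

```python
"""Check a merged fail2ban jail.conf + jail.local before restarting the daemon.

Added example, not fail2ban's own code.  fail2ban reads jail.conf and then
jail.local on top of it; this script merges the two the same way (later
file wins, [DEFAULT] supplies fallbacks) and reports, for every enabled
jail, whether its filter file exists, defines a failregex, and whether its
logpath matches anything.  A jail whose filter.d/<name>.conf is missing is
a common reason the daemon refuses to start after a new [section] is added.
"""
import configparser
import glob
import os
import tempfile
import textwrap


def load_jails(conf_dir):
    """Merge jail.conf and jail.local (jail.local overrides)."""
    cp = configparser.ConfigParser(interpolation=None)  # values may contain %(name)s
    cp.read([os.path.join(conf_dir, "jail.conf"),
             os.path.join(conf_dir, "jail.local")])
    return cp


def check_jails(conf_dir):
    """Return {jail: {"filter", "maxretry", "problems"}} for enabled jails."""
    cp = load_jails(conf_dir)
    report = {}
    for jail in cp.sections():
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue
        problems = []
        filt = cp.get(jail, "filter", fallback=jail)
        filter_file = os.path.join(conf_dir, "filter.d", filt + ".conf")
        if not os.path.isfile(filter_file):
            problems.append(f"filter file missing: {filter_file}")
        else:
            fcp = configparser.ConfigParser(interpolation=None)
            fcp.read(filter_file)
            if not fcp.has_option("Definition", "failregex"):
                problems.append(f"no failregex in [Definition] of {filter_file}")
        for logpath in cp.get(jail, "logpath", fallback="").split():
            if not glob.glob(logpath):
                problems.append(f"logpath matches nothing: {logpath}")
        report[jail] = {"filter": filt,
                        "maxretry": cp.get(jail, "maxretry", fallback=None),
                        "problems": problems}
    return report


# Constructed config files.  {log} is filled in with a temporary file that
# stands in for /var/log/messages.
JAIL_CONF = textwrap.dedent("""\
    [DEFAULT]
    ignoreip = 127.0.0.1
    bantime  = 600
    maxretry = 3

    [ssh]
    enabled = true
    port    = ssh
    filter  = sshd
    logpath = {log}

    [pure-ftpd]
    enabled  = false
    port     = ftp
    filter   = pure-ftpd
    logpath  = {log}
    """)

JAIL_LOCAL = textwrap.dedent("""\
    # Local overrides: turn the FTP jail on and raise its retry count.
    [pure-ftpd]
    enabled  = true
    maxretry = 6
    """)

# A minimal filter in the shape fail2ban expects (constructed, not the shipped one).
SSHD_FILTER = ("[Definition]\n"
               "failregex = sshd(?:\\[\\d+\\])?: Failed password for .* from <HOST>\n"
               "ignoreregex =\n")


def run_demo():
    """Build the constructed tree in a temp dir and check it.

    The tree has filter.d/sshd.conf but no filter.d/pure-ftpd.conf, which
    reproduces the 'added a [pure-ftpd] jail and fail2ban no longer starts'
    situation.
    """
    with tempfile.TemporaryDirectory() as conf_dir:
        os.mkdir(os.path.join(conf_dir, "filter.d"))
        log = os.path.join(conf_dir, "messages")
        open(log, "w").close()
        with open(os.path.join(conf_dir, "jail.conf"), "w") as f:
            f.write(JAIL_CONF.format(log=log))
        with open(os.path.join(conf_dir, "jail.local"), "w") as f:
            f.write(JAIL_LOCAL)
        with open(os.path.join(conf_dir, "filter.d", "sshd.conf"), "w") as f:
            f.write(SSHD_FILTER)
        return check_jails(conf_dir)


if __name__ == "__main__":
    for jail, info in run_demo().items():
        status = "OK" if not info["problems"] else "; ".join(info["problems"])
        print(f"[{jail}] filter={info['filter']} maxretry={info['maxretry']}: {status}")
```

Pointed at a real /etc/fail2ban instead of the temporary tree, `check_jails("/etc/fail2ban")` flags the missing pure-ftpd filter before the restart fails, which is the same thing fail2ban.log reports afterwards. The report also shows the merge: [pure-ftpd] ends up enabled with maxretry 6 from jail.local, while [ssh] inherits maxretry 3 from [DEFAULT].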

