Thread: fail2ban Logs
1st April 2009, 17:29
AdrianSmithUK
Solution

Hi Falco

Many thanks for the help - and sorry - you were right:

I found the solution and I'll document it here for other members with the same problem.

To find where htaccess errors are being recorded:

1. I tried to log in to an htaccess-protected directory as BillGates.

2. After this I searched the whole computer for the string BillGates.

Here is a script that will find the string and pipe it into a text file called "mySearch.txt". It runs as a background job, hence the (&) symbol.

Code:
# find / -type f -print0 | xargs -0 -n 64 grep BillGates /dev/null >> /home/www/web8/web/mySearch.txt &

3. To check whether it has finished or not, type:

Code:
# jobs

4. I found, as Falco had said, that the htaccess errors were being recorded in:

Code:
/home/www/web[n]/logs

5. Here is a sample from the mySearch.txt log:

/home/www/web8/log/error.log:[Wed Apr 01 14:45:56 2009] [error] [client 90.100.39.12] user BillGates not found: /admin
/home/www/web8/log/error.log:[Wed Apr 01 14:45:59 2009] [error] [client 90.100.39.12] user BillGates not found: /admin
/home/www/web8/log/error.log:[Wed Apr 01 14:46:09 2009] [error] [client 90.100.39.12] user BillGates not found: /admin
/home/www/web8/log/error.log:[Wed Apr 01 14:46:12 2009] [error] [client 90.100.39.12] user BillGates not found: /admin



To find where proftp errors are being recorded:

1. I tried to log in to an FTP account as RamboBig.

2. Again, I searched the whole computer for the string RamboBig and piped it into a text file called mySearch1.txt.

Code:
# find / -type f -print0 | xargs -0 -n 64 grep RamboBig /dev/null >> /home/www/web8/web/mySearch1.txt &

3. Again, this is a background job, so type the following to see whether it has finished or not:

Code:
# jobs

4. I found the proftp logs were filed in:

Code:
/var/log/messages
/var/log/secure

5. Here is a sample from the mySearch1.txt log:

/var/log/messages:Apr 1 15:56:15 s13398765 proftpd[20565]: s13398765.secureserver.info (host90-100-39-12.ipv4.secureserver.com[90.100.39.12]) - no such user 'RamboBig'
/var/log/messages:Apr 1 15:58:49 s13398765 proftpd[20860]: s13398765.secureserver.info (host90-100-39-12.ipv4.secureserver.com[90.100.39.12]) - no such user 'RamboBig'
/var/log/secure:Apr 1 15:56:15 s13398765 proftpd[20565]: s13398765.secureserver.info (host90-100-39-12.ipv4.secureserver.com[90.100.39.12]) - USER RamboBig: no such user found from host90-152-37-6.ipv4.secureserver.com [90.100.39.12] to 97.100.36.128:21
/var/log/secure:Apr 1 15:58:49 s13398765 proftpd[20860]: s13398765.secureserver.info (host90-100-39-12.ipv4.secureserver.com[90.100.39.12]) - USER RamboBig: no such user found from host90-152-37-6.ipv4.secureserver.com [90.100.39.12] to 97.100.36.128:21

I hope this helps anybody who is treading the same path as me.

Kind Regards,

Adrian Smith

Last edited by AdrianSmithUK; 1st April 2009 at 17:32.
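An added example, not part of the post above and not fail2ban's own filter code: a Python sketch of the matching a fail2ban-style filter performs on the two log formats quoted in the post, counting failures per client address inside a time window. The regular expressions and the `parse` and `offenders` helpers are assumptions written for these sample lines; `maxretry` and `findtime` are named after fail2ban's jail options.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed patterns written for the two formats quoted in the post; in both,
# the client address is captured before the attacker-supplied username.
IP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
APACHE = re.compile(r"\[(?P<ts>\w{3} \w{3} \d{2} [\d:]{8} \d{4})\] \[error\] "
                    r"\[client " + IP + r"\] user \S+ not found: ")
PROFTPD = re.compile(r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} [\d:]{8}) \S+ proftpd\[\d+\]: "
                     r"\S+ \(\S+\[" + IP + r"\]\) - no such user '")

def parse(line, year=2009):
    """Return (client_ip, timestamp) for a failed login line, else None."""
    m = APACHE.search(line)
    if m:
        return m["host"], datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    m = PROFTPD.search(line)
    if m:  # syslog lines carry no year, so the caller supplies one
        return m["host"], datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return None

def offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Map each IP to the time it first reached maxretry failures within findtime."""
    recent, flagged = defaultdict(list), {}
    for line in lines:
        hit = parse(line)
        if hit is None:
            continue
        host, ts = hit
        # Keep only failures still inside the window, then add this one.
        recent[host] = [t for t in recent[host] if ts - t <= findtime] + [ts]
        if len(recent[host]) >= maxretry:
            flagged.setdefault(host, ts)
    return flagged

# Lines copied from the mySearch.txt / mySearch1.txt samples in the post.
SAMPLE = [
    "/home/www/web8/log/error.log:[Wed Apr 01 14:45:56 2009] [error] [client 90.100.39.12] user BillGates not found: /admin",
    "/home/www/web8/log/error.log:[Wed Apr 01 14:45:59 2009] [error] [client 90.100.39.12] user BillGates not found: /admin",
    "/home/www/web8/log/error.log:[Wed Apr 01 14:46:09 2009] [error] [client 90.100.39.12] user BillGates not found: /admin",
    "/var/log/messages:Apr 1 15:56:15 s13398765 proftpd[20565]: s13398765.secureserver.info (host90-100-39-12.ipv4.secureserver.com[90.100.39.12]) - no such user 'RamboBig'",
    # The same FTP failure as written to /var/log/secure; deliberately unmatched so it is not counted twice.
    "/var/log/secure:Apr 1 15:56:15 s13398765 proftpd[20565]: s13398765.secureserver.info (host90-100-39-12.ipv4.secureserver.com[90.100.39.12]) - USER RamboBig: no such user found from host90-152-37-6.ipv4.secureserver.com [90.100.39.12] to 97.100.36.128:21",
]

if __name__ == "__main__":
    for host, when in offenders(SAMPLE).items():
        print(f"{host} reached the failure threshold at {when}")
```

Because proftpd writes each failure to both /var/log/messages and /var/log/secure in different wording, a filter that matched both wordings across both files would count every attempt twice.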