View Single Post
  #9  
Old 22nd June 2009, 01:34
danielborene danielborene is offline
Junior Member
 
Join Date: Jun 2009
Posts: 24
Thanks: 7
Thanked 2 Times in 1 Post
Default

Quote:
Originally Posted by till View Post
Please post the content of your /etc/hosts file. Also you can try to disable IPv6 for pureftpd.
This is my /etc/hosts
127.0.0.1 server.synkrotek.net localhost.localdomain localhost
192.168.10.95 server.synkrotek.net server

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

----------------------------------------------------
Ok,
This is what I found out.
The error I was getting on /var/log/fail2ban.log
2009-06-19 21:07:28,487 fail2ban.server : ERROR Unexpected communication error
It's related to the python version, some type o incompatibility with ubuntu 9.04, this is what you have to do to fix this error:
1. Install python2.5 ( sudo aptitude install python2.5 )
2. edit file /usr/bin/fail2ban-server , change the very firs line "#!/usr/bin/python" to "#/usr/bin/python2.5"
3. restart fail2ban

When I connect via FTP with a wrong user/passwd this what I get under /var/log/auth.log
Jun 21 21:03:56 server pure-ftpd: pam_unix_auth(pure-ftpd:auth): check pass; user unknown
Jun 21 21:03:56 server pure-ftpd: pam_unix_auth(pure-ftpd:auth): authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=admin rhost=
*** where rhost= should show the ip address of the host. (This is connecting from a computer on my Network **

But, if I go and open /var/log/message log it shows the hosts ip
Jun 21 22:51:07 server pure-ftpd: (?@192.168.10.100) [INFO] New connection from 192.168.10.100
Jun 21 22:51:11 server pure-ftpd: (?@192.168.10.100) [INFO] PAM_RHOST enabled. Getting the peer address
Jun 21 22:51:17 server pure-ftpd: (?@192.168.10.100) [WARNING] Authentication failed for user [admin]

If I connect from a computer oustide ofmy netwotk, this is what I see inside of /var/log/auth.log
Jun 21 20:20:38 server pure-ftpd: pam_unix_auth(pure-ftpd:auth): check pass; user unknown
Jun 21 20:20:38 server pure-ftpd: pam_unix_auth(pure-ftpd:auth): authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=admin rhost=c-68-32-75-137.hsd1.ga.comcast.net
** Where rhost= is showing ( I dont know what you call full host address like that... ) it should display regular ip address, and I guess fail2ban can not parse this address to iptables because its not a regular ip adrress. Am I correct? **
The same host is shown inside of /var/log/messages displaying full host name.

When I connect from localhost, auth.log shows rhost=server.synkrotek.net

Although, people with regular ip address trying to hack my system had regular ip address, and /var/log/messages display their ip, but not under auth.log (rhost)

Why is fail2ban pure-ftpd is able to get full hostname and not their ip address? what do I have to do?

Last edited by danielborene; 22nd June 2009 at 05:54.
Reply With Quote