I'm having a bit of a hard time configuring fail2ban to work with PureFTPd myself.
Everything seems to be configured just like in this thread.
/etc/fail2ban/jail.local
Code:
...
[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/messages
maxretry = 3
...
/etc/fail2ban/filter.d/pure-ftpd.conf (without comments)
Code:
__errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'utilisateur)
failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$
ignoreregex =
/var/log/messages
Code:
Sep 7 08:07:45 ispconfig pure-ftpd: (?@93.172.249.100) [INFO] New connection from 93.172.249.100
Sep 7 08:07:46 ispconfig pure-ftpd: (?@93.172.249.100) [INFO] PAM_RHOST enabled. Getting the peer address
Sep 7 08:07:48 ispconfig pure-ftpd: (?@93.172.249.100) [WARNING] Authentication failed for user [admin]
Sep 7 08:07:48 ispconfig pure-ftpd: (?@93.172.249.100) [INFO] New connection from 93.172.249.100
Sep 7 08:07:48 ispconfig pure-ftpd: (?@93.172.249.100) [INFO] PAM_RHOST enabled. Getting the peer address
Sep 7 08:07:51 ispconfig pure-ftpd: (?@93.172.249.100) [WARNING] Authentication failed for user [admin]
Sep 7 08:07:51 ispconfig pure-ftpd: (?@93.172.249.100) [INFO] New connection from 93.172.249.100
Sep 7 08:07:51 ispconfig pure-ftpd: (?@93.172.249.100) [INFO] PAM_RHOST enabled. Getting the peer address
/var/log/fail2ban.log
Code:
2009-09-07 08:06:47,777 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2009-09-07 08:06:47,798 fail2ban.jail : INFO Creating new jail 'pure-ftpd'
2009-09-07 08:06:47,798 fail2ban.jail : INFO Jail 'pure-ftpd' uses poller
2009-09-07 08:06:47,870 fail2ban.filter : INFO Added logfile = /var/log/messages
2009-09-07 08:06:47,871 fail2ban.filter : INFO Set maxRetry = 3
2009-09-07 08:06:47,872 fail2ban.filter : INFO Set findtime = 600
2009-09-07 08:06:47,873 fail2ban.actions: INFO Set banTime = 600
2009-09-07 08:06:47,881 fail2ban.jail : INFO Creating new jail 'ssh'
2009-09-07 08:06:47,882 fail2ban.jail : INFO Jail 'ssh' uses poller
2009-09-07 08:06:47,887 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2009-09-07 08:06:47,887 fail2ban.filter : INFO Set maxRetry = 3
2009-09-07 08:06:47,889 fail2ban.filter : INFO Set findtime = 600
2009-09-07 08:06:47,889 fail2ban.actions: INFO Set banTime = 600
2009-09-07 08:06:47,963 fail2ban.jail : INFO Jail 'pure-ftpd' started
2009-09-07 08:06:48,081 fail2ban.jail : INFO Jail 'ssh' started
iptables -L output:
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-pure-ftpd tcp -- anywhere anywhere multiport dports ftp
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-pure-ftpd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Overall - fail2ban bans SSH but not FTP connection attempts... Bummer
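Added example, not part of the original post and not fail2ban's own code: an offline check of which lines from the posted log excerpt the posted failregex matches, and what it captures as the host. The two `<HOST>` stand-ins and the `ESCAPED` comparison variant are assumptions made for this illustration.

```python
import re

# Lines copied from the /var/log/messages excerpt in the post (one INFO, two failures).
LOG_LINES = [
    "Sep 7 08:07:45 ispconfig pure-ftpd: (?@93.172.249.100) [INFO] New connection from 93.172.249.100",
    "Sep 7 08:07:48 ispconfig pure-ftpd: (?@93.172.249.100) [WARNING] Authentication failed for user [admin]",
    "Sep 7 08:07:51 ispconfig pure-ftpd: (?@93.172.249.100) [WARNING] Authentication failed for user [admin]",
]

# __errmsg and failregex exactly as posted in filter.d/pure-ftpd.conf.
ERRMSG = r"(?:Authentication failed for user|Erreur d'authentification pour l'utilisateur)"
POSTED = r"pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$"
# Comparison variant (not from the post): the log's literal parentheses escaped.
ESCAPED = r"pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$"

# Assumed stand-ins for fail2ban's <HOST> tag; the real expansion depends on the version.
HOST_LOOSE = r"(?P<host>\S+)"                      # any run of non-whitespace
HOST_IPV4 = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"   # dotted-quad only


def compile_failregex(failregex, host_pattern):
    """Expand the %(__errmsg)s interpolation and the <HOST> tag, then compile."""
    expanded = failregex.replace("%(__errmsg)s", ERRMSG).replace("<HOST>", host_pattern)
    return re.compile(expanded)


def failures(failregex, host_pattern, lines=LOG_LINES):
    """Return {captured host: number of matching lines}."""
    rx = compile_failregex(failregex, host_pattern)
    counts = {}
    for line in lines:
        m = rx.search(line)
        if m:
            counts[m.group("host")] = counts.get(m.group("host"), 0) + 1
    return counts


if __name__ == "__main__":
    for name, fr in (("posted", POSTED), ("escaped", ESCAPED)):
        for hname, hp in (("loose", HOST_LOOSE), ("ipv4", HOST_IPV4)):
            print(f"{name:8} {hname:6} -> {failures(fr, hp)}")
```

On the server itself, `fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/pure-ftpd.conf` runs the same kind of check with fail2ban's own date and host handling. Compare the per-host count it reports with `maxretry = 3` from the jail.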