#15
7th September 2009, 14:27
autogun

I'm having a bit of a hard time configuring fail2ban to work with PureFTPd myself.

Everything seems to be configured just like in this thread.

/etc/fail2ban/jail.local
Code:
...
[pure-ftpd]

enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/messages
maxretry = 3
...

/etc/fail2ban/filter.d/pure-ftpd.conf (without comments)
Code:
__errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'utilisateur)
failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$
ignoreregex =

/var/log/messages
Code:
Sep  7 08:07:45 ispconfig pure-ftpd: (?@93.172.249.100) [INFO] New connection from 93.172.249.100
Sep  7 08:07:46 ispconfig pure-ftpd: (?@93.172.249.100) [INFO] PAM_RHOST enabled. Getting the peer address
Sep  7 08:07:48 ispconfig pure-ftpd: (?@93.172.249.100) [WARNING] Authentication failed for user [admin]
Sep  7 08:07:48 ispconfig pure-ftpd: (?@93.172.249.100) [INFO] New connection from 93.172.249.100
Sep  7 08:07:48 ispconfig pure-ftpd: (?@93.172.249.100) [INFO] PAM_RHOST enabled. Getting the peer address
Sep  7 08:07:51 ispconfig pure-ftpd: (?@93.172.249.100) [WARNING] Authentication failed for user [admin]
Sep  7 08:07:51 ispconfig pure-ftpd: (?@93.172.249.100) [INFO] New connection from 93.172.249.100
Sep  7 08:07:51 ispconfig pure-ftpd: (?@93.172.249.100) [INFO] PAM_RHOST enabled. Getting the peer address

/var/log/fail2ban.log
Code:
2009-09-07 08:06:47,777 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2009-09-07 08:06:47,798 fail2ban.jail   : INFO   Creating new jail 'pure-ftpd'
2009-09-07 08:06:47,798 fail2ban.jail   : INFO   Jail 'pure-ftpd' uses poller
2009-09-07 08:06:47,870 fail2ban.filter : INFO   Added logfile = /var/log/messages
2009-09-07 08:06:47,871 fail2ban.filter : INFO   Set maxRetry = 3
2009-09-07 08:06:47,872 fail2ban.filter : INFO   Set findtime = 600
2009-09-07 08:06:47,873 fail2ban.actions: INFO   Set banTime = 600
2009-09-07 08:06:47,881 fail2ban.jail   : INFO   Creating new jail 'ssh'
2009-09-07 08:06:47,882 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2009-09-07 08:06:47,887 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2009-09-07 08:06:47,887 fail2ban.filter : INFO   Set maxRetry = 3
2009-09-07 08:06:47,889 fail2ban.filter : INFO   Set findtime = 600
2009-09-07 08:06:47,889 fail2ban.actions: INFO   Set banTime = 600
2009-09-07 08:06:47,963 fail2ban.jail   : INFO   Jail 'pure-ftpd' started
2009-09-07 08:06:48,081 fail2ban.jail   : INFO   Jail 'ssh' started

iptables -L output:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  anywhere             anywhere            multiport dports ssh
fail2ban-pure-ftpd  tcp  --  anywhere             anywhere            multiport dports ftp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-pure-ftpd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Overall - fail2ban bans SSH but not FTP connection attempts... Bummer
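
An added check, not part of the original post: the script below runs the failregex exactly as posted, plus a comparison variant with the parentheses escaped, over lines copied from the posted /var/log/messages excerpt, and reports which captured hosts are usable IP addresses. The `<HOST>` expansion and the escaped variant are assumptions added here, not taken from the thread.

```python
import ipaddress
import re

# Assumption: stand-in for fail2ban's <HOST> tag; the real expansion varies by version.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"
ERRMSG = r"(?:Authentication failed for user|Erreur d'authentification pour l'utilisateur)"

# failregex exactly as posted: the parentheses around .+?@<HOST> form a regex group.
POSTED = r"pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$"
# Comparison variant (not from the thread): parentheses escaped to match literal "(" and ")".
ESCAPED = r"pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$"

# Lines copied from the /var/log/messages excerpt in the post.
LOG = """\
Sep  7 08:07:45 ispconfig pure-ftpd: (?@93.172.249.100) [INFO] New connection from 93.172.249.100
Sep  7 08:07:48 ispconfig pure-ftpd: (?@93.172.249.100) [WARNING] Authentication failed for user [admin]
Sep  7 08:07:51 ispconfig pure-ftpd: (?@93.172.249.100) [WARNING] Authentication failed for user [admin]
""".splitlines()


def expand(failregex):
    """Substitute the filter's %(__errmsg)s interpolation and the <HOST> tag."""
    return re.compile(failregex.replace("%(__errmsg)s", ERRMSG).replace("<HOST>", HOST))


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def bannable_hosts(failregex, lines):
    """Return (captured hosts, captured hosts that are valid IP addresses)."""
    rx = expand(failregex)
    captured = [m.group("host") for m in map(rx.search, lines) if m]
    return captured, [h for h in captured if is_ip(h)]


if __name__ == "__main__":
    for name, rx in (("posted", POSTED), ("escaped", ESCAPED)):
        captured, usable = bannable_hosts(rx, LOG)
        print(f"{name:8} captured={captured} usable={usable}")
```

On the server itself, `fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/pure-ftpd.conf` runs the installed filter file against the real log and reports how many lines matched.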