I'm running ISPConfig 126.96.36.199, on Ubuntu 10.04, with pure-ftpd-mysql.
My goal is to render fail2ban effective for FTP, sFTP (over SSH), and FTPs (over SSL or TLS).
It seems that the "ssh" fail2ban jail will handle sFTP, but that pure-ftpd-mysql must handle FTP and FTPs (both over port 21).
fail2ban comes with a pure-ftpd jail, but I haven't been using it because up until recently, I thought that pure-ftpd-mysql was logging failed authentication attempts to /var/log/auth.log (which it wasn't -- at least not directly), so I created my own jail and filter that were -mysql-specific. (More on this in a moment.)
It bears mention that pure-ftpd-mysql is a bit different from the standard pure-ftpd implementation because it uses virtual user mapping via MySQL. Most individuals who have followed the "Perfect Server" tutorials for Ubuntu and Debian (and possibly other OSs) will have this variation of pureFTPd.
In particular, the primary difference I've noticed with pure-ftpd-mysql vs. a "stock" pureFTPd configuration is that pure-ftpd-mysql does not log failed authentication attempts (or anything else, it would seem) to /var/log/messages. I don't know whether I failed to enable a given setting or if this behavior is by design.
pure-ftpd-mysql does, however, log authentication failures to /var/log/syslog.
The secondary difference I've noticed is that this version of pureFTPd stores its configuration options in individual files within the /etc/pure-ftpd/conf directory. Virtually all of the documentation on pureFTPd states that configuration options must be passed as command-line arguments, or an equivalent wrapper must be used with configuration files. So, I assume that there is a wrapper for these configuration files.
I've read through this thread (and many others like it) in an effort to configure fail2ban to respond to a certain type of attack in which the hostname does not resolve to a valid IP address. I have described the details of such attacks in the fail2ban mailing list archives: http://sourceforge.net/mailarchive/f...fail2ban-users
After seeing my logs flooded with
fail2ban.filter : WARNING Unable to find a corresponding IP address for
I thought, "Well, that's easy. I'll just force pure-ftpd-mysql to log IP addresses only and not hostnames." Of course, I was looking in /var/log/auth.log because I had seen pure-ftpd-mysql messages there before. As it turns out, the messages in this log seem to be generated by PAM, during pure-ftpd-mysql's authentication process, and so the presence of /etc/pure-ftpd/conf/DontResolve was having no effect on these log entries. (However, this directive was affecting the log entries in /var/log/syslog, but I didn't realize that at the time.)
To bring this full-circle, it seems that the ideal solution is to use the pure-ftpd jail that comes with fail2ban, and point it to /var/log/syslog. The problem here is that the provided regex (which has been corrected since the comments just before mine in this thread were made) does not seem to match the entries in /var/log/syslog.
To demonstrate, we can use fail2ban's regex facility. The log entries look like this:
Jan 4 17:34:29 localhost pure-ftpd: (?@188.8.131.52) [INFO] New connection from 184.108.40.206
Jan 4 17:34:29 localhost pure-ftpd: (?@220.127.116.11) [INFO] PAM_RHOST enabled. Getting the peer address
Jan 4 17:34:36 localhost pure-ftpd: (?@18.104.22.168) [WARNING] Authentication failed for user [test]
Jan 4 17:34:36 localhost pure-ftpd: (?@22.214.171.124) [INFO] Logout.
and the regex that is included with fail2ban looks like this:
pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$
It seems that we'd need to replace the __errmsg variable with the string that's assigned to it in /etc/fail2ban/filter.d/pure-ftpd.conf, and reduce the 4-line log entry to a single line, before running the arguments through fail2ban-regex:
root@localhost:~# fail2ban-regex "Jan 4 17:34:29 localhost pure-ftpd: (?@126.96.36.199) [INFO] New connection from 188.8.131.52 Jan 4 17:34:29 localhost pure-ftpd: (?@184.108.40.206) [INFO] PAM_RHOST enabled. Getting the peer address Jan 4 17:34:36 localhost pure-ftpd: (?@220.127.116.11) [WARNING] Authentication failed for user [test] Jan 4 17:34:36 localhost pure-ftpd: (?@18.104.22.168) [INFO] Logout." "pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(Authentication failed for user)s \[.+\]\s*$"
Unfortunately, this yields no matches:
Use regex line : pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] ...
Use single line: Jan 4 17:34:29 localhost pure-ftpd: (?@22.214.171.124) [...
|- Regular expressions:
|  pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(Authentication failed for user)s \[.+\]\s*$
`- Number of matches:
 0 match(es)
|- Regular expressions:
`- Number of matches:
Sorry, no match
Look at the above section 'Running tests' which could contain important
I'm no expert in PCRE, so if anyone knows what I might be missing here, please chime in!
I think that covers everything. My mention of this problem on the fail2ban mailing list has generated a longer discussion as to whether or not fail2ban should perform any hostname lookups; the argument goes that doing so provides a potential attack vector. So, this seems to be a problem worthy of the attention of everyone who uses pure-ftpd-mysql and fail2ban.
Thanks in advance!
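As an added example (not from the post above and not fail2ban's own code), the script below reproduces how fail2ban compiles the pure-ftpd failregex and runs it over constructed syslog lines modelled on the ones quoted in the post. It assumes the `<HOST>` substitution used by fail2ban 0.8 and the `__errmsg` value the post names; it shows that leaving the `%(__errmsg)s` placeholder in the pattern literally, or joining the four lines into one, gives no match, and that an IP-only `<HOST>` pattern keeps hostname entries away from fail2ban's DNS lookup path.

```python
import re

# fail2ban replaces <HOST> with this named group before compiling a failregex
# (the IPv4/hostname form of fail2ban 0.8; assumed for this example).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Stricter alternative: only dotted-quad addresses, so a hostname never
# reaches fail2ban's DNS lookup path (pairs with DontResolve on the server).
IPV4_HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The __errmsg value the post substitutes for the filter's placeholder.
ERRMSG = "Authentication failed for user"

# Constructed syslog lines modelled on the ones quoted in the post.
SYSLOG_LINES = [
    "Jan 4 17:34:29 localhost pure-ftpd: (?@198.51.100.7) [INFO] New connection from 198.51.100.7",
    "Jan 4 17:34:29 localhost pure-ftpd: (?@198.51.100.7) [INFO] PAM_RHOST enabled. Getting the peer address",
    "Jan 4 17:34:36 localhost pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [test]",
    "Jan 4 17:34:36 localhost pure-ftpd: (?@198.51.100.7) [INFO] Logout.",
]
# Constructed line as logged when pure-ftpd resolves the peer to a hostname.
HOSTNAME_LINE = "Jan 4 17:40:01 localhost pure-ftpd: (?@host.invalid) [WARNING] Authentication failed for user [test]"


def build_failregex(errmsg, host_re=HOST_RE, interpolate=True):
    """Compile the pure-ftpd failregex the way fail2ban does."""
    template = r"pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$"
    if interpolate:
        template = template % {"__errmsg": errmsg}   # ConfigParser-style expansion
    else:
        # Keep a literal %(...)s, reproducing the hand-edited regex in the post.
        template = template.replace("%(__errmsg)s", "%(" + errmsg + ")s")
    return re.compile(template.replace("<HOST>", host_re))


def find_failures(lines, regex):
    """Apply the filter to each log line separately, as fail2ban reads a log."""
    hits = []
    for line in lines:
        m = regex.search(line)
        if m:
            hits.append(m.group("host"))
    return hits


if __name__ == "__main__":
    print("per line, interpolated:", find_failures(SYSLOG_LINES, build_failregex(ERRMSG)))
    print("per line, literal %(..)s:", find_failures(SYSLOG_LINES, build_failregex(ERRMSG, interpolate=False)))
    print("four lines joined:", find_failures([" ".join(SYSLOG_LINES)], build_failregex(ERRMSG)))
    print("hostname, default <HOST>:", find_failures([HOSTNAME_LINE], build_failregex(ERRMSG)))
    print("hostname, IPv4-only <HOST>:", find_failures([HOSTNAME_LINE], build_failregex(ERRMSG, host_re=IPV4_HOST_RE)))
```

Only the per-line, interpolated run returns the offending address; the joined input fails because `\[.+\]\s*$` must sit at the end of a single line.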