Jarek Buczyński, 6th July 2007, 23:21

PureFTP logs authentication attempts to /var/log/auth.log for "normal" users AND to /var/log/syslog for virtual users from the database.

I added to jail.local:

Code:
[pureftpd]

enabled  = true
port     = ftp
filter   = pureftpd
logpath  = /var/log/auth.log

maxretry = 3
and

Code:
vi filter.d/pureftpd.conf
Code:
[Definition]
failregex = pure-ftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
ignoreregex =
Code:
/etc/init.d/fail2ban restart
Code:
Chain INPUT (policy ACCEPT 5386 packets, 406K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 fail2ban-pureftpd  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21



Chain fail2ban-pureftpd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      *       192.168.10.12            0.0.0.0/0
    0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0
It works when we try to log in as a fictional user or a system user (auth.log), but it doesn't work when we try to log in as a virtual user (syslog).

Syslog output:

Code:
deb pure-ftpd: (?@comp10.domain.com) [INFO] New connection from comp10.domain.com
deb pure-ftpd: (?@comp10.domain.com) [INFO] Logout.
deb pure-ftpd: (?@comp10.domain.com) [WARNING] Authentication failed for user [user1]
deb pure-ftpd: (?@comp10.domain.com) [INFO] New connection from comp10.domain.com
deb pure-ftpd: (?@comp10.domain.com) [INFO] Logout.
deb pure-ftpd: (?@comp10.domain.com) [WARNING] Authentication failed for user [user1]
....
Do you have any idea how to merge these two logs from auth.log and syslog?



--
Regards

Last edited by Jarek Buczyński; 6th July 2007 at 23:45.
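
Added example, not part of the original post: a Python check that runs the post's failregex over both kinds of log line and shows it never matches the virtual-user failures in syslog, while a second pattern does. Assumptions: `HOST` is a simplified stand-in for fail2ban's `<HOST>` tag, `VIRT_RE` is a hypothetical pattern written for the syslog lines quoted above, and the auth.log line is constructed to fit the post's filter.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption, not its real expansion).
HOST = r"(?P<host>[\w.:-]+)"

# failregex from the post: only PAM failures, which land in auth.log.
PAM_RE = r"pure-ftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>"
# Hypothetical second pattern for the virtual-user lines seen in syslog.
VIRT_RE = r"pure-ftpd: \(.+?@<HOST>\) \[WARNING\] Authentication failed for user"

# Constructed auth.log line shaped to match the post's filter.
AUTH_LOG = [
    "deb pure-ftpd: (pam_unix) authentication failure; logname= uid=0 "
    "euid=0 tty=pure-ftpd ruser=user1 rhost=192.168.10.12",
]
# Syslog lines as quoted in the post.
SYSLOG = [
    "deb pure-ftpd: (?@comp10.domain.com) [INFO] New connection from comp10.domain.com",
    "deb pure-ftpd: (?@comp10.domain.com) [INFO] Logout.",
    "deb pure-ftpd: (?@comp10.domain.com) [WARNING] Authentication failed for user [user1]",
    "deb pure-ftpd: (?@comp10.domain.com) [WARNING] Authentication failed for user [user1]",
]

def count_failures(lines, failregexes):
    """Return {host: failures}, trying each failregex on each line in order."""
    patterns = [re.compile(r.replace("<HOST>", HOST)) for r in failregexes]
    hits = Counter()
    for line in lines:
        for pat in patterns:
            m = pat.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # one failure per line, first matching pattern wins
    return dict(hits)

if __name__ == "__main__":
    both = AUTH_LOG + SYSLOG
    print("post's filter only:", count_failures(both, [PAM_RE]))
    print("with second regex :", count_failures(both, [PAM_RE, VIRT_RE]))
```

The jail in the post reads only /var/log/auth.log, so the second pattern can only count these failures if that jail, or a second one, also watches /var/log/syslog.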