Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > Linux Forums > HOWTO-Related Questions
Reload this Page Preventing Brute Force Attacks With Fail2ban On Debian Etch
Register FAQ Members List Social Groups Calendar Search Today's Posts Mark Forums Read

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 4th July 2007, 00:08
Jarek Buczyński Jarek Buczyński is offline
Junior Member
  
Join Date: Jun 2007
Posts: 8
Thanks: 1
Thanked 0 Times in 0 Posts
Default Preventing Brute Force Attacks With Fail2ban On Debian Etch
Hello,

I've installed PureFTP with MySQL authentication.

How configure fail2ban to work with this FTP Server? Default configuration doesn't support this server.

--
Regards,
Jarek
Reply With Quote
Sponsored Links
  #2  
Old 4th July 2007, 16:02
falko falko is offline
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,665
Thanks: 1,896
Thanked 2,593 Times in 2,444 Posts
Default
Find out in which file PureFTPd logs authentication attempts, and then try to adjust /etc/fail2ban/jail.local.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
  #3  
Old 6th July 2007, 23:21
Jarek Buczyński Jarek Buczyński is offline
Junior Member
  
Join Date: Jun 2007
Posts: 8
Thanks: 1
Thanked 0 Times in 0 Posts
Default
PureFTP logs authentication attempts to /var/log/auth.log for "normal" users AND for virtual users from database to /var/log/syslog

I added to jail.local:

Code:
[pureftpd]

enabled  = true
port     = ftp
filter   = pureftpd
logpath  = /var/log/auth.log

maxretry = 3
and

Code:
vi filter.d/pureftpd.conf
Code:
[Definition]
failregex = pure-ftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
ignoreregex =
Code:
/etc/init.d/fail2ban restart
Code:
Chain INPUT (policy ACCEPT 5386 packets, 406K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 fail2ban-pureftpd  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21



Chain fail2ban-pureftpd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      *       192.168.10.12            0.0.0.0/0
    0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0
It works when we will tray login as fictional user and system user (auth.log), but doesn't work when we will tray login as virtual user (syslog)?

Syslog output:

Code:
deb pure-ftpd: (?@comp10.domain.com) [INFO] New connection from comp10.domain.com
deb pure-ftpd: (?@comp10.domain.com) [INFO] Logout.
deb pure-ftpd: (?@comp10.domain.com) [WARNING] Authentication failed for user [user1]
deb pure-ftpd: (?@comp10.domain.com) [INFO] New connection from comp10.domain.com
deb pure-ftpd: (?@comp10.domain.com) [INFO] Logout.
deb pure-ftpd: (?@comp10.domain.com) [WARNING] Authentication failed for user [user1]
....
Do you have any idea how marge this two logs from auth.log and syslog?



--
Regards
Last edited by Jarek Buczyński; 6th July 2007 at 23:45.
Reply With Quote
  #4  
Old 26th July 2007, 02:57
seufert seufert is offline
Junior Member
  
Join Date: Jul 2007
Posts: 1
Thanks: 0
Thanked 1 Time in 1 Post
Default
Yer i got it working by using syslog for all failed passwords, rather than auth.log

Code:
[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
gnoreregex =
works a treat.

On Debian (etch) you will have to do this, for it to work (or at least i seemed to have to)
Code:
echo "yes" > /etc/pure-ftpd/conf/DontResolve
/etc/init.d/pure-ftpd-mysql restart
Reply With Quote
The Following User Says Thank You to seufert For This Useful Post:
Jarek Buczyński (3rd August 2007)
  #5  
Old 3rd August 2007, 19:24
Jarek Buczyński Jarek Buczyński is offline
Junior Member
  
Join Date: Jun 2007
Posts: 8
Thanks: 1
Thanked 0 Times in 0 Posts
Default
Hi,

Thank you seufert, now works well, even without:

Code:
echo "yes" > /etc/pure-ftpd/conf/DontResolve
thanks

--
Regards
Jarek
Reply With Quote
  #6  
Old 10th August 2007, 18:12
nzimas nzimas is offline
Member
  
Join Date: May 2007
Posts: 46
Thanks: 0
Thanked 0 Times in 0 Posts
Default fail2ban not blocking
I have followed the minihowto on fail2ban, the daemon seems to be running just fine. However, upon several purposeful brute force logins on SSH from a non-white listed IP, i did not get blocked.

Here's what tail shows:

Code:
e82-103-142-216s:~# tail -f /var/log/fail2ban.log
2007-08-10 17:57:58,810 fail2ban.filter : INFO   Set ignoreregex =
2007-08-10 17:57:58,818 fail2ban.actions.action: INFO   Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2007-08-10 17:57:58,822 fail2ban.actions.action: INFO   Set actionStop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2007-08-10 17:57:58,826 fail2ban.actions.action: INFO   Set actionStart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
2007-08-10 17:57:58,830 fail2ban.actions.action: INFO   Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
2007-08-10 17:57:58,834 fail2ban.actions.action: INFO   Set actionCheck = iptables -L INPUT | grep -q fail2ban-<name>
Anything missing in my config?

Shall i set iptables 1st?

Regards,
Nuno.
Reply With Quote
  #7  
Old 10th August 2007, 19:23
Jarek Buczyński Jarek Buczyński is offline
Junior Member
  
Join Date: Jun 2007
Posts: 8
Thanks: 1
Thanked 0 Times in 0 Posts
Default
Hi,

It isn't important you have iptables configured or no. Fail2ban adds its own rules make own chains. If you have firewall or don't have it should work.

Look once again at config:

Code:
FAIL - jail.local:
[pureftpd]
enabled  = true
port     = ftp
filter   = pureftpd
logpath  = /var/log/auth.log
maxretry = 3

FAIL - filter.d/pureftpd.conf:
[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
gnoreregex =


/etc/init.d/fail2ban restart
Should work
Reply With Quote
Reply

Bookmarks

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Hybrid Mode Hybrid Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Debian Etch (Debian 4.0) apache2 file needed Dekalb Installation/Configuration 3 1st June 2007 23:40
sshD brute force attacks: pam_abl to prevent Pasco Installation/Configuration 4 3rd May 2007 13:34
Bind Failed christoph2k HOWTO-Related Questions 4 28th April 2007 00:57
Pls Help - Problem installing OpenVZ with Debian Etch. joelee HOWTO-Related Questions 3 14th January 2007 18:37
e-mail problem!!! Debian 3.1 maroonworks Installation/Configuration 18 6th December 2005 14:42


All times are GMT +2. The time now is 21:44.

Contact Us - HowtoForge - Linux Howtos and Tutorials - Archive - Top

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2013, vBulletin Solutions, Inc.