HowtoForge Forums - ISPConfig 3 - General
#11 - danielborene - 22nd June 2009, 14:00

Quote, originally posted by till:
Not all IP addresses have a reverse DNS record, so you often do not get a hostname for an IP; that's absolutely normal. If there is a reverse record, like in your test case, then the hostname and not the IP is logged. If you want only IP addresses in the log, then enable the DontResolve option in your pureftpd configuration.
I have enabled DontResolve, and the problem persists: under auth.log no IP address at all is shown for "rhost".
Under /var/log/messages, which used to show the DNS name as well, the IP address is now shown.

So pure-ftpd is able to post the IP address under log messages, but not under auth.log.
Why?

Last edited by danielborene; 22nd June 2009 at 14:16.
#12 - danielborene - 24th June 2009, 06:42

I finally found out what was wrong with it...
My server is based on this howto:
The Perfect Server - Ubuntu 9.04 [ISPConfig 3]
http://www.howtoforge.com/perfect-se...04-ispconfig-3

I don't know why, but all the information I found online about making pure-ftpd work with fail2ban says to read the log /var/log/auth.log. I don't know if other distributions use auth.log... but after analyzing /etc/fail2ban/filter.d/pure-ftpd.conf and the log files... auth.log is not the right file. I switched to /var/log/messages.
It's working now.
So my jail.local pure-ftpd section looks like this:
...
[pure-ftpd]

enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/messages
maxretry = 3
....

I also had to enable DontResolve to get IP only, no DNS, under /etc/pure-ftpd/conf/:
create a file called DontResolve, edit it, and type yes on the first line.

Thanks for all your help, Till.
#13 - rayne127 - 6th September 2009, 22:04

I hate to bring up an old topic... but I'm having a similar issue with fail2ban and pure-ftpd.

I set up my server following the directions here (The Perfect Server - Fedora 10) only on Fedora 11.

I have been searching for a way to get fail2ban to work with pure-ftpd, and none of the solutions work. I've edited my jail.conf file to include

Code:
[pure-ftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3
and when I try to restart fail2ban, it fails to start. However, it starts just fine when I comment out the pure-ftpd settings. I've tried everything I could think of to get it to work, yet I'm not able to find anything to get it going.

Any help would be great!
#14 - falko - 7th September 2009, 13:06

Is there a pure-ftpd filter in /etc/fail2ban/filter.d/?
#15 - autogun - 7th September 2009, 14:27

I'm having a bit of a hard time configuring fail2ban to work with PureFTPd myself.

Everything seems to be configured just like in this thread.

/etc/fail2ban/jail.local
Code:
...
[pure-ftpd]

enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/messages
maxretry = 3
...
/etc/fail2ban/filter.d/pure-ftpd.conf (without comments)
Code:
__errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'utilisateur)
failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$
ignoreregex =
/var/log/messages
Code:
Sep  7 08:07:45 ispconfig pure-ftpd: (?@93.172.249.100) [INFO] New connection from 93.172.249.100
Sep  7 08:07:46 ispconfig pure-ftpd: (?@93.172.249.100) [INFO] PAM_RHOST enabled. Getting the peer address
Sep  7 08:07:48 ispconfig pure-ftpd: (?@93.172.249.100) [WARNING] Authentication failed for user [admin]
Sep  7 08:07:48 ispconfig pure-ftpd: (?@93.172.249.100) [INFO] New connection from 93.172.249.100
Sep  7 08:07:48 ispconfig pure-ftpd: (?@93.172.249.100) [INFO] PAM_RHOST enabled. Getting the peer address
Sep  7 08:07:51 ispconfig pure-ftpd: (?@93.172.249.100) [WARNING] Authentication failed for user [admin]
Sep  7 08:07:51 ispconfig pure-ftpd: (?@93.172.249.100) [INFO] New connection from 93.172.249.100
Sep  7 08:07:51 ispconfig pure-ftpd: (?@93.172.249.100) [INFO] PAM_RHOST enabled. Getting the peer address
/var/log/fail2ban.log
Code:
2009-09-07 08:06:47,777 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2009-09-07 08:06:47,798 fail2ban.jail   : INFO   Creating new jail 'pure-ftpd'
2009-09-07 08:06:47,798 fail2ban.jail   : INFO   Jail 'pure-ftpd' uses poller
2009-09-07 08:06:47,870 fail2ban.filter : INFO   Added logfile = /var/log/messages
2009-09-07 08:06:47,871 fail2ban.filter : INFO   Set maxRetry = 3
2009-09-07 08:06:47,872 fail2ban.filter : INFO   Set findtime = 600
2009-09-07 08:06:47,873 fail2ban.actions: INFO   Set banTime = 600
2009-09-07 08:06:47,881 fail2ban.jail   : INFO   Creating new jail 'ssh'
2009-09-07 08:06:47,882 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2009-09-07 08:06:47,887 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2009-09-07 08:06:47,887 fail2ban.filter : INFO   Set maxRetry = 3
2009-09-07 08:06:47,889 fail2ban.filter : INFO   Set findtime = 600
2009-09-07 08:06:47,889 fail2ban.actions: INFO   Set banTime = 600
2009-09-07 08:06:47,963 fail2ban.jail   : INFO   Jail 'pure-ftpd' started
2009-09-07 08:06:48,081 fail2ban.jail   : INFO   Jail 'ssh' started
iptables -L output:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  anywhere             anywhere            multiport dports ssh
fail2ban-pure-ftpd  tcp  --  anywhere             anywhere            multiport dports ftp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-pure-ftpd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
Overall - fail2ban bans SSH but not FTP connection attempts... Bummer
#16 - rayne127 - 7th September 2009, 16:26

Yes, there is a pure-ftpd filter in filter.d, and it's set up just like the previous post has it.

I don't get any errors in my error log to show, since fail2ban will not even start when I try using the pure-ftpd filter.
#17 - falko - 8th September 2009, 13:53

Can you post your full /etc/fail2ban/jail.local?
#18 - jysse - 9th September 2009, 11:30

Here is how I managed to make this work.
Debian Lenny, ISPConfig3

If I understood correctly, there was an error in Debian's pure-ftpd filter. The correct line in /etc/fail2ban/filter.d/pure-ftpd.conf should be:
failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$

Here are my jail.conf lines for pure-ftpd:

[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/messages
maxretry = 2

Hope this helps !

jysse
#19 - autogun - 9th September 2009, 12:04

Thank you so much, jysse!

I've changed my original line from -
Code:
failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$
to yours -
Code:
failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$
Works like a charm =D

Code:
2009-09-09 06:01:33,551 fail2ban.actions: WARNING [pure-ftpd] Ban XX.XXX.249.100
#20 - cbj4074 - 5th January 2012, 14:31
Sorry to resurrect an old thread...

Hello, everyone,

I'm running ISPConfig 3.0.4.1, on Ubuntu 10.04, with pure-ftpd-mysql.

My goal is to render fail2ban effective for FTP, sFTP (over SSH), and FTPs (over SSL or TLS).

It seems that the "ssh" fail2ban jail will handle sFTP, but that pure-ftpd-mysql must handle FTP and FTPs (both over port 21).

fail2ban comes with a pure-ftpd jail, but I haven't been using it because up until recently, I thought that pure-ftpd-mysql was logging failed authentication attempts to /var/log/auth.log (which it wasn't -- at least not directly), so I created my own jail and filter that were -mysql-specific. (More on this in a moment.)

It bears mention that pure-ftpd-mysql is a bit different from the standard pure-ftpd implementation because it uses virtual user mapping via MySQL. Most individuals who have followed the "Perfect Server" tutorials for Ubuntu and Debian (and possibly other OSs) will have this variation of pureFTPd.

In particular, the primary difference I've noticed with pure-ftpd-mysql vs. a "stock" pureFTPd configuration is that pure-ftpd-mysql does not log failed authentication attempts (or anything else, it would seem) to /var/log/messages. I don't know whether I failed to enable a given setting or if this behavior is by design.

pure-ftpd-mysql does, however, log authentication failures to /var/log/syslog.

The secondary difference I've noticed is that this version of pureFTPd stores its configuration options in individual files within the /etc/pure-ftpd/conf directory. Virtually all of the documentation on pureFTPd states that configuration options must be passed as command-line arguments, or an equivalent wrapper must be used with configuration files. So, I assume that there is a wrapper for these configuration files.

I've read through this thread (and many others like it) in an effort to configure fail2ban to respond to a certain type of attack in which the hostname does not resolve to a valid IP address. I have described the details of such attacks in the fail2ban mailing list archives: http://sourceforge.net/mailarchive/f...fail2ban-users

After seeing my logs flooded with

Code:
fail2ban.filter : WARNING Unable to find a corresponding IP address for
example.com
I thought, "Well, that's easy. I'll just force pure-ftpd-mysql to log IP addresses only and not hostnames." Of course, I was looking in /var/log/auth.log because I had seen pure-ftpd-mysql messages there before. As it turns out, the messages in this log seem to be generated by PAM, during pure-ftpd-mysql's authentication process, and so the presence of /etc/pure-ftpd/conf/DontResolve was having no effect on these log entries. (However, this directive was affecting the log entries in /var/log/syslog, but I didn't realize that at the time.)

To bring this full-circle, it seems that the ideal solution is to use the pure-ftpd jail that comes with fail2ban, and point it to /var/log/syslog. The problem here is that the provided regex (which has been corrected since the comments just before mine in this thread were made) does not seem to match the entries in /var/log/syslog.

To demonstrate, we can use fail2ban's regex facility. The log entries look like this:

Code:
Jan  4 17:34:29 localhost pure-ftpd: (?@1.2.3.4) [INFO] New connection from 1.2.3.4
Jan  4 17:34:29 localhost pure-ftpd: (?@1.2.3.4) [INFO] PAM_RHOST enabled. Getting the peer address
Jan  4 17:34:36 localhost pure-ftpd: (?@1.2.3.4) [WARNING] Authentication failed for user [test]
Jan  4 17:34:36 localhost pure-ftpd: (?@1.2.3.4) [INFO] Logout.
and the regex that is included with fail2ban looks like this:

Code:
pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$
It seems that we'd need to replace the __errmsg variable with the string that's assigned to it in /etc/fail2ban/filter.d/pure-ftpd.conf, and reduce the 4-line log entry to a single line, before running the arguments through fail2ban-regex, e.g.:

Code:
root@localhost:~# fail2ban-regex "Jan  4 17:34:29 localhost pure-ftpd: (?@1.2.4.3) [INFO] New connection from 1.2.4.3 Jan  4 17:34:29 localhost pure-ftpd: (?@1.2.4.3) [INFO] PAM_RHOST enabled. Getting the peer address Jan  4 17:34:36 localhost pure-ftpd: (?@1.2.4.3) [WARNING] Authentication failed for user [test] Jan  4 17:34:36 localhost pure-ftpd: (?@1.2.4.3) [INFO] Logout." "pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(Authentication failed for user)s \[.+\]\s*$"
Unfortunately, this yields no matches:

Code:
Running tests
=============

Use regex line : pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] ...
Use single line: Jan  4 17:34:29 localhost pure-ftpd: (?@1.2.4.3) [...


Results
=======

Failregex
|- Regular expressions:
|  [1] pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(Authentication failed for user)s \[.+\]\s*$
|
`- Number of matches:
   [1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.
I'm no expert in PCRE, so if anyone knows what I might be missing here, please chime in!

I think that covers everything. My mention of this problem on the fail2ban mailing list has generated a longer discussion as to whether or not fail2ban should perform any hostname lookups; the argument goes that doing so provides a potential attack vector. So, this seems to be a problem worthy of everyone's attention who uses pure-ftpd-mysql and fail2ban.

Thanks in advance!

Last edited by cbj4074; 5th January 2012 at 14:33.
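Added example, not from the thread, from Debian or from fail2ban itself: a small Python harness that does the two expansions fail2ban performs before compiling a filter (interpolating %(__errmsg)s from the filter file, then substituting <HOST>) and runs Debian's original failregex, jysse's corrected one, and the hand-expanded pattern from the fail2ban-regex call in the post above against the syslog lines quoted there. The <HOST> expansion used here is an approximation of fail2ban 0.8's and is an assumption.

```python
import re

# Syslog lines quoted in the post above (constructed sample, not a live capture).
SAMPLE_LOG = [
    "Jan  4 17:34:29 localhost pure-ftpd: (?@1.2.3.4) [INFO] New connection from 1.2.3.4",
    "Jan  4 17:34:29 localhost pure-ftpd: (?@1.2.3.4) [INFO] PAM_RHOST enabled. Getting the peer address",
    "Jan  4 17:34:36 localhost pure-ftpd: (?@1.2.3.4) [WARNING] Authentication failed for user [test]",
    "Jan  4 17:34:36 localhost pure-ftpd: (?@1.2.3.4) [INFO] Logout.",
]

# __errmsg exactly as defined in /etc/fail2ban/filter.d/pure-ftpd.conf earlier in the thread.
ERRMSG = r"(?:Authentication failed for user|Erreur d'authentification pour l'utilisateur)"

# Debian's original failregex (unescaped parentheses) and jysse's corrected one.
FAILREGEX_BROKEN = r"pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$"
FAILREGEX_FIXED = r"pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$"

# The pattern handed to fail2ban-regex in the post: the %(...)s wrapper was kept
# around the literal message, so the regex engine sees a literal '%', a capture
# group and a literal 's' instead of the message text itself.
FAILREGEX_HAND_EXPANDED = (
    r"pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] "
    r"%(Authentication failed for user)s \[.+\]\s*$"
)

# Assumption: approximation of the pattern fail2ban 0.8 substitutes for <HOST>.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"


def expand(failregex):
    """Mimic fail2ban: interpolate %(__errmsg)s from the filter file, then <HOST>."""
    return failregex.replace("%(__errmsg)s", ERRMSG).replace("<HOST>", HOST_PATTERN)


def matching_hosts(failregex, lines):
    """Hosts captured for every matching line, i.e. what fail2ban counts towards maxretry."""
    pattern = re.compile(expand(failregex))
    hosts = []
    for line in lines:
        match = pattern.search(line)
        if match:
            hosts.append(match.group("host"))
    return hosts


if __name__ == "__main__":
    for name, regex in [("broken", FAILREGEX_BROKEN), ("fixed", FAILREGEX_FIXED),
                        ("hand-expanded", FAILREGEX_HAND_EXPANDED)]:
        print(f"{name:14s} -> {matching_hosts(regex, SAMPLE_LOG)}")
```

Only the corrected filter yields a host (1.2.3.4) for the [WARNING] line; the Debian line fails because the literal parentheses around ?@1.2.3.4 are unescaped, and the hand-expanded line fails because the %(...)s wrapper is not regex syntax, so fail2ban-regex should be given the filter file (or the fully substituted message text) rather than that string.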