#1  
Old 16th October 2009, 10:45
admins admins is offline
Senior Member
 
Join Date: Apr 2009
Location: Switzerland
Posts: 210
Thanks: 6
Thanked 2 Times in 2 Posts
Default fail2ban pureftp

Hi all

Who has a possibility to add pureftp protection for fail2ban?

thanks
admins
  #2  
Old 16th October 2009, 10:49
damir damir is offline
Senior Member
 
Join Date: Jun 2006
Posts: 375
Thanks: 11
Thanked 51 Times in 42 Posts
Default

Quote:
Originally Posted by admins View Post
Hi all

Who has a possibility to add pureftp protection for fail2ban?

thanks
admins

This is my config that works under Debian Lenny and ISPConfig 3:

/etc/fail2ban/jail.conf

Code:
#
# FTP servers
#

[pure-ftpd]

enabled  = true
port     = ftp
filter   = pure-ftpd
logpath  = /var/log/messages
maxretry = 3

/etc/fail2ban/filter.d/pure-ftpd.conf

This is correct failregex for Debian Lenny:

Code:
failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$

Restart your fail2ban, and now fail2ban and pure-ftpd work as they should.

You can always tweak the maxretry parameter to suit your needs.
The Following 2 Users Say Thank You to damir For This Useful Post:
admins (16th October 2009), Buzzen (21st October 2009)
  #3  
Old 8th February 2010, 15:10
Djamu Djamu is offline
Member
 
Join Date: Sep 2007
Posts: 51
Thanks: 2
Thanked 12 Times in 7 Posts
Default

I stumbled upon this for a "Unable to find a corresponding IP address" issue with fail2ban.

I noticed that there's a typo at the end of your failregex (although yours seems to work fine).

So for completeness, here's the latest official one:

Code:
failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$
__________________
Windows, the only virus you pay for
The Following 2 Users Say Thank You to Djamu For This Useful Post:
falko (9th February 2010), till (9th February 2010)
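
The two failregex variants posted above can be compared offline. This is an added example, not code from the thread or from fail2ban: it expands `<HOST>` and `%(__errmsg)s` by hand and runs both patterns over constructed log lines, one of which ends in a trailing space. The value of `__errmsg`, the IPv4-only host pattern, and the simplified maxretry count (no findtime window) are assumptions.

```python
import re
from collections import Counter

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Assumed value of __errmsg; the thread never shows its definition.
ERRMSG = r"Authentication failed for user"

# The two failregex lines exactly as posted in the thread.
REGEX_POST2 = r"pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$"
REGEX_POST3 = r"pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$"

# Constructed sample lines (documentation IP ranges), not real log data.
# The second entry deliberately ends with a trailing space.
SAMPLE_LOG = [
    "Oct 16 10:41:02 server1 pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [admin]",
    "Oct 16 10:41:05 server1 pure-ftpd[2231]: (?@192.0.2.10) [WARNING] Authentication failed for user [root] ",
    "Oct 16 10:41:09 server1 pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [test]",
    "Oct 16 10:42:00 server1 pure-ftpd: (alice@198.51.100.7) [NOTICE] /site/index.html downloaded",
    "Oct 16 10:42:30 server1 pure-ftpd: (?@198.51.100.7) [INFO] New connection from 198.51.100.7",
]

def expand(failregex, errmsg=ERRMSG):
    """Resolve the %(__errmsg)s interpolation and the <HOST> tag by hand."""
    pattern = failregex.replace("%(__errmsg)s", errmsg).replace("<HOST>", HOST_RE)
    return re.compile(pattern)

def failed_hosts(failregex, lines):
    """Return the host captured from every line the failregex matches."""
    rx = expand(failregex)
    return [m.group("host") for m in map(rx.search, lines) if m]

def would_ban(failregex, lines, maxretry=3):
    """Hosts whose failure count reaches maxretry (time window ignored)."""
    counts = Counter(failed_hosts(failregex, lines))
    return sorted(host for host, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    for name, rx in (("post #2", REGEX_POST2), ("post #3", REGEX_POST3)):
        hits = failed_hosts(rx, SAMPLE_LOG)
        print(f"{name}: {len(hits)} failures, ban list {would_ban(rx, SAMPLE_LOG)}")
```

On a live system, `fail2ban-regex` run against the log file and the filter file performs the same kind of check with fail2ban's own parser.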
  #4  
Old 4th September 2010, 08:07
edge edge is offline
Moderator
 
Join Date: Dec 2005
Location: The Netherlands
Posts: 2,033
Thanks: 260
Thanked 145 Times in 127 Posts
Default

Sorry to bring up this old post, but could someone here please post his "jail.conf" and "jail.local"?
I've deleted my version, and can not get fail2ban to ban anything anymore :-(
__________________
Never execute code written on a Friday or a Monday.
  #5  
Old 5th September 2010, 17:56
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,711
Thanks: 1,899
Thanked 2,702 Times in 2,545 Posts
Default

This is what I have on my ISPConfig 2 server:

jail.conf:

Code:
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
#  for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision: 281 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime  = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]

# Following actions can be chosen as an alternatives to the above action.
# To activate, just copy/paste+uncomment chosen 2 (excluding comments) lines
# into jail.local

# Default action to take: ban & send an e-mail with whois report
# to the destemail.
# action = iptables[name=%(__name__)s, port=%(port)s]
#          mail-whois[name=%(__name__)s, dest=%(destemail)s]

# Default action to take: ban & send an e-mail with whois report
# and relevant log lines to the destemail.
# action = iptables[name=%(__name__)s, port=%(port)s]
#          mail-whois-lines[name=%(__name__)s, dest=%(destemail)s, logpath=%(logpath)s]

# Next jails corresponds to the standard configuration in Fail2ban 0.6
# which was shipped in Debian. Please enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#

[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 6

#
# HTTP servers
#

[apache]

enabled = false
port    = http
filter  = apache-auth
logpath = /var/log/apache*/*access.log
maxretry = 6


[apache-noscript]

enabled = false
port    = http
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

#
# FTP servers
#

[vsftpd]

enabled  = false
port     = ftp
filter   = vsftpd
logpath  = /var/log/auth.log
maxretry = 6


[proftpd]

enabled  = false
port     = ftp
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6


[wuftpd]

enabled  = false
port     = ftp
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 6


#
# Mail servers
#

[postfix]

enabled  = false
port     = smtp
filter   = postfix
logpath  = /var/log/postfix.log


[couriersmtp]

enabled  = false
port     = smtp
filter   = couriersmtp
logpath  = /var/log/mail.log


[sasl]

enabled  = false
port     = smtp
filter   = sasl
logpath  = /var/log/mail.log

jail.local:

Code:
[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime  = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost.localdomain

# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]


[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 5


[apache]

enabled = true
port    = http
filter  = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 5


[apache-noscript]

enabled = false
port    = http
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 5


[vsftpd]

enabled  = false
port     = ftp
filter   = vsftpd
logpath  = /var/log/auth.log
maxretry = 5


[proftpd]

enabled  = true
port     = ftp
filter   = proftpd
logpath  = /var/log/auth.log
failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
maxretry = 5


[wuftpd]

enabled  = false
port     = ftp
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 5


[postfix]

enabled  = false
port     = smtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 5


[courierpop3]

enabled  = false
port     = pop3
filter   = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath  = /var/log/mail.log
maxretry = 5


[courierimap]

enabled  = false
port     = imap2
filter   = courierlogin
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath  = /var/log/mail.log
maxretry = 5


[sasl]

enabled  = false
port     = smtp
filter   = sasl
failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
logpath  = /var/log/mail.log
maxretry = 5
__________________
Falko
The Following User Says Thank You to falko For This Useful Post:
edge (5th September 2010)
  #6  
Old 5th September 2010, 19:12
Hans Hans is offline
Moderator
 
Join Date: Dec 2005
Location: Montfoort, The Netherlands
Posts: 2,256
Thanks: 210
Thanked 648 Times in 294 Posts
Default

@edge,
I see that falko gave you the config files already.

Beware that the configuration for PureFTPd is not in these files. You can add the configuration for PureFTPd as mentioned earlier in this thread.
__________________
Hans

The Following User Says Thank You to Hans For This Useful Post:
edge (5th September 2010)
  #7  
Old 5th September 2010, 19:23
edge edge is offline
Moderator
 
Join Date: Dec 2005
Location: The Netherlands
Posts: 2,033
Thanks: 260
Thanked 145 Times in 127 Posts
Default

Will give it another go later today.

Thank you for the info.
__________________
Never execute code written on a Friday or a Monday.
  #8  
Old 5th September 2010, 19:30
Hans Hans is offline
Moderator
 
Join Date: Dec 2005
Location: Montfoort, The Netherlands
Posts: 2,256
Thanks: 210
Thanked 648 Times in 294 Posts
Default

If you want to start from scratch again with fail2ban, maybe the easiest way is to do:

apt-get remove --purge fail2ban
(this removes fail2ban including the fail2ban config files)
apt-get install fail2ban
(to install it again)
After that, edit the config files as mentioned above.
If you use ISPConfig3 (as I think), also have a look here:
__________________
Hans

  #9  
Old 8th November 2010, 10:29
Toxin Toxin is offline
Junior Member
 
Join Date: Oct 2010
Posts: 11
Thanks: 0
Thanked 1 Time in 1 Post
Default

Hi everyone,

I tried to apply this hint to my Fedora 13 (64) Perfect Server but:

If I add the:

Code:
[pure-ftpd]

enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = pure-ftpd
logpath = /var/log/messages
maxretry = 6

in /etc/fail2ban/jail.conf

When I restart fail2ban [service fail2ban restart]
it fails; if I remove the added rules it works fine.

Can someone help to add Fail2Ban on pure-ftpd on Fedora?
I'm getting bored of having huge logs of login tries with unknown users.

Thanks
  #10  
Old 8th November 2010, 11:51
edge edge is offline
Moderator
 
Join Date: Dec 2005
Location: The Netherlands
Posts: 2,033
Thanks: 260
Thanked 145 Times in 127 Posts
 
Default

As a wise man is always saying here:
What does the logfile (in this case fail2ban.log) say?
__________________
Never execute code written on a Friday or a Monday.