#21
5th January 2012, 14:39
till (Super Moderator, joined Apr 2005, Lüneburg, Germany)

I tested the fail2ban setup that is described in the perfect setup guide for debian 6 on my test server here and it blocked the pure-ftpd-mysql login attempts correctly in my tests:

http://www.howtoforge.com/perfect-se...ispconfig-3-p5

Maybe you enabled debugging in pure-ftpd which changes the log style or something similar?
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

Last edited by till; 5th January 2012 at 14:41.
#22
5th January 2012, 17:29
cbj4074 (Senior Member, joined Nov 2010)

I wish I had seen that link earlier. Thanks for pointing me in the right direction, Till.

The cited tutorial contains the correct information regarding the log location (/var/log/syslog), which is good to see.

However, when I change my fail2ban configuration to match that in the tutorial, I'm never banned in my tests.

I have not changed the pure-ftpd configuration or logging options, for what that's worth.

I tried passing the sample log line and regex from the tutorial to fail2ban-regex, and a match is found, so I'm not sure why I'm never banned. I have made sure that my IP address is not white-listed in the fail2ban configuration.

With fail2ban's loglevel = 3, nothing is logged when I repeatedly fail authentication. The maxretry threshold is set to 3, and I've tried dozens of times -- still nothing.

If I set fail2ban's loglevel = 4, there is simply too much output for me to sort out the log entries.

Is this a question for the fail2ban mailing list?

Unfortunately, I've introduced another issue while attempting to troubleshoot this one.

I forced a log rotation for all logs when I meant to force a rotation only for /var/log/auth.log. (I wanted to force a rotation because this file was some 400MB in size, and parsing it with fail2ban-regex was taking too long.) Now, nothing is being written to /var/log/auth.log. If I tail the file, and for example, log in via SSH, nothing is written to the log. After a day or so, the log is still empty. Why might rotating the log cause this behavior?

The files look like this:

Code:
-rw-r-----  1 syslog   adm         0 Jan  4 09:49 auth.log
-rw-r-----  1 syslog   adm      376M Jan  5 08:32 auth.log.1

EDIT: Now that I look at these dates, I realize that the auth.log.1 file is the one being modified, not auth.log.

I should add that auth.log was never being rotated (which is why it was 376MB in size), so I created the file /etc/logrotate.d/auth and populated it with the following contents:

Code:
/var/log/auth.log {
	weekly
	rotate 12
}

I forced the log rotation after creating this file, if I recall correctly.

The relevant entry in /etc/syslog.conf looks correct:

Code:
auth,authpriv.*          -/var/log/auth.log

Any idea why this would cause the .1 log file to become the primary log? Is there a simple way to fix this?

Last edited by cbj4074; 5th January 2012 at 17:43. Reason: Added ls -lah output for affected log files.
#23
5th January 2012, 20:06
cbj4074 (Senior Member, joined Nov 2010)

Okay, all is well, finally.

When I removed the file I had created at /etc/logrotate.d/auth, the system began logging to /var/log/auth.log again.

Even though the pure-ftpd-mysql jail in fail2ban was not monitoring this file (it was monitoring /var/log/syslog), the fact that /var/log/auth.log was empty seemed to keep fail2ban from banning via the pure-ftpd-mysql jail. This is strange, given that fail2ban continued banning for other jails, such as postfix.

I don't know why /var/log/auth.log is never rotated on this system, because I have other systems that are nearly identical on which that log is rotated every three days.

Once I sort that, I'll be a happy camper!
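An added illustration (not code from anyone in this thread) of the mechanism behind the empty auth.log in posts #22 and #23: a syslog daemon opens its log file once and keeps writing through that descriptor, so after logrotate renames the file the records keep landing in auth.log.1 until the daemon is told to reopen. The hand-written /etc/logrotate.d/auth stanza above has no `postrotate` hook and no `create` line, whereas a distribution's own syslog stanza normally signals the daemon after rotation. The script below models both cases in a temporary directory; the file names, log lines and the simplified rotation steps are constructed assumptions.

```python
import os
import tempfile

LINE_BEFORE = "sshd: Accepted publickey for alice\n"            # constructed sample record
LINE_AFTER = "sshd: Failed password for invalid user admin\n"  # constructed sample record


def count_lines(path):
    with open(path) as fh:
        return sum(1 for _ in fh)


def simulate_rotation(daemon_reopens):
    """Model one logrotate run against a daemon that holds auth.log open.

    Returns (lines in auth.log, lines in auth.log.1) after the daemon writes
    one more record post-rotation. daemon_reopens=True stands in for a
    postrotate hook that makes the daemon reopen its files; False is the
    bare stanza from the thread, which neither signals nor truncates.
    """
    with tempfile.TemporaryDirectory() as workdir:
        active = os.path.join(workdir, "auth.log")
        rotated = os.path.join(workdir, "auth.log.1")

        # The daemon opens the file once at startup and keeps the descriptor.
        log = open(active, "a")
        log.write(LINE_BEFORE)
        log.flush()

        # logrotate renames the current file to .1 and (with `create`) makes a
        # fresh, empty auth.log; the daemon's descriptor still points at the
        # renamed inode, exactly the picture in the ls output above.
        os.rename(active, rotated)
        open(active, "a").close()

        if daemon_reopens:
            # What a postrotate reload achieves: close and reopen by name.
            log.close()
            log = open(active, "a")

        # The next authentication event after rotation.
        log.write(LINE_AFTER)
        log.close()
        return count_lines(active), count_lines(rotated)


if __name__ == "__main__":
    print("no reopen (bare stanza):", simulate_rotation(False))   # auth.log stays empty
    print("daemon reopens (postrotate):", simulate_rotation(True))  # new record in auth.log
```

Run it and the first case reports zero lines in auth.log and two in auth.log.1; the second splits them one and one. For a daemon that cannot be signalled, logrotate's `copytruncate` directive avoids the rename entirely, at the cost of possibly losing records written between the copy and the truncate.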
#24
16th March 2012, 08:04
enqx (Junior Member, joined Jan 2011)

Quote (originally posted by autogun):
Thank you so much, jysse!

I've changed my original line from:
Code:
failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$

to yours:
Code:
failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$

Works like a charm =D

Code:
2009-09-09 06:01:33,551 fail2ban.actions: WARNING [pure-ftpd] Ban XX.XXX.249.100

THIS WORKED on ISPCONFIG 3.0.4.3 and Debian Lenny.
#25
1st February 2013, 23:37
PermaNoob (Senior Member, joined Jan 2007)

Quote (originally posted by jysse):
Here is how I managed to make this work.
Debian Lenny, ISPConfig3

If I understood correctly, there was an error in Debian's pure-ftpd filter. The correct line in /etc/fail2ban/filter.d/pure-ftpd.conf should be:
failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$

Here are my jail.conf lines for pure-ftpd:

[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/messages
maxretry = 2

Hope this helps !

jysse
Thanks a lot--that missing \ in ])?: (.+?@<HOST>) sure caused a lot of trouble, including having Hetzner take my server offline for 6 hours because of the pure-ftpd attacks that weren't being blocked.

Last edited by PermaNoob; 1st February 2013 at 23:40.
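As an added illustration (not code from any poster in this thread), the following Python script expands the two failregex variants quoted in posts #24 and #25 the way fail2ban does and runs them over a few constructed pure-ftpd syslog lines, reproducing the fail2ban-regex check cbj4074 describes in post #22. It shows why the unescaped parentheses never match: pure-ftpd writes the client as `(user@host)`, and an unescaped `(` is a capture group, not a literal. The `<HOST>` expansion and the `__errmsg` alternation are assumptions mirroring fail2ban's stock pure-ftpd filter; the log lines, host names and IP addresses are made up.

```python
import re

# Assumption: fail2ban replaces <HOST> with this group (the expansion used by
# fail2ban 0.8); __errmsg is the alternation Debian's pure-ftpd filter defines.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
ERRMSG = (r"(?:Authentication failed for user|Sorry, cleartext sessions and weak "
          r"ciphers are not accepted on this server)")

# The two failregex lines quoted in the thread: the Debian original and jysse's fix.
BROKEN = r"pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$"
FIXED = r"pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$"

# Constructed syslog lines in pure-ftpd's format (not captured from a real server).
SAMPLE_LOG = """\
Jan  5 17:01:12 srv pure-ftpd: (?@203.0.113.45) [WARNING] Authentication failed for user [admin]
Jan  5 17:01:15 srv pure-ftpd: (?@203.0.113.45) [WARNING] Authentication failed for user [test]
Jan  5 17:02:40 srv pure-ftpd: (bob@198.51.100.7) [INFO] bob is now logged in
Jan  5 17:03:02 srv pure-ftpd[2345]: (?@198.51.100.9) [WARNING] Authentication failed for user [root]
"""


def expand(failregex):
    """Apply the two substitutions fail2ban performs before compiling a failregex."""
    return re.compile(failregex.replace("%(__errmsg)s", ERRMSG).replace("<HOST>", HOST))


def failed_hosts(failregex, log_text):
    """Host captured by each matching line, in order (what fail2ban-regex lists)."""
    pattern = expand(failregex)
    hosts = []
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hosts.append(match.group("host"))
    return hosts


def ban_candidates(failregex, log_text, maxretry):
    """Hosts that reached maxretry failures (findtime ignored for this offline check)."""
    counts = {}
    for host in failed_hosts(failregex, log_text):
        counts[host] = counts.get(host, 0) + 1
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, regex in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "matches:", failed_hosts(regex, SAMPLE_LOG),
              "would ban at maxretry=2:", ban_candidates(regex, SAMPLE_LOG, 2))
```

With the broken pattern nothing matches, so the jail never bans, which is the quiet failure described in the thread; with the fix the two repeated failures from one address cross a maxretry of 2 while the successful login line is ignored. The same trick, substituting the tags by hand and running `re.search` over a few known-bad lines, is a quick way to sanity-check any edited filter before reloading fail2ban.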