#1
8th May 2011, 08:54
baldur2630
vsftpd on Fail2ban utterly useless

Fail2ban for vsftpd is a bit of a dead loss. I have it configured along with a few other jails. All the jails seem to work OK except vsftpd. It shows in the log that it's started, but look what I'm getting in my logs, and it's EVERY day, all different IP addresses. I keep blocking them on the Firewall, but this is IRRITATING and is sapping my bandwidth:

check pass; user unknown: 4803 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=backup rhost=112.220.98.98 : 558 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrateur rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrateur rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=besadmin rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=guest rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=info rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=information rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=internet rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=remote rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=sales rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=sql_tech rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=student rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=supermarket rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=system rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=user1 rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=web rhost=112.220.98.98 : 60 Time(s)

and not a single peep from fail2ban!

It seems that it's the latest version, because I had a previous version on a server I shut down a few weeks ago and on that it worked OK.

Any ideas anyone?

#2
8th May 2011, 21:39
falko

Can you post your vsftpd-related fail2ban configuration?

Which distribution do you use?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:

#3
8th May 2011, 22:58
baldur2630

CentOS 5.5/6.

[vsftpd-iptables]
enabled = true
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=VSFTPD, dest=fred@xxxxx.com, sender=fail2ban]
logpath = /var/log/secure.log
maxretry = 3
bantime = -1


# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 728 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
            \[.+\] FAIL LOGIN: Client "<HOST>"\s*$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

#4
9th May 2011, 02:18
falko

What do you see in /var/log/secure.log when someone tries to log in without success?

#5
9th May 2011, 07:35
baldur2630

May 1 22:21:43 CentOS55 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=112.220.98.98
May 1 22:21:43 CentOS55 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
May 1 22:21:47 CentOS55 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 1 22:21:47 CentOS55 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=112.220.98.98
May 1 22:21:47 CentOS55 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
May 1 22:21:50 CentOS55 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 1 22:21:50 CentOS55 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=112.220.98.98
May 1 22:21:50 CentOS55 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
May 1 22:21:55 CentOS55 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 1 22:21:55 CentOS55 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=112.220.98.98
May 1 22:21:55 CentOS55 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
May 1 22:21:59 CentOS55 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 1 22:21:59 CentOS55 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=112.220.98.98
May 1 22:21:59 CentOS55 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
May 1 22:22:03 CentOS55 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 1 22:22:03 CentOS55 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=112.220.98.98
May 1 22:22:03 CentOS55 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
May 1 22:22:08 CentOS55 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown

#6
9th May 2011, 10:08
falko

Can you try this regex instead:

Code:
failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>$

#7
9th May 2011, 10:17
baldur2630

bash: syntax error near unexpected token `('
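
An offline check of the two failregex values from this thread against the log lines posted in #5, in the spirit of what `fail2ban-regex` reports. This is an added example, not code from any poster or from fail2ban itself. It assumes the `<HOST>` expansion quoted in the filter's own comment and ignores findtime, so it only counts matches.

```python
import re
from collections import Counter

# Expansion of the <HOST> tag, as documented in the filter file's comment.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The two failregex values from the thread: the stock filter line (#3)
# and the shortened one suggested in #6.
STOCK = (r"vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; "
         r".* rhost=<HOST>(?:\s+user=\S*)?\s*$")
SHORT = (r"vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; "
         r".* rhost=<HOST>$")

MAXRETRY = 3  # maxretry from the [vsftpd-iptables] jail

# Lines copied from the /var/log/secure.log excerpt in post #5.
SAMPLE_LOG = """\
May 1 22:21:43 CentOS55 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=112.220.98.98
May 1 22:21:43 CentOS55 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
May 1 22:21:47 CentOS55 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 1 22:21:47 CentOS55 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=112.220.98.98
May 1 22:21:50 CentOS55 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=112.220.98.98
""".splitlines()


def compile_failregex(pattern):
    """Substitute the <HOST> tag and compile the resulting regex."""
    return re.compile(pattern.replace("<HOST>", HOST))


def failures_per_host(pattern, lines):
    """Count the lines the failregex matches, keyed by the captured host."""
    rx = compile_failregex(pattern)
    hits = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(pattern, lines, maxretry=MAXRETRY):
    """Hosts whose match count reaches maxretry (findtime not modelled)."""
    counts = failures_per_host(pattern, lines)
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, pattern in (("stock", STOCK), ("short", SHORT)):
        print(name, dict(failures_per_host(pattern, SAMPLE_LOG)),
              hosts_to_ban(pattern, SAMPLE_LOG))
```

On a live system the same comparison is done with `fail2ban-regex <logfile> <filter file>`. A `failregex = ...` line is a setting inside the filter file, not a command for the shell.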

All times are GMT +2.