Can't get fail2ban to work.

Discussion in 'Server Operation' started by boast, Jun 24, 2007.

  1. boast

    boast New Member

    So I see this in my proftpd logs
    Code:
    Jun 23 21:20:37 orangegum.BBNET proftpd[9193] orangegum.BBNET (211.97.71.198[211.97.71.198]): FTP session opened.
    Jun 23 21:20:38 orangegum.BBNET proftpd[9193] orangegum.BBNET (211.97.71.198[211.97.71.198]): no such user 'info'
    Jun 23 21:20:38 orangegum.BBNET proftpd[9193] orangegum.BBNET (211.97.71.198[211.97.71.198]): USER info: no such user found from 211.97.71.198 [211.97.71.198] to 10.0.0.3:21
    Jun 23 21:20:38 orangegum.BBNET proftpd[9193] orangegum.BBNET (211.97.71.198[211.97.71.198]): mod_delay/0.5: delaying for 75962 usecs
    Jun 23 21:20:39 orangegum.BBNET proftpd[9193] orangegum.BBNET (211.97.71.198[211.97.71.198]): mod_delay/0.5: delaying for 2 usecs
    Jun 23 21:20:39 orangegum.BBNET proftpd[9193] orangegum.BBNET (211.97.71.198[211.97.71.198]): no such user 'info'
    Jun 23 21:20:39 orangegum.BBNET proftpd[9193] orangegum.BBNET (211.97.71.198[211.97.71.198]): USER info: no such user found from 211.97.71.198 [211.97.71.198] to 10.0.0.3:21
    Jun 23 21:20:40 orangegum.BBNET proftpd[9193] orangegum.BBNET (211.97.71.198[211.97.71.198]): mod_delay/0.5: delaying for 19765 usecs
    Jun 23 21:20:40 orangegum.BBNET proftpd[9193] orangegum.BBNET (211.97.71.198[211.97.71.198]): no such user 'info'
    Jun 23 21:20:40 orangegum.BBNET proftpd[9193] orangegum.BBNET (211.97.71.198[211.97.71.198]): USER info: no such user found from 211.97.71.198 [211.97.71.198] to 10.0.0.3:21
    Jun 23 21:20:40 orangegum.BBNET proftpd[9193] orangegum.BBNET (211.97.71.198[211.97.71.198]): Maximum login attempts (3) exceeded
    Jun 23 21:20:40 orangegum.BBNET proftpd[9193] orangegum.BBNET (211.97.71.198[211.97.71.198]): FTP session closed.
    Jun 23 21:20:41 orangegum.BBNET proftpd[9209] orangegum.BBNET (211.97.71.198[211.97.71.198]): FTP session opened.
    Jun 23 21:20:42 orangegum.BBNET proftpd[9209] orangegum.BBNET (211.97.71.198[211.97.71.198]): no such user 'info'
    Jun 23 21:20:42 orangegum.BBNET proftpd[9209] orangegum.BBNET (211.97.71.198[211.97.71.198]): USER info: no such user found from 211.97.71.198 [211.97.71.198] to 10.0.0.3:21
    Jun 23 21:20:42 orangegum.BBNET proftpd[9209] orangegum.BBNET (211.97.71.198[211.97.71.198]): mod_delay/0.5: delaying for 238 usecs
    Jun 23 21:20:43 orangegum.BBNET proftpd[9209] orangegum.BBNET (211.97.71.198[211.97.71.198]): mod_delay/0.5: delaying for 149 usecs
    Jun 23 21:20:43 orangegum.BBNET proftpd[9209] orangegum.BBNET (211.97.71.198[211.97.71.198]): no such user 'info'
    Jun 23 21:20:43 orangegum.BBNET proftpd[9209] orangegum.BBNET (211.97.71.198[211.97.71.198]): USER info: no such user found from 211.97.71.198 [211.97.71.198] to 10.0.0.3:21
    Jun 23 21:20:43 orangegum.BBNET proftpd[9209] orangegum.BBNET (211.97.71.198[211.97.71.198]): mod_delay/0.5: delaying for 103394 usecs
    Jun 23 21:20:44 orangegum.BBNET proftpd[9209] orangegum.BBNET (211.97.71.198[211.97.71.198]): mod_delay/0.5: delaying for 623 usecs
    Jun 23 21:20:44 orangegum.BBNET proftpd[9209] orangegum.BBNET (211.97.71.198[211.97.71.198]): no such user 'info'
    Jun 23 21:20:44 orangegum.BBNET proftpd[9209] orangegum.BBNET (211.97.71.198[211.97.71.198]): USER info: no such user found from 211.97.71.198 [211.97.71.198] to 10.0.0.3:21
    Jun 23 21:20:44 orangegum.BBNET proftpd[9209] orangegum.BBNET (211.97.71.198[211.97.71.198]): Maximum login attempts (3) exceeded
    Jun 23 21:20:44 orangegum.BBNET proftpd[9209] orangegum.BBNET (211.97.71.198[211.97.71.198]): FTP session closed.
    Jun 23 21:20:45 orangegum.BBNET proftpd[9210] orangegum.BBNET (211.97.71.198[211.97.71.198]): FTP session opened.
    Jun 23 21:20:46 orangegum.BBNET proftpd[9210] orangegum.BBNET (211.97.71.198[211.97.71.198]): no such user 'info'
    Jun 23 21:20:46 orangegum.BBNET proftpd[9210] orangegum.BBNET (211.97.71.198[211.97.71.198]): USER info: no such user found from 211.97.71.198 [211.97.71.198] to 10.0.0.3:21
    Jun 23 21:20:46 orangegum.BBNET proftpd[9210] orangegum.BBNET (211.97.71.198[211.97.71.198]): mod_delay/0.5: delaying for 77 usecs
    Jun 23 21:20:46 orangegum.BBNET proftpd[9210] orangegum.BBNET (211.97.71.198[211.97.71.198]): mod_delay/0.5: delaying for 169 usecs
    Jun 23 21:20:47 orangegum.BBNET proftpd[9210] orangegum.BBNET (211.97.71.198[211.97.71.198]): no such user 'info'
    Yet fail2ban logs show nothing.

    I copied everything the tutorial said. But it had logpath pointing to auth.log, but since proftpd has its own log, I'm not sure if I have it set right.

    Code:
    [proftpd]
    
    enabled  = true
    port     = ftp
    filter   = proftpd
    logpath  = /var/log/proftpd/proftpd.log
    failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
    maxretry = 5
    
    How can I personally test if it works? I don't even know how to ban IPs; I had to shut everything down.


    Edit: changing it to
    Code:
    failregex = USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$
    worked
     
    Last edited: Jul 4, 2007
  2. falko

    falko Super Moderator

    What gets logged to /var/log/auth.log when an FTP login fails?
     
  3. daveb

    daveb Member

    I had to remove the
    Code:
    failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
    in my jail.local to get it to work on my server.
     
