fail2ban pureftp

Discussion in 'Installation/Configuration' started by admins, Oct 16, 2009.

  1. admins

    admins Member HowtoForge Supporter

    Hi all

    Who has a way to add pureftp protection to fail2ban?

    thanks
    admins
     
  2. damir

    damir New Member


    This is my config that works under Debian Lenny and ISPConfig 3:

    /etc/fail2ban/jail.conf

    Code:
    #
    # FTP servers
    #
    
    [pure-ftpd]
    
    enabled  = true
    port     = ftp
    filter   = pure-ftpd
    logpath  = /var/log/messages
    maxretry = 3

    /etc/fail2ban/filter.d/pure-ftpd.conf

    This is correct failregex for Debian Lenny:

    Code:
    failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$

    Restart your fail2ban and now fail2ban and pure-ftpd work as they should.

    You can always tweak maxretry parameter to suit your needs.
     
  3. Djamu

    Djamu New Member

    I stumbled upon this for a "Unable to find a corresponding IP address" issue with fail2ban.

    I noticed that there's a typo at the end of your failregex (although yours seems to work fine).

    So for completeness, here's the latest official one:

    Code:
    failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$
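
    The two failregex variants in this thread (damir's ending in `$`, the official one ending in `\s*$`) can be checked offline against sample log lines. The Python below is an added example, not fail2ban's own code or anything posted in the thread: it expands `%(__errmsg)s` and `<HOST>` the way fail2ban does (using the `__errmsg` definition and the `<HOST>` alias shown later in this thread's pure-ftpd.conf) and counts failures per host. The log lines and IP addresses are constructed for the demonstration.

```python
import re

# Constructed sample syslog lines (not from the thread). The third line carries
# trailing whitespace, which is exactly what the official regex's \s*$ tolerates.
SAMPLE_LOG = [
    "Oct 16 12:00:01 srv pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]",
    "Oct 16 12:00:05 srv pure-ftpd[2345]: (?@203.0.113.7) [WARNING] Authentication failed for user [root]",
    "Oct 16 12:00:09 srv pure-ftpd[2346]: (?@203.0.113.7) [WARNING] Erreur d'authentification pour l'utilisateur [test]   ",
    "Oct 16 12:00:12 srv pure-ftpd[2347]: (?@198.51.100.9) [INFO] New connection from 198.51.100.9",
    "Oct 16 12:00:15 srv pure-ftpd[2348]: (?@198.51.100.9) [WARNING] Authentication failed for user [bob]",
]

# __errmsg and the <HOST> alias as they appear in the pure-ftpd.conf quoted in this thread.
ERRMSG = r"(?:Authentication failed for user|Erreur d'authentification pour l'utilisateur)"
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# damir's regex (anchored with $) and the official one (anchored with \s*$).
FAILREGEX_OLD = r"pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$"
FAILREGEX_NEW = r"pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$"


def compile_failregex(failregex):
    """Substitute the %(__errmsg)s interpolation and the <HOST> tag, then compile."""
    expanded = failregex.replace("%(__errmsg)s", ERRMSG).replace("<HOST>", HOST_ALIAS)
    return re.compile(expanded)


def count_failures(lines, failregex):
    """Return {host: number of lines matching failregex}, like fail2ban's per-IP counter."""
    pattern = compile_failregex(failregex)
    counts = {}
    for line in lines:
        m = pattern.search(line)
        if m:
            host = m.group("host")
            counts[host] = counts.get(host, 0) + 1
    return counts


def hosts_to_ban(lines, failregex, maxretry=3):
    """Hosts that reached maxretry failures (findtime/bantime windows are ignored here)."""
    return sorted(h for h, n in count_failures(lines, failregex).items() if n >= maxretry)


if __name__ == "__main__":
    for name, rx in (("old", FAILREGEX_OLD), ("new", FAILREGEX_NEW)):
        print(name, count_failures(SAMPLE_LOG, rx), "-> ban:", hosts_to_ban(SAMPLE_LOG, rx))
```

    With maxretry = 3 (damir's value), only the `\s*$` variant catches the third line for 203.0.113.7 and so reaches the ban threshold; the `$` variant silently misses a line with trailing whitespace.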
    
     
  4. edge

    edge Active Member Moderator

    Sorry to bring up this old post, but could someone here please post his "jail.conf" and "jail.local"?
    I've deleted my version, and cannot get fail2ban to ban anything anymore :-(
     
  5. falko

    falko Super Moderator ISPConfig Developer

    This is what I have on my ISPConfig 2 server:

    jail.conf:

    Code:
    # Fail2Ban configuration file.
    #
    # This file was composed for Debian systems from the original one
    #  provided now under /usr/share/doc/fail2ban/examples/jail.conf
    #  for additional examples.
    #
    # To avoid merges during upgrades DO NOT MODIFY THIS FILE
    # and rather provide your changes in /etc/fail2ban/jail.local
    #
    # Author: Yaroslav O. Halchenko <debian@onerussian.com>
    #
    # $Revision: 281 $
    #
    
    # The DEFAULT allows a global definition of the options. They can be override
    # in each jail afterwards.
    
    [DEFAULT]
    
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host
    ignoreip = 127.0.0.1
    bantime  = 600
    maxretry = 3
    
    # "backend" specifies the backend used to get files modification. Available
    # options are "gamin", "polling" and "auto".
    # yoh: For some reason Debian shipped python-gamin didn't work as expected
    #      This issue left ToDo, so polling is default backend for now
    backend = polling
    
    #
    # Destination email address used solely for the interpolations in
    # jail.{conf,local} configuration files.
    destemail = root@localhost
    
    # Default action to take: ban only
    action = iptables[name=%(__name__)s, port=%(port)s]
    
    # Following actions can be chosen as an alternatives to the above action.
    # To activate, just copy/paste+uncomment chosen 2 (excluding comments) lines
    # into jail.local
    
    # Default action to take: ban & send an e-mail with whois report
    # to the destemail.
    # action = iptables[name=%(__name__)s, port=%(port)s]
    #          mail-whois[name=%(__name__)s, dest=%(destemail)s]
    
    # Default action to take: ban & send an e-mail with whois report
    # and relevant log lines to the destemail.
    # action = iptables[name=%(__name__)s, port=%(port)s]
    #          mail-whois-lines[name=%(__name__)s, dest=%(destemail)s, logpath=%(logpath)s]
    
    # Next jails corresponds to the standard configuration in Fail2ban 0.6
    # which was shipped in Debian. Please enable any defined here jail by including
    #
    # [SECTION_NAME]
    # enabled = true
    #
    # in /etc/fail2ban/jail.local.
    #
    
    [ssh]
    
    enabled = true
    port    = ssh
    filter  = sshd
    logpath  = /var/log/auth.log
    maxretry = 6
    
    #
    # HTTP servers
    #
    
    [apache]
    
    enabled = false
    port    = http
    filter  = apache-auth
    logpath = /var/log/apache*/*access.log
    maxretry = 6
    
    
    [apache-noscript]
    
    enabled = false
    port    = http
    filter  = apache-noscript
    logpath = /var/log/apache*/*error.log
    maxretry = 6
    
    #
    # FTP servers
    #
    
    [vsftpd]
    
    enabled  = false
    port     = ftp
    filter   = vsftpd
    logpath  = /var/log/auth.log
    maxretry = 6
    
    
    [proftpd]
    
    enabled  = false
    port     = ftp
    filter   = proftpd
    logpath  = /var/log/proftpd/proftpd.log
    maxretry = 6
    
    
    [wuftpd]
    
    enabled  = false
    port     = ftp
    filter   = wuftpd
    logpath  = /var/log/auth.log
    maxretry = 6
    
    
    #
    # Mail servers
    #
    
    [postfix]
    
    enabled  = false
    port     = smtp
    filter   = postfix
    logpath  = /var/log/postfix.log
    
    
    [couriersmtp]
    
    enabled  = false
    port     = smtp
    filter   = couriersmtp
    logpath  = /var/log/mail.log
    
    
    [sasl]
    
    enabled  = false
    port     = smtp
    filter   = sasl
    logpath  = /var/log/mail.log

    jail.local:

    Code:
    [DEFAULT]
    
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host
    ignoreip = 127.0.0.1
    bantime  = 600
    maxretry = 3
    
    # "backend" specifies the backend used to get files modification. Available
    # options are "gamin", "polling" and "auto".
    # yoh: For some reason Debian shipped python-gamin didn't work as expected
    #      This issue left ToDo, so polling is default backend for now
    backend = polling
    
    #
    # Destination email address used solely for the interpolations in
    # jail.{conf,local} configuration files.
    destemail = root@localhost.localdomain
    
    # Default action to take: ban only
    action = iptables[name=%(__name__)s, port=%(port)s]
    
    
    [ssh]
    
    enabled = true
    port    = ssh
    filter  = sshd
    logpath  = /var/log/auth.log
    maxretry = 5
    
    
    [apache]
    
    enabled = true
    port    = http
    filter  = apache-auth
    logpath = /var/log/apache*/*error.log
    maxretry = 5
    
    
    [apache-noscript]
    
    enabled = false
    port    = http
    filter  = apache-noscript
    logpath = /var/log/apache*/*error.log
    maxretry = 5
    
    
    [vsftpd]
    
    enabled  = false
    port     = ftp
    filter   = vsftpd
    logpath  = /var/log/auth.log
    maxretry = 5
    
    
    [proftpd]
    
    enabled  = true
    port     = ftp
    filter   = proftpd
    logpath  = /var/log/auth.log
    failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
    maxretry = 5
    
    
    [wuftpd]
    
    enabled  = false
    port     = ftp
    filter   = wuftpd
    logpath  = /var/log/auth.log
    maxretry = 5
    
    
    [postfix]
    
    enabled  = false
    port     = smtp
    filter   = postfix
    logpath  = /var/log/mail.log
    maxretry = 5
    
    
    [courierpop3]
    
    enabled  = false
    port     = pop3
    filter   = courierlogin
    failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
    logpath  = /var/log/mail.log
    maxretry = 5
    
    
    [courierimap]
    
    enabled  = false
    port     = imap2
    filter   = courierlogin
    failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
    logpath  = /var/log/mail.log
    maxretry = 5
    
    
    [sasl]
    
    enabled  = false
    port     = smtp
    filter   = sasl
    failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
    logpath  = /var/log/mail.log
    maxretry = 5
     
  6. Hans

    Hans Moderator ISPConfig Developer

    @edge,
    I see that falko gave you the config files already.

    Beware that the configuration for PureFTPd is not in these files. You can add the configuration for PureFTPd as mentioned earlier in this thread.
     
  7. edge

    edge Active Member Moderator

    Will give it another go later today.

    Thank you for the info.
     
  8. Hans

    Hans Moderator ISPConfig Developer

    If you want to start from scratch again with fail2ban, maybe the easiest way is to do:

    Code:
    apt-get remove --purge fail2ban
    (this removes fail2ban including the fail2ban config files)

    Code:
    apt-get install fail2ban
    (to install it again)

    After that edit the config files as mentioned above.
    If you use ISPConfig3 (as I think) also have a look here:
     
  9. Toxin

    Toxin New Member

    Hi everyone,

    I tried to apply this hint to my Fedora 13 (64) Perfect Server but:

    If I add this:

    Code:
    [pure-ftpd]
    
    enabled = true
    port = ftp,ftp-data,ftps,ftps-data
    filter = pure-ftpd
    logpath = /var/log/messages
    maxretry = 6

    in /etc/fail2ban/jail.conf

    When I restart fail2ban [service fail2ban restart]
    it fails; if I remove the added rules it works fine.

    Can someone help me add Fail2Ban for pure-ftpd on Fedora?
    I'm getting bored of having a huge log of login attempts with unknown users.

    Thanks
     
  10. edge

    edge Active Member Moderator

    As a wise man is always saying here:
    What does the logfile (in this case fail2ban.log) say?
     
  11. Toxin

    Toxin New Member

    That's the problem, I don't have any fail2ban.log file in /var/log.

    I created the file myself, and tried again to add the lines in fail.conf.

    Still having an error (this is, I think, normal) but nothing is written in the log file ...
     
    Last edited: Nov 8, 2010
  12. falko

    falko Super Moderator ISPConfig Developer

    What's the output of
    Code:
    ls -la /etc/fail2ban/filter.d/
    ?
     
  13. Toxin

    Toxin New Member

    Here it is:

    Code:
    [root@skynet ~]# ls -la /etc/fail2ban/filter.d/
    total 116
    drwxr-xr-x 2 root root 4096 30 juil. 17:41 .
    drwxr-xr-x 4 root root 4096 30 juil. 17:41 ..
    -rw-r--r-- 1 root root  711  8 févr.  2009 apache-auth.conf
    -rw-r--r-- 1 root root 2396  5 mars   2008 apache-badbots.conf
    -rw-r--r-- 1 root root  628 13 oct.   2008 apache-nohome.conf
    -rw-r--r-- 1 root root  763  8 févr.  2009 apache-noscript.conf
    -rw-r--r-- 1 root root  444  5 mars   2008 apache-overflows.conf
    -rw-r--r-- 1 root root 1039  8 févr.  2009 common.conf
    -rw-r--r-- 1 root root  616  8 févr.  2009 courierlogin.conf
    -rw-r--r-- 1 root root  591  8 févr.  2009 couriersmtp.conf
    -rw-r--r-- 1 root root 1012  8 févr.  2009 cyrus-imap.conf
    -rw-r--r-- 1 root root  613  8 févr.  2009 exim.conf
    -rw-r--r-- 1 root root  447 22 mai    2008 gssftpd.conf
    -rw-r--r-- 1 root root  397 30 août   2009 lighttpd-fastcgi.conf
    -rw-r--r-- 1 root root 1013  9 févr.  2009 named-refused.conf
    -rw-r--r-- 1 root root  870 22 mai    2008 pam-generic.conf
    -rw-r--r-- 1 root root  867 30 août   2009 php-url-fopen.conf
    -rw-r--r-- 1 root root  591  8 févr.  2009 postfix.conf
    -rw-r--r-- 1 root root  878  8 févr.  2009 proftpd.conf
    -rw-r--r-- 1 root root  886  8 nov.  10:19 pure-ftpd.conf
    -rw-r--r-- 1 root root  606  8 févr.  2009 qmail.conf
    -rw-r--r-- 1 root root  679  8 févr.  2009 sasl.conf
    -rw-r--r-- 1 root root  581  3 févr.  2009 sieve.conf
    -rw-r--r-- 1 root root 1648  8 févr.  2009 sshd.conf
    -rw-r--r-- 1 root root  627  8 févr.  2009 sshd-ddos.conf
    -rw-r--r-- 1 root root  700  8 févr.  2009 vsftpd.conf
    -rw-r--r-- 1 root root  827  8 févr.  2009 webmin-auth.conf
    -rw-r--r-- 1 root root  437 22 mai    2008 wuftpd.conf
    -rw-r--r-- 1 root root  848  8 févr.  2009 xinetd-fail.conf
    [root@skynet ~]#
    

    Contents of pure-ftpd.conf:
    Code:
    [root@skynet ~]# cat /etc/fail2ban/filter.d/pure-ftpd.conf
    # Fail2Ban configuration file
    #
    # Author: Cyril Jaquier
    # Modified: Yaroslav Halchenko for pure-ftpd
    #
    # $Revision: 3$
    #
    
    [Definition]
    
    # Error message specified in multiple languages
    __errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'utilisateur)
    
    #
    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile. The
    #         host must be matched by a group named "host". The tag "<HOST>" can
    #         be used for standard IP/hostname matching and is only an alias for
    #         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values: TEXT
    #
    #failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$
    failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$
    
    
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =
    
    [root@skynet ~]#
     
    Last edited: Nov 9, 2010
  14. Toxin

    Toxin New Member

    Thanks to the French Fedora web site I've found the error,
    "action" was missing in the jail.conf

    Code:
    [pure-ftpd]
    
    enabled = true
    port = ftp,ftp-data,ftps,ftps-data
    filter = pure-ftpd
    action   = iptables[name=PUREFTP, port=ftp, protocol=tcp]
               sendmail-whois[name=PUREFTP, dest=you@mail.com]
    logpath = /var/log/messages
    maxretry = 6
    
    Now it works perfectly, no more errors on start of Fail2ban.
     
