Preventing Brute Force Attacks With Fail2ban On Debian Etch

Discussion in 'HOWTO-Related Questions' started by Jarek Buczyński, Jul 4, 2007.

  1. Jarek Buczyński

    Jarek Buczyński New Member

    Hello,

    I've installed PureFTP with MySQL authentication.

    How do I configure fail2ban to work with this FTP server? The default configuration doesn't support this server.

    --
    Regards,
    Jarek
     
  2. falko

    falko Super Moderator

    Find out in which file PureFTPd logs authentication attempts, and then try to adjust /etc/fail2ban/jail.local.
     
  3. Jarek Buczyński

    Jarek Buczyński New Member

    PureFTP logs authentication attempts for "normal" users to /var/log/auth.log AND for virtual users from the database to /var/log/syslog.

    I added to jail.local:

    Code:
    [pureftpd]
    
    enabled  = true
    port     = ftp
    filter   = pureftpd
    logpath  = /var/log/auth.log
    
    maxretry = 3
    and

    Code:
    vi filter.d/pureftpd.conf
    Code:
    [Definition]
    failregex = pure-ftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
    ignoreregex =
    Code:
    /etc/init.d/fail2ban restart
    
    Code:
    
    Chain INPUT (policy ACCEPT 5386 packets, 406K bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 fail2ban-pureftpd  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21
    
    
    
    Chain fail2ban-pureftpd (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       0    --  *      *       192.168.10.12            0.0.0.0/0
        0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0
    
    It works when we try to log in as a fictional user or a system user (auth.log), but why doesn't it work when we try to log in as a virtual user (syslog)?

    Syslog output:

    Code:
    deb pure-ftpd: (?@comp10.domain.com) [INFO] New connection from comp10.domain.com
    deb pure-ftpd: (?@comp10.domain.com) [INFO] Logout.
    deb pure-ftpd: (?@comp10.domain.com) [WARNING] Authentication failed for user [user1]
    deb pure-ftpd: (?@comp10.domain.com) [INFO] New connection from comp10.domain.com
    deb pure-ftpd: (?@comp10.domain.com) [INFO] Logout.
    deb pure-ftpd: (?@comp10.domain.com) [WARNING] Authentication failed for user [user1]
    ....
    Do you have any idea how to merge these two logs, auth.log and syslog?



    --
    Regards
     
    Last edited: Jul 6, 2007
  4. seufert

    seufert New Member

    Yeah, I got it working by using syslog for all failed passwords, rather than auth.log.

    Code:
    [Definition]
    failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
    ignoreregex =
    works a treat.

    On Debian (etch) you will have to do this for it to work (or at least I seemed to have to):
    Code:
    echo "yes" > /etc/pure-ftpd/conf/DontResolve
    /etc/init.d/pure-ftpd-mysql restart
     
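    The two failregex lines posted above (the pam_unix one for auth.log in post 3 and the [WARNING] one for syslog in post 4) replayed over constructed log lines, as an added example. This is not code from the thread or from fail2ban itself; it assumes fail2ban's 0.8-era expansion of <HOST> into a named regex group, and the log lines are made up for the demonstration. It shows which lines each pattern matches, which host string ends up in the <HOST> slot, and what that slot holds when pure-ftpd logs a resolved DNS name instead of an address (the situation the DontResolve setting avoids).

```python
"""Replay fail2ban-style failregex patterns over sample pure-ftpd log lines."""
import re
from collections import Counter

# The two failregex patterns from the thread (auth.log / pam_unix and
# syslog / [WARNING]).  fail2ban 0.8 expands <HOST> to HOST_GROUP (assumption:
# taken from that release's filter code, not from this thread).
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAILREGEX = {
    "auth.log": r"pure-ftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>",
    "syslog": r".*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*",
}

# Constructed sample syslog lines (not real logs): three failures from .12,
# one from .13, plus INFO noise that must not match.
SYSLOG_LINES = [
    "Jul  6 10:00:01 deb pure-ftpd: (?@192.168.10.12) [INFO] New connection from 192.168.10.12",
    "Jul  6 10:00:02 deb pure-ftpd: (?@192.168.10.12) [WARNING] Authentication failed for user [user1]",
    "Jul  6 10:00:02 deb pure-ftpd: (?@192.168.10.12) [INFO] Logout.",
    "Jul  6 10:00:05 deb pure-ftpd: (?@192.168.10.12) [WARNING] Authentication failed for user [user1]",
    "Jul  6 10:00:09 deb pure-ftpd: (?@192.168.10.12) [WARNING] Authentication failed for user [admin]",
    "Jul  6 10:01:00 deb pure-ftpd: (?@192.168.10.13) [WARNING] Authentication failed for user [user2]",
    "Jul  6 10:01:30 deb pure-ftpd: (?@192.168.10.13) [INFO] Logout.",
]

# The same kind of event as pure-ftpd logs it without DontResolve: the <HOST>
# slot holds a DNS name, not an address (constructed).
SYSLOG_LINES_RESOLVED = [
    "Jul  6 10:00:02 deb pure-ftpd: (?@comp10.domain.com) [WARNING] Authentication failed for user [user1]",
    "Jul  6 10:00:05 deb pure-ftpd: (?@comp10.domain.com) [WARNING] Authentication failed for user [user1]",
]

# Constructed auth.log lines for a system (PAM) user; the last one is not a failure.
AUTH_LINES = [
    "Jul  6 10:02:00 deb pure-ftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.10.12 user=root",
    "Jul  6 10:02:03 deb pure-ftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.10.12 user=root",
    "Jul  6 10:02:07 deb pure-ftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.10.12",
    "Jul  6 10:02:09 deb pure-ftpd: (pam_unix) session opened for user jarek by (uid=0)",
]

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python regex by expanding <HOST>."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def failed_hosts(lines, failregex):
    """Count matching failures per captured host, the way fail2ban's filter tallies them."""
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            counts[match.group("host")] += 1
    return counts


def hosts_to_ban(lines, failregex, maxretry=3):
    """Hosts that reached maxretry failures (findtime is ignored in this replay)."""
    return sorted(h for h, n in failed_hosts(lines, failregex).items() if n >= maxretry)


def non_ip_hosts(counts):
    """Captured hosts that are not dotted-quad addresses (what DontResolve prevents)."""
    return sorted(h for h in counts if not _IPV4.match(h))


if __name__ == "__main__":
    print("syslog bans:", hosts_to_ban(SYSLOG_LINES, FAILREGEX["syslog"]))
    print("auth.log bans:", hosts_to_ban(AUTH_LINES, FAILREGEX["auth.log"]))
    print("resolved names:", non_ip_hosts(failed_hosts(SYSLOG_LINES_RESOLVED, FAILREGEX["syslog"])))
```

    Each pattern only sees its own log file's lines, which is why a jail pointed at auth.log never reacts to the virtual-user failures in syslog. The ban action template visible later in this thread (iptables -I fail2ban-<name> 1 -s <ip> -j DROP) expects an address in the <ip> slot, so having pure-ftpd log the client address rather than a resolved name is the simplest way to keep the regex and the action consistent.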
  5. Jarek Buczyński

    Jarek Buczyński New Member

    Hi,

    Thank you seufert, it now works well, even without:

    Code:
    echo "yes" > /etc/pure-ftpd/conf/DontResolve
    thanks

    --
    Regards
    Jarek
     
  6. nzimas

    nzimas New Member

    fail2ban not blocking

    I have followed the mini-howto on fail2ban, and the daemon seems to be running just fine. However, after several purposeful brute-force logins on SSH from a non-whitelisted IP, I did not get blocked.

    Here's what tail shows:

    Code:
    e82-103-142-216s:~# tail -f /var/log/fail2ban.log
    2007-08-10 17:57:58,810 fail2ban.filter : INFO   Set ignoreregex =
    2007-08-10 17:57:58,818 fail2ban.actions.action: INFO   Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
    2007-08-10 17:57:58,822 fail2ban.actions.action: INFO   Set actionStop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
    iptables -F fail2ban-<name>
    iptables -X fail2ban-<name>
    2007-08-10 17:57:58,826 fail2ban.actions.action: INFO   Set actionStart = iptables -N fail2ban-<name>
    iptables -A fail2ban-<name> -j RETURN
    iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
    2007-08-10 17:57:58,830 fail2ban.actions.action: INFO   Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
    2007-08-10 17:57:58,834 fail2ban.actions.action: INFO   Set actionCheck = iptables -L INPUT | grep -q fail2ban-<name>
    
    Anything missing in my config?

    Shall I set up iptables first?

    Regards,
    Nuno.
     
  7. Jarek Buczyński

    Jarek Buczyński New Member

    Hi,

    It doesn't matter whether you have iptables configured or not. Fail2ban adds its own rules and makes its own chains. Whether you have a firewall or not, it should work.

    Look once again at the config:

    Code:
    FILE - jail.local:
    [pureftpd]
    enabled  = true
    port     = ftp
    filter   = pureftpd
    logpath  = /var/log/auth.log
    maxretry = 3
    
    FILE - filter.d/pureftpd.conf:
    [Definition]
    failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
    ignoreregex =
    
    /etc/init.d/fail2ban restart
    
    Should work :)
     
