Difference between revisions of "Talk:Vsftpd"

From Fail2ban
(regex for fail2ban 0.8.3 on CentOS5?)

(2 intermediate revisions by one other user not shown)

Line 63 (previous revision):

failregex = .*Client "<HOST>",."530 Permission denied."$

== regex for fail2ban 0.8.3 on CentOS5? ==

I'm not sure if this is the right place to ask, so I ask for your patience if not. I've been trying to get a working regex for vsftpd but to no avail. The failregex in vsftpd.conf is:

   #failregex = vsftpd(?:\[\d+\])?: .* authentication failure; .* rhost=<HOST>\s*$
   #            \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
   
   failregex = \[. \] FAIL LOGIN: Client "<HOST>"$

The first is what came by default and the second is what was suggested here on the page. I've tweaked it a little, but every time I run fail2ban-regex /var/log/vsftpd.log /etc/fail2ban/vsftpd.conf on any regex variation I get:

  ...
  No 'host' group in '/etc/fail2ban/vsftpd.conf'
  Cannot remove regular expression. Index 0 is not valid
  ...
  No 'host' group in '/etc/fail2ban/vsftpd.conf'
  Cannot remove regular expression. Index 0 is not valid
  
  Results
  =======
  
  Failregex
  |- Regular expressions:
  |  [1] /etc/fail2ban/vsftpd.conf
  |
  `- Number of matches:
     [1] 0 match(es)
  
  Ignoreregex
  |- Regular expressions:
  |
  `- Number of matches:
  
  Summary
  =======
  
  Sorry, no match
  
  Look at the above section 'Running tests' which could contain important
  information.

With the "..." indicating I get TONS of those error messages; they're just all identical. Any ideas?

Line 63 (current revision):

failregex = .*Client "<HOST>",."530 Permission denied."$

== regex for fail2ban 0.8.x on CentOS5? ==

The following configuration will allow fail2ban 0.8.4 to work with vsftpd on a Red Hat/CentOS 5 box (at least it does for me):

   $> cat /etc/fail2ban/filter.d/vsftpd.conf
   ...
   <snip>
   
   failregex = .*Client "<HOST>",."530 Login incorrect."$
   
   <snip>
   ...

Credit should go to [http://www.linuxquestions.org/questions/linux-security-4/vsftpd-brutte-force-attack-how-to-resolve-ip-705303/ CaptainInsane] though... not me.

Latest revision as of 00:09, 13 December 2009

I had some trouble finding the right regex under Fedora Core 6 (it might work under other FC distros or else), so I thought of adding it to the Wiki. I didn't want to be rude by adding it directly to the article, but what's the point of discussion if nobody sees it and then comments on it.


Here is my regex again:

\[.+\] \[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$

Enjoy


Thank you. However, didn't this work?

\[.+\] FAIL LOGIN: Client "<HOST>"$

Are you using 0.6.2 or 0.7.x? If you use 0.6.2, could you try this?

\[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$

Thank you --Lostcontrol 21:56, 21 January 2007 (CET)

== proper regex for fedora core 5 ==

Hi, I tried the one you are asking about:

\[.+\] FAIL LOGIN: Client "<HOST>"$

but it didn't work. This is the error in the error log:

#failregex = \[.+\] FAIL LOGIN: Client "<HOST>"$
2007-03-29 13:41:03,902 ERROR: Please check the format and your locale settings.
2007-03-29 13:41:05,550 ERROR: time data did not match format:  data=Mar 29 13:34:28  fmt=%b %d %H:%M:%S

I am currently trying out the format you have suggested for v0.6.2 since it's the one I have, and I'll get back to you; if it doesn't work I will try the format that worked for FC6.

I tried your suggested regex and it did not work; it's not blocking anything on vsftp. Let me try the other one and see.

It too didn't work on my system. I am going back to using the following regex, since I have had limited success with it before, until I find a better one:

Authentication failure|Failed password|Invalid user

The main problem with this regex is that it doesn't ban when the user is unknown, like below:

Apr  1 04:15:46 muthii vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Apr  1 04:15:46 muthii vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser=         rhost=123.123.123.123 
Apr  1 04:15:46 muthii vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator

You can reply to me at the following address; any assistance will be greatly appreciated:

Samnjugu at gmail com

== Generic pam_unix regex for CentOS5 ==

 pam_unix\(\S*:auth\): authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>

== VSFTPD 2 Red Hat Enterprise ==

Vsftpd 2.0.5-12 for Red Hat Enterprise 5 logs are like:

Fri Sep 19 15:54:55 2008 [pid 15562] [guest] FTP response: Client "202.55.176.81", "530 Permission denied."

So I added a vsftpd.local in /etc/fail2ban/filter.d with:

failregex = .*Client "<HOST>",."530 Permission denied."$

== regex for fail2ban 0.8.x on CentOS5? ==

The following configuration will allow fail2ban 0.8.4 to work with vsftpd on a Red Hat/CentOS 5 box (at least it does for me):

 $> cat /etc/fail2ban/filter.d/vsftpd.conf
 ...
 <snip>
  
 failregex = .*Client "<HOST>",."530 Login incorrect."$
 
 <snip>
 ...

Credit should go to CaptainInsane though... not me.
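To see which of the failregex candidates on this talk page (the FAIL LOGIN forms, the pam_unix form from the CentOS5 post, and the two "530" forms from the Red Hat 5 posts) match which log format, here is an added Python check; it is not part of fail2ban or of any post above. The log lines are constructed in the formats quoted on the page with documentation IPs, and <HOST> is expanded to a named host group the way the 0.6.2 posts spell it out.

```python
import re

# fail2ban replaces the <HOST> tag with a named group before compiling the
# failregex; the posts above show the equivalent form (?P<host>\S+) for 0.6.2.
HOST_GROUP = r"(?P<host>\S+)"

# The failregex candidates discussed on this page.
FAILREGEXES = {
    "fc6": r'\[.+\] \[.+\] FAIL LOGIN: Client "<HOST>"$',
    "fail_login": r'\[.+\] FAIL LOGIN: Client "<HOST>"$',
    "tweaked": r'\[. \] FAIL LOGIN: Client "<HOST>"$',   # the tweaked variant from the old question
    "pam_unix": r"pam_unix\(\S*:auth\): authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>",
    "permission": r'.*Client "<HOST>",."530 Permission denied."$',
    "login_incorrect": r'.*Client "<HOST>",."530 Login incorrect."$',
}

# Constructed sample lines in the formats quoted on this page (documentation IPs).
LOG_LINES = [
    'Fri Sep 19 15:54:55 2008 [pid 15562] [guest] FTP response: Client "192.0.2.10", "530 Permission denied."',
    'Fri Sep 19 15:55:01 2008 [pid 15563] [guest] FTP response: Client "192.0.2.11", "530 Login incorrect."',
    'Sun Jan 21 21:56:00 2007 [pid 2001] [ftp] FAIL LOGIN: Client "192.0.2.20"',
    'Apr  1 04:15:46 muthii vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.30',
    # Same event with the padded "ruser=         rhost=" spacing seen in the quoted log above.
    'Apr  1 04:15:46 muthii vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser=         rhost=192.0.2.31',
    'Apr  1 04:15:46 muthii vsftpd: pam_unix(vsftpd:auth): check pass; user unknown',
]

def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))

def matching_hosts(failregex, lines):
    """Return the host captured from each line the failregex matches (search, as fail2ban does)."""
    rx = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = rx.search(line.rstrip("\n"))
        if m:
            hosts.append(m.group("host"))
    return hosts

if __name__ == "__main__":
    for name, rx in FAILREGEXES.items():
        print(f"{name:16s} -> {matching_hosts(rx, LOG_LINES)}")
```

The padded `ruser=         rhost=` line shows that the pam_unix regex tolerates only a single space before rhost, and the "user unknown" line is matched by none of them, which is the gap the Fedora Core 5 post describes; fail2ban-regex against the real log remains the authoritative check.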