Difference between revisions of "Talk:ProFTPd"
From Fail2ban
Jump to navigationJump to search (hRKZhIAjnWAhVGRl) |
m |
||
| (16 intermediate revisions by 5 users not shown) | |||
| Line 1: | Line 1: | ||
| − | + | failregex = USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$ | |
| − | < | + | |
| + | /var/log/secure:Jul 3 14:33:30 xkmail proftpd[12639]: xkmail.hopto.org | ||
| + | (pe1950-2.sni.ne.jp[61.7.1.109]) - USER adriana: no such user found from | ||
| + | pe1950-2.sni.ne.jp [61.7.1.109] to 71.105.58.80:21 | ||
| + | |||
| + | I got hit by this about 1400 times today but fail2ban did not jail ip address. | ||
| + | |||
| + | Is the jail.conf wrong? | ||
| + | kevin@xkmail.hopto.org ver .80 fedora 4 | ||
| + | |||
| + | <pre> | ||
| + | # Fail2Ban configuration file | ||
| + | # | ||
| + | # Author: Yaroslav Halchenko | ||
| + | # | ||
| + | # $Revision: 510 $ | ||
| + | # | ||
| + | |||
| + | [Definition] | ||
| + | |||
| + | # Option: failregex | ||
| + | # Notes.: regex to match the password failures messages in the logfile. The | ||
| + | # host must be matched by a group named "host". The tag "<HOST>" can | ||
| + | # be used for standard IP/hostname matching and is only an alias for | ||
| + | # (?:::f{4,6}:)?(?P<host>\S+) | ||
| + | # Values: TEXT | ||
| + | # | ||
| + | failregex = USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$ | ||
| + | |||
| + | # Option: ignoreregex | ||
| + | # Notes.: regex to ignore. If this regex matches, the line is ignored. | ||
| + | # Values: TEXT | ||
| + | # | ||
| + | ignoreregex = | ||
| + | </pre> | ||
| + | |||
| + | <pre> | ||
| + | As Yaroslav Halchenko mentioned right in the mailing list each failregex has | ||
| + | to contain \s+$ at the end, expect the one for "no such user found from" there | ||
| + | is a \s* for zero or more whitespaces needed. | ||
| + | |||
| + | [Definition] | ||
| + | |||
| + | # Option: failregex | ||
| + | # Notes.: regex to match the password failures messages in the logfile. The | ||
| + | # host must be matched by a group named "host". The tag "<HOST>" can | ||
| + | # be used for standard IP/hostname matching and is only an alias for | ||
| + | # (?:::f{4,6}:)?(?P<host>\S+) | ||
| + | # Values: TEXT | ||
| + | # | ||
| + | # failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+$ | ||
| + | failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+\s*$ | ||
| + | \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.\s+$ | ||
| + | \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): No such user found\.\s+$ | ||
| + | \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.\s+$ | ||
| + | \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded\s+$ | ||
| + | |||
| + | # Option: ignoreregex | ||
| + | # Notes.: regex to ignore. If this regex matches, the line is ignored. | ||
| + | # Values: TEXT | ||
| + | # | ||
| + | ignoreregex = | ||
| + | |||
| + | I've just tested it with fail2ban 0.8.2-3 on Debian etch 4.0 Before this change i had also the problem, | ||
| + | that fail2ban didn't react on bad login attempts on ftp. | ||
| + | </pre> | ||
| + | |||
| + | <pre> | ||
| + | Latest working settings for ProFTPD on CentOS 5+: | ||
| + | |||
| + | Set jail.conf proftpd section to log /var/log/secure | ||
| + | |||
| + | Edit regex setting in /etc/fail2ban/filter.d/proftpd.conf | ||
| + | |||
| + | replace existing regex setting with this one: | ||
| + | |||
| + | failregex = ^(.)+proftpd(.)+\[<HOST>\](.)*no such user found from (.)* to (.)*$ | ||
| + | ^(.)+proftpd(.)+\[<HOST>\](.)*USER(.)*Login failed(.)*Incorrect password(.)*$ | ||
| + | ^(.)+proftpd(.)+\[<HOST>\](.)*SECURITY VIOLATION:(.)*login attempted(.)*$ | ||
| + | ^(.)+proftpd(.)+\[<HOST>\](.)*Maximum login attempts(.)*exceeded(.)*$ | ||
| + | |||
| + | Test with: -regex /var/log/secure /etc/fail2ban/filter.d/proftpd.conf | ||
| + | </pre> | ||
Latest revision as of 03:51, 6 October 2011
failregex = USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$
/var/log/secure:Jul 3 14:33:30 xkmail proftpd[12639]: xkmail.hopto.org (pe1950-2.sni.ne.jp[61.7.1.109]) - USER adriana: no such user found from pe1950-2.sni.ne.jp [61.7.1.109] to 71.105.58.80:21
I got hit by this about 1400 times today but fail2ban did not jail ip address.
Is the jail.conf wrong? kevin@xkmail.hopto.org ver .80 fedora 4
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 510 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
As Yaroslav Halchenko mentioned right in the mailing list each failregex has
to contain \s+$ at the end, expect the one for "no such user found from" there
is a \s* for zero or more whitespaces needed.
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+$
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+\s*$
\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.\s+$
\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): No such user found\.\s+$
\(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.\s+$
\(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded\s+$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
I've just tested it with fail2ban 0.8.2-3 on Debian etch 4.0 Before this change i had also the problem,
that fail2ban didn't react on bad login attempts on ftp.
Latest working settings for ProFTPD on CentOS 5+: Set jail.conf proftpd section to log /var/log/secure Edit regex setting in /etc/fail2ban/filter.d/proftpd.conf replace existing regex setting with this one: failregex = ^(.)+proftpd(.)+\[<HOST>\](.)*no such user found from (.)* to (.)*$ ^(.)+proftpd(.)+\[<HOST>\](.)*USER(.)*Login failed(.)*Incorrect password(.)*$ ^(.)+proftpd(.)+\[<HOST>\](.)*SECURITY VIOLATION:(.)*login attempted(.)*$ ^(.)+proftpd(.)+\[<HOST>\](.)*Maximum login attempts(.)*exceeded(.)*$ Test with: -regex /var/log/secure /etc/fail2ban/filter.d/proftpd.conf
