Vsftpd
vsftpd, which stands for "Very Secure FTP Daemon", is an FTP server. It is licensed under the GNU General Public License. It supports IPv6 and SSL.
vsftpd is the default FTP server in Ubuntu, Fedora, Red Hat Enterprise Linux and a number of other distributions.
- Tue Jan 23 14:04:09 2007 [pid 55555] [Administrator] FAIL LOGIN: Client "123.123.123.123"
- Jan 23 14:04:14 Fedora6Srv1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=123.123.123.123
- Thu Aug 6 16:01:28 2009 [pid 3501] [username] FTP response: Client "192.20.10.127", "530 Login incorrect."
Failregex
The regular expressions below are proposed failregex for this software. Multiple regular expressions for failregex will only work with a version of Fail2ban greater than or equal to 0.7.6.
The tag <HOST> in the regular expressions below is just an alias for (?:::f{4,6}:)?(?P<host>\S+). The replacement is done automatically by Fail2ban when adding the regular expression. At the moment, exactly one named group host or <HOST> tag must be present in each regular expression.
Please, before editing this section, propose your changes in the discussion page first.
- vsftpd: .* authentication failure; .* rhost=<HOST>$
- \[. \] FAIL LOGIN: Client "<HOST>"$
- \[.+\] FTP response: Client "<HOST>", "530 Login incorrect."
Problem Solving
Everything seems to work but no hosts are blocked? Try the following steps:
- Run "fail2ban-regex /var/log/vsftpd.log /etc/fail2ban/filter.d/vsftpd.conf" (or equal). Do you get a "Success, the total number of match is xyz" message at the end? If not: Check if the logfile entries fits the regexpression in filter.d/vsftpd.conf
- Check the timestamps in the vsftpd.log. You may need to add "use_localtime=YES" to /etc/vsftpd/vsftpd.conf
- Check file: /etc/vsftpd/vsftpd.conf and add the line: "dual_log_enable=YES" without the quotes
