Hello, I've installed PureFTP with MySQL authentication. How do I configure fail2ban to work with this FTP server? The default configuration doesn't support this server.
--
Regards,
Jarek
Find out in which file PureFTPd logs authentication attempts, and then try to adjust /etc/fail2ban/jail.local.
PureFTP logs authentication attempts to /var/log/auth.log for "normal" users AND, for virtual users from the database, to /var/log/syslog. I added to jail.local:

Code:
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/auth.log
maxretry = 3

and

Code:
vi filter.d/pureftpd.conf

Code:
[Definition]
failregex = pure-ftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
ignoreregex =

Code:
/etc/init.d/fail2ban restart

Code:
Chain INPUT (policy ACCEPT 5386 packets, 406K bytes)
pkts bytes target prot opt in out source destination
0 0 fail2ban-pureftpd tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21

Chain fail2ban-pureftpd (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * * 192.168.10.12 0.0.0.0/0
0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0

It works when we try to log in as a fictional user or a system user (auth.log), but it doesn't work when we try to log in as a virtual user (syslog).

Syslog output:

Code:
deb pure-ftpd: ([email protected]) [INFO] New connection from comp10.domain.com
deb pure-ftpd: ([email protected]) [INFO] Logout.
deb pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [user1]
deb pure-ftpd: ([email protected]) [INFO] New connection from comp10.domain.com
deb pure-ftpd: ([email protected]) [INFO] Logout.
deb pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [user1]
....

Do you have any idea how to merge these two logs from auth.log and syslog?
--
Regards
Yeah, I got it working by using syslog for all failed passwords, rather than auth.log.

Code:
[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =

Works a treat. On Debian (etch) you will have to do this for it to work (or at least I seemed to have to):

Code:
echo "yes" > /etc/pure-ftpd/conf/DontResolve
/etc/init.d/pure-ftpd-mysql restart
Hi, thank you seufert, it now works well, even without:

Code:
echo "yes" > /etc/pure-ftpd/conf/DontResolve

Thanks
--
Regards
Jarek
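
Added example, not part of any post above: a Python check of the two failregex values from this thread against constructed log lines, showing which log format each one matches and whether the captured host is an IP or a name (the DontResolve question). The `HOST` pattern is a simplified stand-in for fail2ban's `<HOST>` tag, and the sample lines, addresses and the `(?@host)` prefix are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption; the real
# expansion differs between fail2ban versions).
HOST = r"(?P<host>[\w\-.^_]+)"

# The two failregex values posted in this thread.
FILTERS = {
    "auth.log": r"pure-ftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>",
    "syslog": r".*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*",
}

# Constructed log lines: addresses, names and the "(?@host)" prefix are sample values.
SAMPLE = [
    "deb pure-ftpd: (pam_unix) authentication failure; logname= uid=0 "
    "euid=0 tty=pure-ftpd ruser=root rhost=198.51.100.7",
]
for peer in ("192.0.2.10", "comp10.domain.com"):
    for _ in range(3):
        SAMPLE += [
            f"deb pure-ftpd: (?@{peer}) [INFO] New connection from {peer}",
            f"deb pure-ftpd: (?@{peer}) [WARNING] Authentication failed for user [user1]",
            f"deb pure-ftpd: (?@{peer}) [INFO] Logout.",
        ]


def failures(lines, failregex):
    """Count matching lines per captured host, as a jail would for one logpath."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    return Counter(m.group("host") for m in map(rx.search, lines) if m)


def to_ban(lines, failregex, maxretry=3):
    """Hosts that reached maxretry, tagged by what the log line contained."""
    result = {}
    for host, count in failures(lines, failregex).items():
        if count < maxretry:
            continue
        try:
            ipaddress.ip_address(host)
            result[host] = "ip"
        except ValueError:
            # A name here means the ban relies on a DNS lookup of that name;
            # pure-ftpd's DontResolve setting logs the IP instead.
            result[host] = "hostname"
    return result


if __name__ == "__main__":
    for name, rx in FILTERS.items():
        print(name, dict(failures(SAMPLE, rx)), to_ban(SAMPLE, rx))
```

On a live system, `fail2ban-regex <logfile> <filterfile>` runs the real filter against the real log and is the authoritative check.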
fail2ban not blocking

I have followed the minihowto on fail2ban, and the daemon seems to be running just fine. However, upon several purposeful brute-force logins on SSH from a non-whitelisted IP, I did not get blocked. Here's what tail shows:

Code:
e82-103-142-216s:~# tail -f /var/log/fail2ban.log
2007-08-10 17:57:58,810 fail2ban.filter : INFO Set ignoreregex =
2007-08-10 17:57:58,818 fail2ban.actions.action: INFO Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2007-08-10 17:57:58,822 fail2ban.actions.action: INFO Set actionStop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2007-08-10 17:57:58,826 fail2ban.actions.action: INFO Set actionStart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
2007-08-10 17:57:58,830 fail2ban.actions.action: INFO Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
2007-08-10 17:57:58,834 fail2ban.actions.action: INFO Set actionCheck = iptables -L INPUT | grep -q fail2ban-<name>

Anything missing in my config? Shall I set iptables 1st?

Regards,
Nuno.
Hi, it isn't important whether you have iptables configured or not. Fail2ban adds its own rules and makes its own chains. Whether you have a firewall or not, it should work. Look once again at the config:

Code:
FILE - jail.local:
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/auth.log
maxretry = 3

FILE - filter.d/pureftpd.conf:
[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =

/etc/init.d/fail2ban restart

Should work.