fail2ban jail.conf Configuration issue

Discussion in 'ISPConfig 3 Priority Support' started by budgierless, Jul 27, 2019.

  1. budgierless

    budgierless Member HowtoForge Supporter

    I need advice on fixing a config in fail2ban:
    Code:
    :~# systemctl status fail2ban.service
    ● fail2ban.service - Fail2Ban Service
       Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
       Active: active (running) since Thu 2019-07-25 18:35:01 BST; 1 day 18h ago
         Docs: man:fail2ban(1)
     Main PID: 2306 (fail2ban-server)
        Tasks: 7 (limit: 4915)
       CGroup: /system.slice/fail2ban.service
               └─2306 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
    
    Jul 25 18:35:00 server1 systemd[1]: Starting Fail2Ban Service...
    Jul 25 18:35:01 server1 systemd[1]: Started Fail2Ban Service.
    Jul 25 18:35:11 server1 fail2ban-server[2306]:  Found no accessible config files for 'filter.d/pureftpd' under /etc/fail2ban
    Jul 25 18:35:11 server1 fail2ban-server[2306]:  Unable to read the filter 'pureftpd'
    Jul 25 18:35:11 server1 fail2ban-server[2306]:  Errors in jail 'pureftpd'. Skipping...
    Jul 25 18:35:20 server1 fail2ban-server[2306]: Server ready
    My jail.local is:
    Code:
    [pureftpd]
    enabled  = true
    port     = ftp
    # NOTE(review): fail2ban resolves this value to a file under
    # /etc/fail2ban/filter.d/. The filter file shown later in this post is
    # pure-ftpd.conf, so 'pureftpd' is not found and the log above reports
    # "Errors in jail 'pureftpd'. Skipping...". The service still shows
    # active (running) while this jail is skipped, so failed FTP logins are
    # not being acted on by fail2ban until the name resolves.
    filter   = pureftpd
    logpath  = /var/log/syslog
    # Failures counted per host before a ban.
    maxretry = 3
    
    
    #
    # Mail servers
    #
    
    [postfix]
    enabled  = true
    # NOTE(review): the ban applies to the smtp port only. If this server also
    # accepts mail on submission or smtps, a banned host can still reach those
    # ports - confirm which ports are exposed.
    port     = smtp
    filter   = postfix
    logpath  = /var/log/mail.log
    # Failures counted per host before a ban. findtime and bantime are not set
    # in this section, so they come from defaults defined elsewhere.
    maxretry = 3
    
    
    #
    # Mail servers authenticators: might be used for smtp,ftp,imap servers, so
    # all relevant ports get banned
    #
    
    [dovecot]
    enabled = true
    filter = dovecot
    # Explicit ban action: blocks the listed POP3/IMAP ports over TCP.
    # NOTE(review): if Dovecot also authenticates other services on this host
    # (for example SMTP submission or ManageSieve), their ports are not in this
    # list and stay reachable for a banned host - confirm.
    action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
    logpath = /var/log/mail.log
    # Failures counted per host before a ban.
    maxretry = 5
    
    # DNS Servers
    
    
    # These jails block attacks against named (bind9). By default, logging is off
    # with bind9 installation. You will need something like this:
    #
    # logging {
    #     channel security_file {
    #         file "/var/log/named/security.log" versions 3 size 30m;
    #         severity dynamic;
    #         print-time yes;
    #     };
    #     category security {
    #         security_file;
    #     };
    # };
    #
    # in your named.conf to provide proper logging
    
    # !!! WARNING !!!
    #   Since UDP is connection-less protocol, spoofing of IP and imitation
    #   of illegal actions is way too simple.  Thus enabling of this filter
    #   might provide an easy way for implementing a DoS against a chosen
    #   victim. See
    #    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
    #   Please DO NOT USE this jail unless you know what you are doing.
    #[named-refused-udp]
    #
    #enabled  = false
    #port     = domain,953
    #protocol = udp
    #filter   = named-refused
    #logpath  = /var/log/named/security.log
    
    [named-refused-tcp]
    # Jail is switched off. Enabling it only helps once named writes to the
    # security log channel described in the comments above; otherwise the
    # logpath below has nothing to read.
    enabled  = false
    port     = domain,953
    protocol = tcp
    filter   = named-refused
    logpath  = /var/log/named/security.log
    /etc/fail2ban/filter.d/pure-ftpd.conf:
    Code:
    # Fail2Ban filter for pureftp
    #
    # Disable hostname based logging by:
    #
    # Start pure-ftpd with the -H switch or on Ubuntu 'echo yes > /etc/pure-ftpd/conf/DontResolve'
    #
    #
    
    [INCLUDES]
    
    # Read common.conf before this file. The failregex below references
    # __prefix_line, which is not defined here and is expected to come from
    # that include.
    before = common.conf
    
    [Definition]
    
    # Daemon name; presumably consumed by the included prefix pattern to match
    # the process tag at the start of each syslog line.
    _daemon = pure-ftpd
    
    # Error message specified in multiple languages
    # NOTE(review): a few alternatives look mis-encoded. They have to match what
    # pure-ftpd actually writes to the log, and the notes at the end of this
    # file describe how they were generated, so do not correct them by hand.
    __errmsg = (?:Godkendelse mislykkedes for \[.*\]|Authentifizierung fehlgeschlagen für Benutzer \[.*\].|Authentication failed for user \[.*\]|Autentificación fallida para el usuario \[.*\]|\[.*\] c'est un batard, il connait pas son code|Erreur d'authentification pour l'utilisateur \[.*\]|Azonosítás sikertelen \[.*\] felhasználónak|Autenticazione falita per l'utente \[.*\]|Autorisatie faalde voor gebruiker \[.*\]|Godkjennelse mislyktes for \[.*\]|\[.*\] kullanýcýsý için giriþ hatalý|Autenticação falhou para usuário \[.*\]|Autentificare esuata pentru utilizatorul \[.*\]|Autentifikace uživatele selhala \[.*\]|Autentyfikacja nie powiodła się dla użytkownika \[.*\]|Autentifikacia uzivatela zlyhala \[.*\]|Behörighetskontroll misslyckas för användare \[.*\]|Авторизация не удалась пользователю \[.*\]|\[.*\] 嶸盪 檣隸 褒ぬ|妏蚚氪\[.*\]桄痐囮啖|使用者\[.*\]驗證失敗)
    
    # A failure line is: common prefix, "(<user>@<HOST>)", "[WARNING]", then one
    # of the messages above. <HOST> marks the address fail2ban will ban.
    # The name inside [...] is sent by the client, so keep the ^ and \s*$
    # anchors when editing this pattern: they prevent client-supplied text from
    # changing what <HOST> matches.
    failregex = ^%(__prefix_line)s\(.+?@<HOST>\) \[WARNING\] %(__errmsg)s\s*$
    
    # Empty: no matching lines are excluded.
    ignoreregex =
    
    [Init]
    
    # Journal match expression for the pure-ftpd unit.
    # NOTE(review): presumably only consulted when the jail uses the systemd
    # backend, not when it reads a file such as /var/log/syslog - confirm.
    journalmatch = _SYSTEMD_UNIT=pure-ftpd.service + _COMM=pure-ftpd
    
    # Author: Cyril Jaquier
    # Modified: Yaroslav Halchenko for pure-ftpd
    # Documentation thanks to Blake on http://www.fail2ban.org/wiki/index.php?title=Fail2ban:Community_Portal
    # UTF-8 editing and mechanism thanks to Johannes Weberhofer
    #
    # Only logs to syslog, though the facility can be changed via the configuration file or command line
    #
    # To get messages in the right encoding:
    # grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[defhint]* | grep -Po '".?"' | recode latin1..utf-8 | tr -d '"' > messages
    # grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[pr][to] | grep -Po '".?"' | recode latin1..utf-8 | tr -d '"' >> messages
    # grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[cps][slkv] | grep -Po '".?"' | recode latin2..utf-8 | tr -d '"' >> messages
    # grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_ru | grep -Po '".?"' | recode KOI8-R..utf-8 | tr -d '"' >> messages
    # grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[kz] | grep -Po '".*?"' | tr -d '"' | recode big5..utf-8 >> messages
    
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Change:

    Code:
    [pureftpd]
    enabled  = true
    port     = ftp
    # No filter.d/pureftpd file is readable under /etc/fail2ban (see the log in
    # the question), so fail2ban skips this jail at startup.
    filter   = pureftpd
    logpath  = /var/log/syslog
    maxretry = 3
    to

    Code:
    [pure-ftpd]
    enabled  = true
    port     = ftp
    # Must equal the base name of a file in /etc/fail2ban/filter.d/ (here
    # pure-ftpd.conf). After restarting fail2ban, confirm the jail is loaded
    # with `fail2ban-client status pure-ftpd`; a running service alone does not
    # show that this jail is active.
    filter   = pure-ftpd
    logpath  = /var/log/syslog
    # Failures counted per host before a ban.
    maxretry = 3
    
     
