This is my config that works under Debian Lenny and ISPConfig 3:

/etc/fail2ban/jail.conf

Code:
#
# FTP servers
#

[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/messages
maxretry = 3

/etc/fail2ban/filter.d/pure-ftpd.conf

This is the correct failregex for Debian Lenny:

Code:
failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$

Restart your fail2ban, and now fail2ban and pure-ftpd work as they should. You can always tweak the maxretry parameter to suit your needs.
I stumbled upon this for an "Unable to find a corresponding IP address" issue with fail2ban. I noticed that there's a typo at the end of your failregex (although yours seems to work fine), so for completeness here's the latest official one:

Code:
failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$
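As an added example (not code from any post in this thread), the Python script below expands the two failregex variants quoted above the way fail2ban's config reader would (substituting `%(__errmsg)s` and `<HOST>`) and runs them over a handful of constructed pure-ftpd syslog lines. It shows the one case where the two regexes disagree, a line with trailing whitespace, and that neither matches a successful login or a plain INFO line. The `<HOST>` alias and `__errmsg` value are the ones shown later in this thread from filter.d/pure-ftpd.conf; the log lines, the `match_host` and `banned_hosts` helpers and the manual placeholder expansion are this example's own assumptions, not fail2ban's API.

```python
import re

# The <HOST> alias and the multilingual error message as quoted from
# filter.d/pure-ftpd.conf in this thread.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
ERRMSG = r"(?:Authentication failed for user|Erreur d'authentification pour l'utilisateur)"

# The Debian Lenny variant and the later upstream variant (trailing \s*).
FAILREGEX_LENNY = r"pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$"
FAILREGEX_UPSTREAM = r"pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$"


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand the two placeholders by hand (fail2ban does this through its
    ConfigParser interpolation and the <HOST> alias) and compile the result."""
    expanded = failregex.replace("%(__errmsg)s", ERRMSG).replace("<HOST>", HOST_RE)
    return re.compile(expanded)


def match_host(failregex: str, line: str):
    """Return the host that this failregex would count as a failure for the
    given log line, or None when the line does not match."""
    m = compile_failregex(failregex).search(line)
    return m.group("host") if m else None


# Constructed sample log lines in pure-ftpd's syslog format (not from the thread).
# Line 3 carries a trailing space and an IPv4-mapped IPv6 address.
SAMPLE_LOG = [
    "Nov  8 10:19:01 skynet pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [admin]",
    "Nov  8 10:19:02 skynet pure-ftpd[2231]: (?@198.51.100.7) [WARNING] Erreur d'authentification pour l'utilisateur [www]",
    "Nov  8 10:19:03 skynet pure-ftpd: (?@::ffff:203.0.113.9) [WARNING] Authentication failed for user [test] ",
    "Nov  8 10:19:04 skynet pure-ftpd: (?@203.0.113.5) [INFO] New connection from 203.0.113.5",
    "Nov  8 10:19:05 skynet pure-ftpd: (bob@203.0.113.5) [INFO] Logout.",
]


def banned_hosts(failregex: str, lines=SAMPLE_LOG) -> list:
    """Hosts (in log order, duplicates kept) that the failregex flags."""
    return [h for h in (match_host(failregex, line) for line in lines) if h]


if __name__ == "__main__":
    for name, rx in (("lenny", FAILREGEX_LENNY), ("upstream", FAILREGEX_UPSTREAM)):
        print(name, banned_hosts(rx))
```

The difference only shows up on the third line: `\[.+\]$` refuses to match because of the trailing space, while `\[.+\]\s*$` still extracts `203.0.113.9` (the `(?:::f{4,6}:)?` part of the alias strips the `::ffff:` prefix so the ban targets the IPv4 address).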
Sorry to bring up this old post, but could someone here please post his "jail.conf" and "jail.local"? I've deleted my version, and cannot get fail2ban to ban anything anymore :-(
This is what I have on my ISPConfig 2 server:

jail.conf:

Code:
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <[email protected]>
#
# $Revision: 281 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]

# Following actions can be chosen as an alternatives to the above action.
# To activate, just copy/paste+uncomment chosen 2 (excluding comments) lines
# into jail.local

# Default action to take: ban & send an e-mail with whois report
# to the destemail.
# action = iptables[name=%(__name__)s, port=%(port)s]
#          mail-whois[name=%(__name__)s, dest=%(destemail)s]

# Default action to take: ban & send an e-mail with whois report
# and relevant log lines to the destemail.
# action = iptables[name=%(__name__)s, port=%(port)s]
#          mail-whois-lines[name=%(__name__)s, dest=%(destemail)s, logpath=%(logpath)s]

# Next jails corresponds to the standard configuration in Fail2ban 0.6
# which was shipped in Debian. Please enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

#
# HTTP servers
#

[apache]
enabled = false
port = http
filter = apache-auth
logpath = /var/log/apache*/*access.log
maxretry = 6

[apache-noscript]
enabled = false
port = http
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

#
# FTP servers
#

[vsftpd]
enabled = false
port = ftp
filter = vsftpd
logpath = /var/log/auth.log
maxretry = 6

[proftpd]
enabled = false
port = ftp
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6

[wuftpd]
enabled = false
port = ftp
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 6

#
# Mail servers
#

[postfix]
enabled = false
port = smtp
filter = postfix
logpath = /var/log/postfix.log

[couriersmtp]
enabled = false
port = smtp
filter = couriersmtp
logpath = /var/log/mail.log

[sasl]
enabled = false
port = smtp
filter = sasl
logpath = /var/log/mail.log

jail.local:

Code:
[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = [email protected]

# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5

[apache]
enabled = true
port = http
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 5

[apache-noscript]
enabled = false
port = http
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 5

[vsftpd]
enabled = false
port = ftp
filter = vsftpd
logpath = /var/log/auth.log
maxretry = 5

[proftpd]
enabled = true
port = ftp
filter = proftpd
logpath = /var/log/auth.log
failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
maxretry = 5

[wuftpd]
enabled = false
port = ftp
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 5

[postfix]
enabled = false
port = smtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 5

[courierpop3]
enabled = false
port = pop3
filter = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5

[courierimap]
enabled = false
port = imap2
filter = courierlogin
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5

[sasl]
enabled = false
port = smtp
filter = sasl
failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
logpath = /var/log/mail.log
maxretry = 5
@edge, I see that falko gave you the config files already. Beware that the configuration for PureFTPd is not in these files. You can add the configuration for PureFTPd as mentioned earlier in this thread.
If you want to start from scratch again with fail2ban, maybe the easiest way is to do:

apt-get remove --purge fail2ban
(this removes fail2ban including the fail2ban config files)

apt-get install fail2ban
(to install it again)

After that, edit the config files as mentioned above. If you use ISPConfig 3 (as I think), also have a look here:
Hi everyone, I tried to apply this hint to my Fedora 13 (64) Perfect Server, but: if I add the following to /etc/fail2ban/jail.conf

Code:
[pure-ftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = pure-ftpd
logpath = /var/log/messages
maxretry = 6

then when I restart fail2ban [service fail2ban restart] it fails; if I remove the added rules it works fine. Can someone help to add Fail2Ban for pure-ftpd on Fedora? I'm getting bored of having a huge log of login tries with unknown users. Thanks
That's the problem, I don't have any fail2ban.log file in /var/log. I created the file myself and tried again to add the lines in jail.conf. Still having an error (this is, I think, normal), but nothing is written in the log file ...
Here it is:

Code:
[root@skynet ~]# ls -la /etc/fail2ban/filter.d/
total 116
drwxr-xr-x 2 root root 4096 30 juil. 17:41 .
drwxr-xr-x 4 root root 4096 30 juil. 17:41 ..
-rw-r--r-- 1 root root  711  8 févr.  2009 apache-auth.conf
-rw-r--r-- 1 root root 2396  5 mars   2008 apache-badbots.conf
-rw-r--r-- 1 root root  628 13 oct.   2008 apache-nohome.conf
-rw-r--r-- 1 root root  763  8 févr.  2009 apache-noscript.conf
-rw-r--r-- 1 root root  444  5 mars   2008 apache-overflows.conf
-rw-r--r-- 1 root root 1039  8 févr.  2009 common.conf
-rw-r--r-- 1 root root  616  8 févr.  2009 courierlogin.conf
-rw-r--r-- 1 root root  591  8 févr.  2009 couriersmtp.conf
-rw-r--r-- 1 root root 1012  8 févr.  2009 cyrus-imap.conf
-rw-r--r-- 1 root root  613  8 févr.  2009 exim.conf
-rw-r--r-- 1 root root  447 22 mai    2008 gssftpd.conf
-rw-r--r-- 1 root root  397 30 août   2009 lighttpd-fastcgi.conf
-rw-r--r-- 1 root root 1013  9 févr.  2009 named-refused.conf
-rw-r--r-- 1 root root  870 22 mai    2008 pam-generic.conf
-rw-r--r-- 1 root root  867 30 août   2009 php-url-fopen.conf
-rw-r--r-- 1 root root  591  8 févr.  2009 postfix.conf
-rw-r--r-- 1 root root  878  8 févr.  2009 proftpd.conf
-rw-r--r-- 1 root root  886  8 nov.  10:19 pure-ftpd.conf
-rw-r--r-- 1 root root  606  8 févr.  2009 qmail.conf
-rw-r--r-- 1 root root  679  8 févr.  2009 sasl.conf
-rw-r--r-- 1 root root  581  3 févr.  2009 sieve.conf
-rw-r--r-- 1 root root 1648  8 févr.  2009 sshd.conf
-rw-r--r-- 1 root root  627  8 févr.  2009 sshd-ddos.conf
-rw-r--r-- 1 root root  700  8 févr.  2009 vsftpd.conf
-rw-r--r-- 1 root root  827  8 févr.  2009 webmin-auth.conf
-rw-r--r-- 1 root root  437 22 mai    2008 wuftpd.conf
-rw-r--r-- 1 root root  848  8 févr.  2009 xinetd-fail.conf
[root@skynet ~]#

Contents of pure-ftpd.conf:

Code:
[root@skynet ~]# cat /etc/fail2ban/filter.d/pure-ftpd.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav Halchenko for pure-ftpd
#
# $Revision: 3$
#

[Definition]

# Error message specified in multiple languages
__errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'utilisateur)

#
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
#failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$
failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
[root@skynet ~]#
Thanks to the French Fedora web site I've found the error: "action" was missing in the jail.conf

Code:
[pure-ftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = pure-ftpd
action = iptables[name=PUREFTP, port=ftp, protocol=tcp]
         sendmail-whois[name=PUREFTP, [email protected]]
logpath = /var/log/messages
maxretry = 6

Now it works perfectly, no more errors on start of Fail2ban
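As an added example, not from any post in this thread and not fail2ban's own code, here is a small Python check that reads a jail.conf-style fragment with configparser and reports which enabled jails lack filter, logpath or action once the DEFAULT section has been taken into account. The fragment is constructed to reproduce the situation in the post above: a [pure-ftpd] jail with no action of its own and no action in DEFAULT, which is what the poster traced the failed restart to. The `%(__name__)s` / `%(port)s` expansion mirrors the placeholders used in the jail.conf posted earlier in the thread; `missing_options`, `effective_actions` and the sample text are assumptions of this example.

```python
import configparser

# Options every enabled jail needs, either in its own section or via DEFAULT.
REQUIRED = ("filter", "logpath", "action")

# Constructed jail.conf fragment (not a file from the thread): DEFAULT has no
# "action", and the pure-ftpd jail does not define one either.
JAIL_TEXT = """
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 600
maxretry = 3

[ssh]
enabled = true
port = ssh
filter = sshd
action = iptables[name=%(__name__)s, port=%(port)s]
logpath = /var/log/auth.log

[pure-ftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = pure-ftpd
logpath = /var/log/messages
maxretry = 6

[proftpd]
enabled = false
port = ftp
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
"""

# The same fragment with the fix from the post above applied to the jail section.
JAIL_TEXT_FIXED = JAIL_TEXT.replace(
    "filter = pure-ftpd\n",
    "filter = pure-ftpd\naction = iptables[name=PUREFTP, port=ftp, protocol=tcp]\n",
)


def load_jails(text: str) -> configparser.ConfigParser:
    # interpolation=None: fail2ban's %(...)s placeholders are resolved by hand
    # in expand() below rather than by configparser's own interpolation.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def expand(cp: configparser.ConfigParser, section: str, key: str) -> str:
    """Resolve the two placeholders seen in the thread's action lines:
    %(__name__)s becomes the jail name, %(port)s the jail's port value."""
    value = cp.get(section, key).replace("%(__name__)s", section)
    if cp.has_option(section, "port"):
        value = value.replace("%(port)s", cp.get(section, "port"))
    return value


def missing_options(text: str) -> dict:
    """Map each enabled jail to the REQUIRED options it lacks after DEFAULT
    fallback; has_option() already consults DEFAULT for us."""
    cp = load_jails(text)
    report = {}
    for jail in cp.sections():
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue
        missing = [k for k in REQUIRED if not cp.has_option(jail, k)]
        if missing:
            report[jail] = missing
    return report


def effective_actions(text: str) -> dict:
    """The action string each enabled jail would actually run, placeholders expanded."""
    cp = load_jails(text)
    return {
        jail: expand(cp, jail, "action")
        for jail in cp.sections()
        if cp.getboolean(jail, "enabled", fallback=False) and cp.has_option(jail, "action")
    }


if __name__ == "__main__":
    print("missing before fix:", missing_options(JAIL_TEXT))
    print("missing after fix: ", missing_options(JAIL_TEXT_FIXED))
    print("actions after fix: ", effective_actions(JAIL_TEXT_FIXED))
```

Run against a real /etc/fail2ban/jail.conf plus jail.local (read both files into one string, jail.local last, so its values override), the report lists exactly the jails that will fail to start for want of a filter, log path or action before you restart the service.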