I tested the fail2ban setup that is described in the perfect setup guide for debian 6 on my test server here and it blocked the pure-ftpd-mysql login attemps correctly in my tests: http://www.howtoforge.com/perfect-server-debian-squeeze-with-bind-and-dovecot-ispconfig-3-p5 Maybe you enabled debugging in pure-ftpd which changes the log style or something similar?
I wish I had seen that link earlier . Thanks for pointing me in the right direction, Till. The cited tutorial contains the correct information regarding the log location (/var/log/syslog), which is good to see. However, when I change my fail2ban configuration to match that in the tutorial, I'm never banned in my tests. I have not changed the pure-ftpd configuration or logging options, for what that's worth. I tried passing the sample log line and regex from the tutorial to fail2ban-regex, and a match is found, so I'm not sure why I'm never banned. I have made sure that my IP address is not white-listed in the fail2ban configuration. With fail2ban's loglevel = 3, nothing is logged when I repeatedly fail authentication. The maxretry threshold is set to 3, and I've tried dozens of times -- still nothing. If I set fail2ban's loglevel = 4, there is simply too much output for me to sort-out the log entries. Is this a question for the fail2ban mailing list? Unfortunately, I've introduced another issue while attempting to troubleshoot this one. I forced a log rotation for all logs when I meant to force a rotation only for /var/log/auth.log. (I wanted to force a rotation because this file was some 400MB in size, and parsing it with fail2ban-regex was taking too long.) Now, nothing is being written to /var/log/auth.log. If I tail the file, and for example, log-in via SSH, nothing is written to the log. After a day or so, the log is still empty. Why might rotating the log cause this behavior? The files look like this: Code: -rw-r----- 1 syslog adm 0 Jan 4 09:49 auth.log -rw-r----- 1 syslog adm 376M Jan 5 08:32 auth.log.1 EDIT: Now that I look at these dates, I realize that the auth.log.1 file is the one being modified, not auth.log. I should add that auth.log was never being rotated (which is why it was 376MB in size), so I created the file /etc/logrotate.d/auth and populated it with the following contents: Code: /var/log/auth.log { weekly rotate 12 } I forced the log rotation after creating this file, if I recall correctly. The relevant entry in /etc/syslog.conf looks correct: Code: auth,authpriv.* -/var/log/auth.log Any idea why this would cause the .1 log file to become the primary log? Is there a simple way to fix this?
Okay, all is well, finally. When I removed the file I had created at /etc/logrotate.d/auth, the system began logging to /var/log/auth.log again. Even though the pure-ftpd-mysql jail in fail2ban was not monitoring this file (it was monitoring /var/log/syslog), the fact that /var/log/auth.log was empty seemed to keep fail2ban from banning via the pure-ftpd-mysql jail. This is strange, given that fail2ban continued banning for other jails, such as postfix. I don't know why /var/log/auth.log is never rotated on this system, because I have other systems that are nearly identical on which that log is rotated every three days. Once I sort that, I'll be a happy camper!
Thanks a lot--that missing \ in ])?: (.+?@<HOST>) sure caused a lot of trouble, including having Hetzner take my server offline for 6 hours because of the pure-ftpd attacks that weren't being blocked.
