Fail2ban for vsftpd is a bit of a dead loss. I have it configured along with a few other jails. All the jails seem to work OK except vsftpd. It shows in the log that it's started, but look what I'm getting in my logs, and it's EVERY day, all different IP addresses. I keep blocking them on the firewall, but this is IRRITATING and is sapping my bandwidth:

Code:
check pass; user unknown: 4803 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=backup rhost=112.220.98.98 : 558 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrateur rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrateur rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=besadmin rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=guest rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=info rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=information rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=internet rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=remote rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=sales rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=sql_tech rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=student rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=supermarket rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=system rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=user1 rhost=112.220.98.98 : 279 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=web rhost=112.220.98.98 : 60 Time(s)

And not a single peep from fail2ban! It seems that it's the latest version, because I had a previous version on a server I shut down a few weeks ago and on that it worked OK. Any ideas anyone?
CentOS 5.5/6.

Code:
[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=VSFTPD, [email protected], sender=fail2ban]
logpath  = /var/log/secure.log
maxretry = 3
bantime  = -1

Code:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 728 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
            \[.+\] FAIL LOGIN: Client "<HOST>"\s*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
Code:
May 1 22:21:43 CentOS55 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=112.220.98.98
May 1 22:21:43 CentOS55 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
May 1 22:21:47 CentOS55 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 1 22:21:47 CentOS55 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=112.220.98.98
May 1 22:21:47 CentOS55 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
May 1 22:21:50 CentOS55 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 1 22:21:50 CentOS55 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=112.220.98.98
May 1 22:21:50 CentOS55 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
May 1 22:21:55 CentOS55 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 1 22:21:55 CentOS55 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=112.220.98.98
May 1 22:21:55 CentOS55 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
May 1 22:21:59 CentOS55 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 1 22:21:59 CentOS55 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=112.220.98.98
May 1 22:21:59 CentOS55 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
May 1 22:22:03 CentOS55 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 1 22:22:03 CentOS55 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=112.220.98.98
May 1 22:22:03 CentOS55 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
May 1 22:22:08 CentOS55 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Can you try this regex instead:

Code:
failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>$
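Added example, not from the thread or from fail2ban itself: it runs both the filter's original failregex and the regex proposed in the reply over the log lines posted above, using Python's re module the way fail2ban does. The sample input is constructed: four of the posted pam_unix lines plus one invented line (rhost=10.0.0.5, ruser=ftpuser) for an account that does exist, because pam_unix appends " user=NAME" after rhost in that case, which is the one place the two regexes differ. The timestamp stripping and search-not-match behaviour are a simplified model of fail2ban 0.8's filter, not its code; the <HOST> expansion is the alias quoted in the filter's own header comment.

```python
import re
from collections import Counter

# Constructed sample: pam_unix lines as posted above, plus one
# "check pass; user unknown" line, which carries no rhost and can never be
# attributed to an attacker by any failregex.
SAMPLE_LOG = """\
May 1 22:21:43 CentOS55 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=112.220.98.98
May 1 22:21:43 CentOS55 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
May 1 22:21:47 CentOS55 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 1 22:21:47 CentOS55 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=112.220.98.98
May 1 22:21:50 CentOS55 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=112.220.98.98
May 1 22:21:55 CentOS55 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=112.220.98.98
"""

# Constructed (invented host and user): a failed login against an account
# that exists. pam_unix then appends " user=NAME" after rhost.
EXISTING_USER_LINE = (
    "May 1 22:30:01 CentOS55 vsftpd: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser=ftpuser rhost=10.0.0.5 user=ftpuser\n"
)

# The <HOST> alias, as given in the filter's header comment.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The two failregex lines from the posted filter.d/vsftpd.conf.
ORIGINAL_FAILREGEX = [
    r"vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$",
    r'\[.+\] FAIL LOGIN: Client "<HOST>"\s*$',
]

# The single regex proposed in the reply.
REPLY_FAILREGEX = [
    r"vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>$",
]

# Syslog timestamp, e.g. "May 1 22:21:43 ".
SYSLOG_DATE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} ")


def compile_failregex(patterns):
    """Expand the <HOST> alias the way fail2ban does and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def count_failures(log_text, patterns):
    """Return {host: number_of_failure_lines} over log_text.

    Simplified model of fail2ban 0.8: the timestamp is located and removed,
    and the remainder of the line is searched, not anchored at its start.
    A line counts once, against the first failregex that matches it.
    """
    compiled = compile_failregex(patterns)
    hits = Counter()
    for line in log_text.splitlines():
        body = SYSLOG_DATE.sub("", line, count=1)
        for rx in compiled:
            m = rx.search(body)
            if m:
                hits[m.group("host")] += 1
                break
    return dict(hits)


def hosts_to_ban(hits, maxretry=3):
    """Hosts that reached the jail's maxretry (findtime is ignored here)."""
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    log = SAMPLE_LOG + EXISTING_USER_LINE
    for label, patterns in (("original filter", ORIGINAL_FAILREGEX),
                            ("reply's regex", REPLY_FAILREGEX)):
        hits = count_failures(log, patterns)
        print(f"{label}: {hits} -> ban {hosts_to_ban(hits)}")
```

Both regexes match every "authentication failure" line posted above and attribute it to 112.220.98.98, so with maxretry = 3 the jail should have banned that host; the regex is not what is keeping it quiet. The first thing to check is the logpath: on CentOS, PAM messages go to /var/log/secure, and the jail above points at /var/log/secure.log. `fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/vsftpd.conf` reports how many lines the filter matches against the real file. Two caveats on the regexes themselves: the "check pass; user unknown" lines (4803 in the logwatch summary) carry no rhost and cannot be counted by any filter, and the reply's `rhost=<HOST>$` form drops the `(?:\s+user=\S*)?` group, so it will not match failures against accounts that exist, where pam_unix appends " user=NAME".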