On Thu, 21 Dec 2006 09:14:08 -0500
Yaroslav Halchenko <[EMAIL PROTECTED]> wrote:
> Hi Antonio,
>
> Send me
> 1. output of commands
> fail2ban-client status
> fail2ban-client status vsftpd
Hi Yaroslav
1) [EMAIL PROTECTED]:/# fail2ban-client status
Status
|- Number of jail: 2
`- Jail list: vsftpd, ssh
2) [EMAIL PROTECTED]:/# fail2ban-client status vsftpd
Status for the jail: vsftpd
|- filter
|  |- Currently failed: 0
|  `- Total failed: 0
`- action
   |- Currently banned: 0
   `- Total banned: 0
>
> 2. fail2ban.log
>
[EMAIL PROTECTED]:/# cat /var/log/fail2ban.log
2006-12-17 07:19:27,600 fail2ban.jail : INFO Using poller
2006-12-17 07:19:27,601 fail2ban.filter : INFO Created Filter
2006-12-17 07:19:27,601 fail2ban.filter : INFO Created FilterPoll
2006-12-17 07:19:27,602 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2006-12-17 07:19:27,603 fail2ban.filter : INFO Set maxRetry = 3
2006-12-17 07:19:27,605 fail2ban.filter : INFO Set maxTime = 600
2006-12-17 07:19:27,606 fail2ban.actions: INFO Set banTime = 24600
2006-12-17 07:19:27,608 fail2ban.filter : INFO Set failregex = vsftpd: \(pam_unix\) authentication failure; .* rhost=(?P<host>\S*)
2006-12-17 07:19:27,610 fail2ban.actions.action: INFO Set actionBan =
iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2006-12-17 07:19:27,611 fail2ban.actions.action: INFO Set actionStop =
iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2006-12-17 07:19:27,613 fail2ban.actions.action: INFO Set actionStart =
iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
2006-12-17 07:19:27,614 fail2ban.actions.action: INFO Set actionUnban =
iptables -D fail2ban-<name> -s <ip> -j DROP
2006-12-17 07:19:27,615 fail2ban.actions.action: INFO Set actionCheck =
iptables -L INPUT | grep -q fail2ban-<name>
2006-12-17 07:19:27,619 fail2ban.jail : INFO Using poller
2006-12-17 07:19:27,620 fail2ban.filter : INFO Created Filter
2006-12-17 07:19:27,620 fail2ban.filter : INFO Created FilterPoll
2006-12-17 07:19:27,621 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2006-12-17 07:19:27,622 fail2ban.filter : INFO Set maxRetry = 3
2006-12-17 07:19:27,624 fail2ban.filter : INFO Set maxTime = 600
2006-12-17 07:19:27,625 fail2ban.actions: INFO Set banTime = 24600
2006-12-17 07:19:27,627 fail2ban.filter : INFO Set failregex = (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S*)
2006-12-17 07:19:27,629 fail2ban.actions.action: INFO Set actionBan =
iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2006-12-17 07:19:27,630 fail2ban.actions.action: INFO Set actionStop =
iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2006-12-17 07:19:27,632 fail2ban.actions.action: INFO Set actionStart =
iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
2006-12-17 07:19:27,633 fail2ban.actions.action: INFO Set actionUnban =
iptables -D fail2ban-<name> -s <ip> -j DROP
2006-12-17 07:19:27,634 fail2ban.actions.action: INFO Set actionCheck =
iptables -L INPUT | grep -q fail2ban-<name>
2006-12-18 10:18:17,052 fail2ban.server : INFO Exiting Fail2ban
2006-12-18 10:19:20,063 fail2ban.jail : INFO Using poller
2006-12-18 10:19:20,151 fail2ban.filter : INFO Created Filter
2006-12-18 10:19:20,152 fail2ban.filter : INFO Created FilterPoll
2006-12-18 10:19:20,153 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2006-12-18 10:19:20,154 fail2ban.filter : INFO Set maxRetry = 3
2006-12-18 10:19:20,156 fail2ban.filter : INFO Set findtime = 600
2006-12-18 10:19:20,157 fail2ban.actions: INFO Set banTime = 24600
2006-12-18 10:19:20,159 fail2ban.filter : INFO Set failregex = vsftpd: \(pam_unix\) authentication failure; .* rhost=(?P<host>\S*)
2006-12-18 10:19:20,161 fail2ban.filter : INFO Set ignoreregex =
2006-12-18 10:19:20,163 fail2ban.actions.action: INFO Set actionBan =
iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2006-12-18 10:19:20,164 fail2ban.actions.action: INFO Set actionStop =
iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2006-12-18 10:19:20,166 fail2ban.actions.action: INFO Set actionStart =
iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
2006-12-18 10:19:20,167 fail2ban.actions.action: INFO Set actionUnban =
iptables -D fail2ban-<name> -s <ip> -j DROP
2006-12-18 10:19:20,169 fail2ban.actions.action: INFO Set actionCheck =
iptables -L INPUT | grep -q fail2ban-<name>
2006-12-18 10:19:20,173 fail2ban.jail : INFO Using poller
2006-12-18 10:19:20,173 fail2ban.filter : INFO Created Filter
2006-12-18 10:19:20,173 fail2ban.filter : INFO Created FilterPoll
2006-12-18 10:19:20,175 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2006-12-18 10:19:20,176 fail2ban.filter : INFO Set maxRetry = 3
2006-12-18 10:19:20,178 fail2ban.filter : INFO Set findtime = 600
2006-12-18 10:19:20,179 fail2ban.actions: INFO Set banTime = 24600
2006-12-18 10:19:20,183 fail2ban.filter : INFO Set failregex = (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S+)
2006-12-18 10:19:20,184 fail2ban.filter : INFO Set ignoreregex =
2006-12-18 10:19:20,186 fail2ban.actions.action: INFO Set actionBan =
iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2006-12-18 10:19:20,188 fail2ban.actions.action: INFO Set actionStop =
iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2006-12-18 10:19:20,190 fail2ban.actions.action: INFO Set actionStart =
iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
2006-12-18 10:19:20,191 fail2ban.actions.action: INFO Set actionUnban =
iptables -D fail2ban-<name> -s <ip> -j DROP
2006-12-18 10:19:20,192 fail2ban.actions.action: INFO Set actionCheck =
iptables -L INPUT | grep -q fail2ban-<name>
2006-12-19 12:53:52,805 fail2ban.jail : INFO Using poller
2006-12-19 12:53:52,915 fail2ban.filter : INFO Created Filter
2006-12-19 12:53:52,915 fail2ban.filter : INFO Created FilterPoll
2006-12-19 12:53:52,916 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2006-12-19 12:53:52,919 fail2ban.filter : INFO Set maxRetry = 3
2006-12-19 12:53:52,922 fail2ban.filter : INFO Set findtime = 600
2006-12-19 12:53:52,923 fail2ban.actions: INFO Set banTime = 24600
2006-12-19 12:53:52,925 fail2ban.filter : INFO Set failregex = vsftpd: \(pam_unix\) authentication failure; .* rhost=(?P<host>\S*)
2006-12-19 12:53:52,929 fail2ban.filter : INFO Set ignoreregex =
2006-12-19 12:53:52,931 fail2ban.actions.action: INFO Set actionBan =
iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2006-12-19 12:53:52,933 fail2ban.actions.action: INFO Set actionStop =
iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2006-12-19 12:53:52,934 fail2ban.actions.action: INFO Set actionStart =
iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
2006-12-19 12:53:52,981 fail2ban.actions.action: INFO Set actionUnban =
iptables -D fail2ban-<name> -s <ip> -j DROP
2006-12-19 12:53:52,982 fail2ban.actions.action: INFO Set actionCheck =
iptables -L INPUT | grep -q fail2ban-<name>
2006-12-19 12:53:53,003 fail2ban.jail : INFO Using poller
2006-12-19 12:53:53,004 fail2ban.filter : INFO Created Filter
2006-12-19 12:53:53,004 fail2ban.filter : INFO Created FilterPoll
2006-12-19 12:53:53,005 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2006-12-19 12:53:53,006 fail2ban.filter : INFO Set maxRetry = 3
2006-12-19 12:53:53,008 fail2ban.filter : INFO Set findtime = 600
2006-12-19 12:53:53,033 fail2ban.actions: INFO Set banTime = 24600
2006-12-19 12:53:53,037 fail2ban.filter : INFO Set failregex = (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S+)
2006-12-19 12:53:53,038 fail2ban.filter : INFO Set ignoreregex =
2006-12-19 12:53:53,040 fail2ban.actions.action: INFO Set actionBan =
iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2006-12-19 12:53:53,110 fail2ban.actions.action: INFO Set actionStop =
iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2006-12-19 12:53:53,111 fail2ban.actions.action: INFO Set actionStart =
iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
2006-12-19 12:53:53,113 fail2ban.actions.action: INFO Set actionUnban =
iptables -D fail2ban-<name> -s <ip> -j DROP
2006-12-19 12:53:53,114 fail2ban.actions.action: INFO Set actionCheck =
iptables -L INPUT | grep -q fail2ban-<name>
> 3. log lines which signaled failed attempt to login in vsftp
>
Thu Dec 21 07:10:59 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client "60.18.168.138"
Thu Dec 21 07:11:00 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client "60.18.168.138"
Thu Dec 21 07:11:01 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client "60.18.168.138" (x 100)
Thu Dec 21 06:02:02 2006 [pid 22054] [Administrator] FAIL LOGIN: Client "60.18.168.138"
Thu Dec 21 06:02:04 2006 [pid 22054] [Administrator] FAIL LOGIN: Client "60.18.168.138"
Thu Dec 21 06:02:05 2006 [pid 22054] [Administrator] FAIL LOGIN: Client "60.18.168.138" (x 100)
> I assume that you use stock config files (besides that custom jail.local
> with enabled vsftpd section)
>
Yes, that's right.
Tell me if you need me to increase log verbosity... all I see is INFO.
Thanks
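As an added check that is not part of the thread: this script applies the vsftpd failregex that fail2ban logged above to the FAIL LOGIN lines posted, and tallies matches per host against the logged maxRetry of 3, to see whether the filter would count those lines at all. The FAIL_LOGIN_REGEX pattern and the pam_unix-style auth.log line are constructed for this example (the auth.log layout is assumed from the regex itself), and re.search stands in for fail2ban's own date parsing and findtime window.

```python
import re

# failregex exactly as fail2ban logged it for the vsftpd jail in the thread.
VSFTPD_FAILREGEX = r"vsftpd: \(pam_unix\) authentication failure; .* rhost=(?P<host>\S*)"

# Illustrative pattern for the "FAIL LOGIN" format seen in the posted lines
# (written for this example, not a pattern from the thread).
FAIL_LOGIN_REGEX = r'FAIL LOGIN: Client "(?P<host>\S+)"'

# maxRetry as logged for the jail.
MAXRETRY = 3

# The vsftpd.log lines posted in the thread (email wrapping rejoined).
VSFTPD_LOG_LINES = [
    'Thu Dec 21 07:10:59 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client "60.18.168.138"',
    'Thu Dec 21 07:11:00 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client "60.18.168.138"',
    'Thu Dec 21 07:11:01 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client "60.18.168.138"',
]

# A constructed auth.log line in the shape the pam_unix regex expects
# (not from the thread; layout assumed from the regex itself).
PAM_AUTH_LOG_LINES = [
    "Dec 21 07:10:59 myhost vsftpd: (pam_unix) authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser=tsinternetusers rhost=60.18.168.138",
]


def count_failures(failregex, lines):
    """Count matching lines per <host>, the way a fail2ban filter tallies
    them before comparing against maxRetry. Plain re.search; fail2ban's own
    date parsing and findtime window are not modelled here."""
    pattern = re.compile(failregex)
    counts = {}
    for line in lines:
        m = pattern.search(line)
        if m:
            host = m.group("host")
            counts[host] = counts.get(host, 0) + 1
    return counts


def hosts_over_threshold(counts, maxretry=MAXRETRY):
    """Hosts whose failure count reached maxRetry (findtime ignored)."""
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, regex in (("logged failregex", VSFTPD_FAILREGEX),
                        ("FAIL LOGIN pattern", FAIL_LOGIN_REGEX)):
        counts = count_failures(regex, VSFTPD_LOG_LINES)
        print(name, "->", counts, "over threshold:", hosts_over_threshold(counts))
    print("pam_unix line ->", count_failures(VSFTPD_FAILREGEX, PAM_AUTH_LOG_LINES))
```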