On Thu, 21 Dec 2006 09:14:08 -0500
Yaroslav Halchenko <[EMAIL PROTECTED]> wrote:

> Hi Antonio,
> 
> Send me
> 1. output of commands
> fail2ban-client status
> fail2ban-client status vsftpd

Hi Yaroslav

1) [EMAIL PROTECTED]:/# fail2ban-client status
Status
|- Number of jail:      2
`- Jail list:           vsftpd, ssh

2) [EMAIL PROTECTED]:/# fail2ban-client status vsftpd
Status for the jail: vsftpd
|- filter
|  |- Currently failed:         0
|  `- Total failed:             0
`- action
   |- Currently banned:         0
   `- Total banned:             0

> 
> 2. fail2ban.log
> 

[EMAIL PROTECTED]:/# cat /var/log/fail2ban.log
2006-12-17 07:19:27,600 fail2ban.jail   : INFO   Using poller
2006-12-17 07:19:27,601 fail2ban.filter : INFO   Created Filter
2006-12-17 07:19:27,601 fail2ban.filter : INFO   Created FilterPoll
2006-12-17 07:19:27,602 fail2ban.filter : INFO   Added logfile = 
/var/log/auth.log
2006-12-17 07:19:27,603 fail2ban.filter : INFO   Set maxRetry = 3
2006-12-17 07:19:27,605 fail2ban.filter : INFO   Set maxTime = 600
2006-12-17 07:19:27,606 fail2ban.actions: INFO   Set banTime = 24600
2006-12-17 07:19:27,608 fail2ban.filter : INFO   Set failregex = vsftpd: 
\(pam_unix\) authentication failure; .* rhost=(?P<host>\S*)
2006-12-17 07:19:27,610 fail2ban.actions.action: INFO   Set actionBan = 
iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2006-12-17 07:19:27,611 fail2ban.actions.action: INFO   Set actionStop = 
iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2006-12-17 07:19:27,613 fail2ban.actions.action: INFO   Set actionStart = 
iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
2006-12-17 07:19:27,614 fail2ban.actions.action: INFO   Set actionUnban = 
iptables -D fail2ban-<name> -s <ip> -j DROP
2006-12-17 07:19:27,615 fail2ban.actions.action: INFO   Set actionCheck = 
iptables -L INPUT | grep -q fail2ban-<name>
2006-12-17 07:19:27,619 fail2ban.jail   : INFO   Using poller
2006-12-17 07:19:27,620 fail2ban.filter : INFO   Created Filter
2006-12-17 07:19:27,620 fail2ban.filter : INFO   Created FilterPoll
2006-12-17 07:19:27,621 fail2ban.filter : INFO   Added logfile = 
/var/log/auth.log
2006-12-17 07:19:27,622 fail2ban.filter : INFO   Set maxRetry = 3
2006-12-17 07:19:27,624 fail2ban.filter : INFO   Set maxTime = 600
2006-12-17 07:19:27,625 fail2ban.actions: INFO   Set banTime = 24600
2006-12-17 07:19:27,627 fail2ban.filter : INFO   Set failregex = 
(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) 
user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) 
(?:::f{4,6}:)?(?P<host>\S*)
2006-12-17 07:19:27,629 fail2ban.actions.action: INFO   Set actionBan = 
iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2006-12-17 07:19:27,630 fail2ban.actions.action: INFO   Set actionStop = 
iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2006-12-17 07:19:27,632 fail2ban.actions.action: INFO   Set actionStart = 
iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
2006-12-17 07:19:27,633 fail2ban.actions.action: INFO   Set actionUnban = 
iptables -D fail2ban-<name> -s <ip> -j DROP
2006-12-17 07:19:27,634 fail2ban.actions.action: INFO   Set actionCheck = 
iptables -L INPUT | grep -q fail2ban-<name>
2006-12-18 10:18:17,052 fail2ban.server : INFO   Exiting Fail2ban
2006-12-18 10:19:20,063 fail2ban.jail   : INFO   Using poller
2006-12-18 10:19:20,151 fail2ban.filter : INFO   Created Filter
2006-12-18 10:19:20,152 fail2ban.filter : INFO   Created FilterPoll
2006-12-18 10:19:20,153 fail2ban.filter : INFO   Added logfile = 
/var/log/auth.log
2006-12-18 10:19:20,154 fail2ban.filter : INFO   Set maxRetry = 3
2006-12-18 10:19:20,156 fail2ban.filter : INFO   Set findtime = 600
2006-12-18 10:19:20,157 fail2ban.actions: INFO   Set banTime = 24600
2006-12-18 10:19:20,159 fail2ban.filter : INFO   Set failregex = vsftpd: 
\(pam_unix\) authentication failure; .* rhost=(?P<host>\S*)
2006-12-18 10:19:20,161 fail2ban.filter : INFO   Set ignoreregex =
2006-12-18 10:19:20,163 fail2ban.actions.action: INFO   Set actionBan = 
iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2006-12-18 10:19:20,164 fail2ban.actions.action: INFO   Set actionStop = 
iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2006-12-18 10:19:20,166 fail2ban.actions.action: INFO   Set actionStart = 
iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
2006-12-18 10:19:20,167 fail2ban.actions.action: INFO   Set actionUnban = 
iptables -D fail2ban-<name> -s <ip> -j DROP
2006-12-18 10:19:20,169 fail2ban.actions.action: INFO   Set actionCheck = 
iptables -L INPUT | grep -q fail2ban-<name>
2006-12-18 10:19:20,173 fail2ban.jail   : INFO   Using poller
2006-12-18 10:19:20,173 fail2ban.filter : INFO   Created Filter
2006-12-18 10:19:20,173 fail2ban.filter : INFO   Created FilterPoll
2006-12-18 10:19:20,175 fail2ban.filter : INFO   Added logfile = 
/var/log/auth.log
2006-12-18 10:19:20,176 fail2ban.filter : INFO   Set maxRetry = 3
2006-12-18 10:19:20,178 fail2ban.filter : INFO   Set findtime = 600
2006-12-18 10:19:20,179 fail2ban.actions: INFO   Set banTime = 24600
2006-12-18 10:19:20,183 fail2ban.filter : INFO   Set failregex = 
(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) 
user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) 
(?:::f{4,6}:)?(?P<host>\S+)
2006-12-18 10:19:20,184 fail2ban.filter : INFO   Set ignoreregex =
2006-12-18 10:19:20,186 fail2ban.actions.action: INFO   Set actionBan = 
iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2006-12-18 10:19:20,188 fail2ban.actions.action: INFO   Set actionStop = 
iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2006-12-18 10:19:20,190 fail2ban.actions.action: INFO   Set actionStart = 
iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
2006-12-18 10:19:20,191 fail2ban.actions.action: INFO   Set actionUnban = 
iptables -D fail2ban-<name> -s <ip> -j DROP
2006-12-18 10:19:20,192 fail2ban.actions.action: INFO   Set actionCheck = 
iptables -L INPUT | grep -q fail2ban-<name>
2006-12-19 12:53:52,805 fail2ban.jail   : INFO   Using poller
2006-12-19 12:53:52,915 fail2ban.filter : INFO   Created Filter
2006-12-19 12:53:52,915 fail2ban.filter : INFO   Created FilterPoll
2006-12-19 12:53:52,916 fail2ban.filter : INFO   Added logfile = 
/var/log/auth.log
2006-12-19 12:53:52,919 fail2ban.filter : INFO   Set maxRetry = 3
2006-12-19 12:53:52,922 fail2ban.filter : INFO   Set findtime = 600
2006-12-19 12:53:52,923 fail2ban.actions: INFO   Set banTime = 24600
2006-12-19 12:53:52,925 fail2ban.filter : INFO   Set failregex = vsftpd: 
\(pam_unix\) authentication failure; .* rhost=(?P<host>\S*)
2006-12-19 12:53:52,929 fail2ban.filter : INFO   Set ignoreregex =
2006-12-19 12:53:52,931 fail2ban.actions.action: INFO   Set actionBan = 
iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2006-12-19 12:53:52,933 fail2ban.actions.action: INFO   Set actionStop = 
iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2006-12-19 12:53:52,934 fail2ban.actions.action: INFO   Set actionStart = 
iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
2006-12-19 12:53:52,981 fail2ban.actions.action: INFO   Set actionUnban = 
iptables -D fail2ban-<name> -s <ip> -j DROP
2006-12-19 12:53:52,982 fail2ban.actions.action: INFO   Set actionCheck = 
iptables -L INPUT | grep -q fail2ban-<name>
2006-12-19 12:53:53,003 fail2ban.jail   : INFO   Using poller
2006-12-19 12:53:53,004 fail2ban.filter : INFO   Created Filter
2006-12-19 12:53:53,004 fail2ban.filter : INFO   Created FilterPoll
2006-12-19 12:53:53,005 fail2ban.filter : INFO   Added logfile = 
/var/log/auth.log
2006-12-19 12:53:53,006 fail2ban.filter : INFO   Set maxRetry = 3
2006-12-19 12:53:53,008 fail2ban.filter : INFO   Set findtime = 600
2006-12-19 12:53:53,033 fail2ban.actions: INFO   Set banTime = 24600
2006-12-19 12:53:53,037 fail2ban.filter : INFO   Set failregex = 
(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) 
user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) 
(?:::f{4,6}:)?(?P<host>\S+)
2006-12-19 12:53:53,038 fail2ban.filter : INFO   Set ignoreregex =
2006-12-19 12:53:53,040 fail2ban.actions.action: INFO   Set actionBan = 
iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2006-12-19 12:53:53,110 fail2ban.actions.action: INFO   Set actionStop = 
iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2006-12-19 12:53:53,111 fail2ban.actions.action: INFO   Set actionStart = 
iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
2006-12-19 12:53:53,113 fail2ban.actions.action: INFO   Set actionUnban = 
iptables -D fail2ban-<name> -s <ip> -j DROP
2006-12-19 12:53:53,114 fail2ban.actions.action: INFO   Set actionCheck = 
iptables -L INPUT | grep -q fail2ban-<name>

> 3. log lines which signaled failed attempt to login in vsftp
> 
Thu Dec 21 07:10:59 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client 
"60.18.168.138"
Thu Dec 21 07:11:00 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client 
"60.18.168.138"
Thu Dec 21 07:11:01 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client 
"60.18.168.138" (x 100)

Thu Dec 21 06:02:02 2006 [pid 22054] [Administrator] FAIL LOGIN: Client 
"60.18.168.138"
Thu Dec 21 06:02:04 2006 [pid 22054] [Administrator] FAIL LOGIN: Client 
"60.18.168.138"
Thu Dec 21 06:02:05 2006 [pid 22054] [Administrator] FAIL LOGIN: Client 
"60.18.168.138" (x 100)

> I assume that you use stock config files (besides that custom jail.local
> with enabled vsftpd section)
> 

Yes, that's right

> -- 
>                                   .-.
> =------------------------------   /v\  ----------------------------=
> Keep in touch                    // \\     (yoh@|www.)onerussian.com
> Yaroslav Halchenko              /(   )\               ICQ#: 60653192
>                    Linux User    ^^-^^    [175555]
> 
> 

Tell me if you need me to increase log verbosity... all I see is INFO

Thanks
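
A check of the logged settings against the quoted log lines, as an added example that is not part of the original message or of fail2ban's own code: it rebuilds the vsftpd jail's failregex and maxRetry from the fail2ban.log records above and counts matches in the FAIL LOGIN lines from point 3 and in a constructed PAM-style line. The function names, the unanchored search and the constructed sample lines are assumptions of this example.

```python
import re
from collections import Counter

# vsftpd-jail records from the fail2ban.log quoted in the message, mail wrap kept.
LOG_EXCERPT = [
    r"2006-12-19 12:53:52,919 fail2ban.filter : INFO   Set maxRetry = 3",
    r"2006-12-19 12:53:52,925 fail2ban.filter : INFO   Set failregex = vsftpd: ",
    r"\(pam_unix\) authentication failure; .* rhost=(?P<host>\S*)",
    r"2006-12-19 12:53:52,929 fail2ban.filter : INFO   Set ignoreregex =",
]
# Failed-login lines from point 3 of the message, unwrapped.
POSTED_LINES = [
    'Thu Dec 21 07:10:59 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client "60.18.168.138"',
    'Thu Dec 21 07:11:00 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client "60.18.168.138"',
    'Thu Dec 21 07:11:01 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client "60.18.168.138"',
]
# Constructed sample, not from the message: PAM-style lines of the shape the
# failregex expects (host name and fields made up, documentation-range address).
CONSTRUCTED_PAM_LINES = [
    "Dec 21 07:10:59 host vsftpd: (pam_unix) authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10"
] * 3

STAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
SETTING = re.compile(r"INFO\s+Set (\w+) = ?(.*)$")

def logged_settings(log_lines):
    """Map name -> value for 'Set <name> = <value>' records. A line without a
    leading timestamp is appended to the previous value, undoing the mail wrap."""
    settings, name = {}, None
    for line in log_lines:
        if STAMP.match(line):
            m = SETTING.search(line)
            name = m.group(1) if m else None
            if name:
                settings[name] = m.group(2)
        elif name:
            settings[name] += line
    return settings

def hosts_over_limit(settings, lines):
    """Hosts with at least maxRetry failregex hits (findtime window not modelled)."""
    rx = re.compile(settings["failregex"])
    hits = Counter()
    for line in lines:
        m = rx.search(line)  # unanchored search, an assumption of this example
        if m and m.group("host"):
            hits[m.group("host")] += 1
    return {h: n for h, n in hits.items() if n >= int(settings["maxRetry"])}

if __name__ == "__main__":
    cfg = logged_settings(LOG_EXCERPT)
    print(hosts_over_limit(cfg, POSTED_LINES), hosts_over_limit(cfg, CONSTRUCTED_PAM_LINES))
```

With the values quoted in the message, the FAIL LOGIN lines give no hits for this failregex, while the constructed PAM-style lines reach maxRetry.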

                