On Thu, 21 Dec 2006 11:59:38 -0500
Yaroslav Halchenko <[EMAIL PROTECTED]> wrote:

> You can also read my blurb below - ie how I came to the fact that the
> fact that upstream started to ship vsftpd section (versions 0.6.2 and
> 0.7.1) which were different from my previously Debian shipped,
> and it slipped through my hands.
> 
> ok - fix is needed.
> 
> Could you please verify that next version works ok for you:
> 
> http://itanix.rutgers.edu/rumba/dists/sid/perspect/binary-all/net/fail2ban_0.7.5-3~pre1_all.deb

Hi again
Yes, it works! But it needed changing my jail.local also; that solved the problem.
Debian etch version didn't work even changing jail.local. Keep reading.

> 
> 
> > 2006-12-18 10:19:20,153 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
> > 2006-12-18 10:19:20,154 fail2ban.filter : INFO   Set maxRetry = 3
> > 2006-12-18 10:19:20,156 fail2ban.filter : INFO   Set findtime = 600
> > 2006-12-18 10:19:20,157 fail2ban.actions: INFO   Set banTime = 24600
> > 2006-12-18 10:19:20,159 fail2ban.filter : INFO   Set failregex = vsftpd: \(pam_unix\) authentication failure; .* rhost=(?P<host>\S*)
> > 2006-12-18 10:19:20,161 fail2ban.filter : INFO   Set ignoreregex =
> 
> > > 3. log lines which signaled failed attempt to login in vsftp
> 
> > Thu Dec 21 07:10:59 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client "60.18.168.138"
> > Thu Dec 21 07:11:00 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client "60.18.168.138"
> > Thu Dec 21 07:11:01 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client "60.18.168.138" (x 100)
> 
> > Thu Dec 21 06:02:02 2006 [pid 22054] [Administrator] FAIL LOGIN: Client "60.18.168.138"
> > Thu Dec 21 06:02:04 2006 [pid 22054] [Administrator] FAIL LOGIN: Client "60.18.168.138"
> > Thu Dec 21 06:02:05 2006 [pid 22054] [Administrator] FAIL LOGIN: Client "60.18.168.138" (x 100)
> 
> As you can see vsftpd filter looks for lines of format
>  vsftpd: \(pam_unix\) authentication failure; .* rhost=(?P<host>\S*)
> whenever yours (which came from auth.log ie syslog or from some other
> custom file?) are quite different and don't bear any vsftp sign (besides
> pid # which probably belongs to vsftpd)

They come from /var/log/vsftpd.log, where they're mixed with successful logins.
Yes, the pid # is a vsftpd one.
This is quite strange... I also thought those login attempts should be in
auth.log, and that vsftpd.log should contain only successful logins. Well, that
did the trick: using /var/log/vsftpd log in my jail.conf instead of /var/log/auth.log.
I don't know if it's been my mistake, but I don't remember changing that in
fail2ban 0.6, and it was working. ¿?

> 
> Surprisingly enough none of filters shipped with fail2ban was crafted
> for such log line.
> 
> The question now is how far you diverged from stock configuration in
> your vsftpd setup. I've installed vsftpd on my own box (running
> unstable with vsftp 2.0.5-2).

Well, not too far... Fail2ban has been working fine till 0.7 version with a
custom vsftpd configuration. Vsftpd Debian packages are compiled without PAM
support, so I compile the author's package (nothing special, besides the PAM change).

> 
> > > I assume that you use stock config files (besides that custom jail.local
> > > with enabled vsftpd section)
> > Yes, that's right
> 
> 
> 
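
An added example, not part of the original messages and not fail2ban's own code: it runs the failregex from the quoted fail2ban log against lines in the vsftpd.log format shown in the thread, to show why nothing was counted when the jail read that format. `VSFTPD_LOG_FAILREGEX`, `count_matches` and `hosts_to_ban` are hypothetical names; the ban logic is a simplified model of the quoted maxRetry = 3 and findtime = 600 settings, and the lines marked constructed are sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# failregex from the fail2ban log quoted in the thread (PAM line format).
PAM_FAILREGEX = re.compile(
    r'vsftpd: \(pam_unix\) authentication failure; .* rhost=(?P<host>\S*)')
# Hypothetical pattern for vsftpd's own log format; anchored at end of line so
# the host is always taken from the trailing Client "..." field.
VSFTPD_LOG_FAILREGEX = re.compile(
    r'\[pid \d+\] \[.*\] FAIL LOGIN: Client "(?P<host>[0-9A-Fa-f.:]+)"\s*$')

# First three lines follow the form quoted in the thread; the last two are constructed.
VSFTPD_LOG = '''\
Thu Dec 21 07:10:59 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client "60.18.168.138"
Thu Dec 21 07:11:00 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client "60.18.168.138"
Thu Dec 21 07:11:01 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client "60.18.168.138"
Thu Dec 21 07:12:30 2006 [pid 22060] [alice] OK LOGIN: Client "192.0.2.10"
Thu Dec 21 07:13:00 2006 [pid 22061] [alice] FAIL LOGIN: Client "192.0.2.10"
'''.splitlines()
# Constructed syslog-style line of the kind the PAM failregex expects.
PAM_LINE = ('Dec 21 07:10:59 ftp vsftpd: (pam_unix) authentication failure; '
            'logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.20')

def count_matches(lines, failregex):
    """Number of lines the failregex recognises as a failure."""
    return sum(1 for line in lines if failregex.search(line))

def hosts_to_ban(lines, failregex, maxretry=3, findtime=600):
    """Hosts with at least maxretry matching lines inside findtime seconds."""
    recent = defaultdict(list)
    banned = set()
    for line in lines:
        m = failregex.search(line)
        if not m:
            continue
        # vsftpd.log timestamp, e.g. "Thu Dec 21 07:10:59 2006" (24 characters)
        when = datetime.strptime(line[:24], "%a %b %d %H:%M:%S %Y")
        host = m.group("host")
        window = [t for t in recent[host] if (when - t).total_seconds() <= findtime]
        window.append(when)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return sorted(banned)

if __name__ == "__main__":
    print("PAM regex on vsftpd.log:", count_matches(VSFTPD_LOG, PAM_FAILREGEX))
    print("would ban:", hosts_to_ban(VSFTPD_LOG, VSFTPD_LOG_FAILREGEX))
```
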

