On Thu, 21 Dec 2006 11:59:38 -0500 Yaroslav Halchenko <[EMAIL PROTECTED]> wrote:

> You can also read my blurb below - ie how I came to the fact that the
> fact that upstream started to ship vsftpd section (versions 0.6.2 and
> 0.7.1) which were different from my previously Debian shipped,
> and it slipped through my hands.
>
> ok - fix is needed.
>
> Could you please verify that next version works ok for you:
>
> http://itanix.rutgers.edu/rumba/dists/sid/perspect/binary-all/net/fail2ban_0.7.5-3~pre1_all.deb

Hi again

Yes, it works! But it needed changing my jail.local also; that solved the problem. Debian etch version didn't work even changing jail.local. Keep reading.

> >
> > 2006-12-18 10:19:20,153 fail2ban.filter : INFO Added logfile = /var/log/auth.log
> > 2006-12-18 10:19:20,154 fail2ban.filter : INFO Set maxRetry = 3
> > 2006-12-18 10:19:20,156 fail2ban.filter : INFO Set findtime = 600
> > 2006-12-18 10:19:20,157 fail2ban.actions: INFO Set banTime = 24600
> > 2006-12-18 10:19:20,159 fail2ban.filter : INFO Set failregex = vsftpd: \(pam_unix\) authentication failure; .* rhost=(?P<host>\S*)
> > 2006-12-18 10:19:20,161 fail2ban.filter : INFO Set ignoreregex =
>
> > > 3. log lines which signaled failed attempt to login in vsftp
>
> > Thu Dec 21 07:10:59 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client "60.18.168.138"
> > Thu Dec 21 07:11:00 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client "60.18.168.138"
> > Thu Dec 21 07:11:01 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client "60.18.168.138" (x 100)
>
> > Thu Dec 21 06:02:02 2006 [pid 22054] [Administrator] FAIL LOGIN: Client "60.18.168.138"
> > Thu Dec 21 06:02:04 2006 [pid 22054] [Administrator] FAIL LOGIN: Client "60.18.168.138"
> > Thu Dec 21 06:02:05 2006 [pid 22054] [Administrator] FAIL LOGIN: Client "60.18.168.138" (x 100)
>
> As you can see vsftpd filter looks for lines of format
> vsftpd: \(pam_unix\) authentication failure; .* rhost=(?P<host>\S*)
> whenever yours (which came from auth.log ie syslog or from some other
> custom file?) are quite different and don't bear any vsftp sign (besides
> pid # which probably belongs to vsftpd)

They come from /var/log/vsftpd.log, where they're mixed with successful logins. Yes, the pid # is a vsftpd one. This is quite strange... I also thought those login attempts should be in auth.log, and that vsftpd.log should contain only successful logins.

Well, that did the trick: using /var/log/vsftpd log in my jail.conf instead of /var/log/auth.log. I don't know if it's been my mistake, but I don't remember changing that in fail2ban 0.6, and it was working. ¿?

>
> Surprisingly enough none of filters shipped with fail2ban was crafted
> for such log line.
>
> The question now is how far you diverged from stock configuration in
> your vsftpd setup. I've installed vsftpd on my own box (running
> unstable with vsftp 2.0.5-2).

Well, not too far... Fail2ban has been working fine till 0.7 version with a custom vsftpd configuration. Vsftpd debian packages are compiled without PAM support, so I compile the author's package (nothing special, besides the PAM change).

>
> > > I assume that you use stock config files (besides that custom jail.local
> > > with enabled vsftpd section)
> > Yes, that's right
>
> --
>                                   .-.
> =------------------------------   /v\  ----------------------------=
> Keep in touch                    // \\     (yoh@|www.)onerussian.com
> Yaroslav Halchenko              /(   )\               ICQ#: 60653192
>                    Linux User    ^^-^^    [175555]
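The mismatch discussed in this thread, as an added example that is not part of the original messages and is not fail2ban's own code: it runs the `failregex` from the quoted fail2ban log against the quoted `/var/log/vsftpd.log` lines, then applies the quoted `maxRetry = 3` / `findtime = 600` settings with a candidate pattern. `CANDIDATE`, `matched_hosts` and `hosts_to_ban` are hypothetical names, and the pattern assumes the log format is exactly as quoted above.

```python
import re
from datetime import datetime, timedelta

# failregex shown in the thread's fail2ban log for the vsftpd jail (auth.log format).
SHIPPED = re.compile(r"vsftpd: \(pam_unix\) authentication failure; .* rhost=(?P<host>\S*)")

# Hypothetical pattern for the vsftpd.log lines quoted in the thread (an assumption of
# this example, not a filter shipped by fail2ban). It is anchored at both ends so the
# host is read from the fixed trailing field, not from the client-supplied user name.
CANDIDATE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[[^\]]*\] FAIL LOGIN: Client "(?P<host>\d{1,3}(?:\.\d{1,3}){3})"\s*$'
)

# First three lines are copied from the thread; the last one is constructed for contrast.
SAMPLE = [
    'Thu Dec 21 07:10:59 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client "60.18.168.138"',
    'Thu Dec 21 07:11:00 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client "60.18.168.138"',
    'Thu Dec 21 07:11:01 2006 [pid 22054] [tsinternetusers] FAIL LOGIN: Client "60.18.168.138"',
    'Thu Dec 21 07:11:05 2006 [pid 22060] [alice] OK LOGIN: Client "192.0.2.10"',  # constructed
]

def matched_hosts(lines, pattern):
    """Hosts captured by `pattern`, one entry per matching line."""
    return [m.group("host") for m in map(pattern.search, lines) if m]

def hosts_to_ban(lines, max_retry=3, findtime=600):
    """Hosts with at least max_retry failures inside a findtime-second window."""
    recent, banned = {}, []
    window = timedelta(seconds=findtime)
    for line in lines:
        m = CANDIDATE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        host = m.group("host")
        # Keep only failures still inside the sliding window, then add this one.
        recent[host] = [t for t in recent.get(host, []) if ts - t <= window] + [ts]
        if len(recent[host]) >= max_retry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print("shipped failregex matches:", matched_hosts(SAMPLE, SHIPPED))
    print("candidate pattern matches:", matched_hosts(SAMPLE, CANDIDATE))
    print("hosts reaching maxRetry:  ", hosts_to_ban(SAMPLE))
```

A jail whose filter matches nothing in its log file starts cleanly and never bans, so checking the pattern against real lines from the configured `logpath` is the quickest way to catch this after an upgrade.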

