On Thu, 21 Dec 2006 22:09:05 -0500
Yaroslav Halchenko <[EMAIL PROTECTED]> wrote:

> > Hi again
> > Yes, it works! But it needed changing my jail.local also; that solved the 
> > problem. Debian etch version didn't 
> > work even changing jail.local. Keep reading.
> etch version doesn't have right failregex so you would need to override
> it in filters.d/vsftpd.local
> taking it from sid version

Don't know, your fail2ban_0.7.5-3~pre1_all works ok, I guess you've done that 
change; I'm sure I didn't do it in
etch version.

> 
> > They come from /var/log/vsftpd.log
> right - that is what I placed in jail.conf: /var/log/vsftpd.log so you
> don't have to override it in jail.local -- you just have to enable it
> (ie enabled=true)

In etch version you have to override it or change it; jail.conf says "auth.log".

> 
> >, where they're mixed with successful logins. Yes, the pid # is a vsftpd one.
> > This is quite strange... I also thought those login attempts should be in 
> > auth.log, and that vsftpd.log should contain
> > only succesful logins. Well, that did the trick: using /var/log/vsftpd log 
> > in my jail.conf instead of /var/log/auth.log.
> > I don't know if it's been my mistake, but I don't rememeber changing that 
> > in fail2ban 0.6, and it was working. ¿?
> 0.6 (up to the very last one) had my rules which were using
> /var/log/vsftpd.log not auth.log.

Yes, I checked my old (0.6) fail2ban.conf and they pointed to vsftpd.log.

> 
> > Well, not too far... Fail2ban has been working fine till 0.7 version with a 
> > custom vsftpd configuration. Vsftpd debian
> > packages are compiled without PAM support, so I compile the author's 
> > package (nothing special, besides the PAM change).
> that explains missing lines in auth.log using original failregex shipped
> upstream ;-)
> 
> So do you have vsftpd with PAM support? then you must have failed login 
> entries in
> auth.log, right? how do they look?

I've been digging my recent and old auth.logs and the only thing they have is 
something like

        Dec  9 20:39:41 localhost pam_userdb[20270]: user 'xxxx' granted acces

but no vsftpd failed logins at all.

> 
> Now I think it would be better to ship fail2ban with 2 jails - vsftpd
> (uses /var/log/vsftpd.log and corresponding failregex) and
> vsftpd-pam (uses upstream failregex and /var/log/auth.log). Could you
> please provide me with entries produced in auth.log with pam enabled
> vsftpd?

There are no such lines, I'm afraid.

> -- 
>                                   .-.
> =------------------------------   /v\  ----------------------------=
> Keep in touch                    // \\     (yoh@|www.)onerussian.com
> Yaroslav Halchenko              /(   )\               ICQ#: 60653192
>                    Linux User    ^^-^^    [175555]
> 
> 


______________________________________________
LLama Gratis a cualquier PC del Mundo.
Llamadas a fijos y móviles desde 1 céntimo por minuto.
http://es.voice.yahoo.com


Reply via email to