On Thu, 21 Dec 2006 22:09:05 -0500
Yaroslav Halchenko <[EMAIL PROTECTED]> wrote:
> > Hi again
> > Yes, it works! But it needed changing my jail.local also; that solved the
> > problem. Debian etch version didn't
> > work even changing jail.local. Keep reading.
> etch version doesn't have right failregex so you would need to override
> it in filters.d/vsftpd.local
> taking it from sid version
Don't know, your fail2ban_0.7.5-3~pre1_all works ok, I guess you've done that
change; I'm sure I didn't do it in
etch version.
>
> > They come from /var/log/vsftpd.log
> right - that is what I placed in jail.conf: /var/log/vsftpd.log so you
> don't have to override it in jail.local -- you just have to enable it
> (ie enabled=true)
In etch version you have to override it or change it; jail.conf says "auth.log".
>
> >, where they're mixed with successful logins. Yes, the pid # is a vsftpd one.
> > This is quite strange... I also thought those login attempts should be in
> > auth.log, and that vsftpd.log should contain
> > only succesful logins. Well, that did the trick: using /var/log/vsftpd log
> > in my jail.conf instead of /var/log/auth.log.
> > I don't know if it's been my mistake, but I don't rememeber changing that
> > in fail2ban 0.6, and it was working. ¿?
> 0.6 (up to the very last one) had my rules which were using
> /var/log/vsftpd.log not auth.log.
Yes, I checked my old (0.6) fail2ban.conf and they pointed to vsftpd.log.
>
> > Well, not too far... Fail2ban has been working fine till 0.7 version with a
> > custom vsftpd configuration. Vsftpd debian
> > packages are compiled without PAM support, so I compile the author's
> > package (nothing special, besides the PAM change).
> that explains missing lines in auth.log using original failregex shipped
> upstream ;-)
>
> So do you have vsftpd with PAM support? then you must have failed login
> entries in
> auth.log, right? how do they look?
I've been digging my recent and old auth.logs and the only thing they have is
something like
Dec 9 20:39:41 localhost pam_userdb[20270]: user 'xxxx' granted acces
but no vsftpd failed logins at all.
>
> Now I think it would be better to ship fail2ban with 2 jails - vsftpd
> (uses /var/log/vsftpd.log and corresponding failregex) and
> vsftpd-pam (uses upstream failregex and /var/log/auth.log). Could you
> please provide me with entries produced in auth.log with pam enabled
> vsftpd?
There are no such lines, I'm afraid.
> --
> .-.
> =------------------------------ /v\ ----------------------------=
> Keep in touch // \\ (yoh@|www.)onerussian.com
> Yaroslav Halchenko /( )\ ICQ#: 60653192
> Linux User ^^-^^ [175555]
>
>
______________________________________________
LLama Gratis a cualquier PC del Mundo.
Llamadas a fijos y móviles desde 1 céntimo por minuto.
http://es.voice.yahoo.com