Hi all,

Before I file a bug report on GitHub, I wanted to confirm that I am not doing something wrong :-)
I only use systemd/journal logging with Storage=volatile, and everything is being stored under /run/log/journal/abcdefghijklmnopqrstuvwxyz/system.journal. I confirmed that fail2ban-regex returns the same number of lines for both the systemd-journal and the systemd-journal[journalflags=1] logs, so that's not the issue.

Please note I did not change the default out-of-the-box filters:

https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/vsftpd.conf
https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/lighttpd-auth.conf

See the obfuscated outputs below, which suggest fail2ban can see the right types of entries in the systemd journal, but gets no matches:

$ fail2ban-regex systemd-journal vsftpd --print-all-missed

Running tests
=============

Use      jail : vsftpd
Use datepattern : {^LN-BEG} : Default Detectors
Use  systemd journal
Use   encoding : UTF-8
Use journal match : _SYSTEMD_UNIT=vsftpd.service + _COMM=vsftpd


Results
=======

Failregex: 0 total
Ignoreregex: 0 total

Date template hits:

Lines: 40 lines, 0 ignored, 0 matched, 40 missed
[processed in 0.01 sec]

|- Missed line(s):
|  2025-03-03T00:09:15.098247 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2218]: CONNECT: Client "120.121.122.123"
|  2025-03-03T00:09:15.098274 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2218]: FTP response: Client "120.121.122.123", "220 Welcome to 19.18.17.16."
|  2025-03-03T00:09:15.111829 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2218]: FTP command: Client "120.121.122.123", "AUTH TLS"
|  2025-03-03T00:09:15.111844 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2218]: FTP response: Client "120.121.122.123", "234 Proceed with negotiation."
|  2025-03-03T00:09:15.188476 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2218]: FTP command: Client "120.121.122.123", "USER username"
|  2025-03-03T00:09:15.188503 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2218]: [username] FTP response: Client "120.121.122.123", "331 Please specify the password."
|  2025-03-03T00:09:15.202958 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2218]: [username] FTP command: Client "120.121.122.123", "PASS <password>"
|  2025-03-03T00:09:15.205395 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2217]: [username] FAIL LOGIN: Client "120.121.122.123"
|  2025-03-03T00:09:16.205614 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2218]: [username] FTP response: Client "120.121.122.123", "530 Login incorrect."
|  2025-03-03T00:09:16.230811 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2218]: DEBUG: Client "120.121.122.123", "Control connection terminated without SSL shutdown."
|  2025-03-03T00:09:21.262572 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2220]: CONNECT: Client "120.121.122.123"
|  2025-03-03T00:09:21.262781 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2220]: FTP response: Client "120.121.122.123", "220 Welcome to 19.18.17.16."
|  2025-03-03T00:09:21.287802 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2220]: FTP command: Client "120.121.122.123", "AUTH TLS"
|  2025-03-03T00:09:21.287818 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2220]: FTP response: Client "120.121.122.123", "234 Proceed with negotiation."
|  2025-03-03T00:09:21.350329 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2220]: FTP command: Client "120.121.122.123", "USER username"
|  2025-03-03T00:09:21.350346 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2220]: [username] FTP response: Client "120.121.122.123", "331 Please specify the password."
|  2025-03-03T00:09:21.363968 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2220]: [username] FTP command: Client "120.121.122.123", "PASS <password>"
|  2025-03-03T00:09:21.367627 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2219]: [username] FAIL LOGIN: Client "120.121.122.123"
|  2025-03-03T00:09:22.367840 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2220]: [username] FTP response: Client "120.121.122.123", "530 Login incorrect."
|  2025-03-03T00:09:22.394834 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2220]: DEBUG: Client "120.121.122.123", "Control connection terminated without SSL shutdown."
|  2025-03-03T00:09:27.418965 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2222]: CONNECT: Client "120.121.122.123"
|  2025-03-03T00:09:27.419163 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2222]: FTP response: Client "120.121.122.123", "220 Welcome to 19.18.17.16."
|  2025-03-03T00:09:27.431663 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2222]: FTP command: Client "120.121.122.123", "AUTH TLS"
|  2025-03-03T00:09:27.431731 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2222]: FTP response: Client "120.121.122.123", "234 Proceed with negotiation."
|  2025-03-03T00:09:27.509932 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2222]: FTP command: Client "120.121.122.123", "USER username"
|  2025-03-03T00:09:27.510260 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2222]: [username] FTP response: Client "120.121.122.123", "331 Please specify the password."
|  2025-03-03T00:09:27.523521 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2222]: [username] FTP command: Client "120.121.122.123", "PASS <password>"
|  2025-03-03T00:09:27.526685 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2221]: [username] FAIL LOGIN: Client "120.121.122.123"
|  2025-03-03T00:09:28.526902 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2222]: [username] FTP response: Client "120.121.122.123", "530 Login incorrect."
|  2025-03-03T00:09:28.550165 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2222]: DEBUG: Client "120.121.122.123", "Control connection terminated without SSL shutdown."
|  2025-03-03T00:09:33.569868 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2224]: CONNECT: Client "120.121.122.123"
|  2025-03-03T00:09:33.569887 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2224]: FTP response: Client "120.121.122.123", "220 Welcome to 19.18.17.16."
|  2025-03-03T00:09:33.594235 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2224]: FTP command: Client "120.121.122.123", "AUTH TLS"
|  2025-03-03T00:09:33.594249 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2224]: FTP response: Client "120.121.122.123", "234 Proceed with negotiation."
|  2025-03-03T00:09:33.665392 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2224]: FTP command: Client "120.121.122.123", "USER username"
|  2025-03-03T00:09:33.665409 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2224]: [username] FTP response: Client "120.121.122.123", "331 Please specify the password."
|  2025-03-03T00:09:33.684880 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2224]: [username] FTP command: Client "120.121.122.123", "PASS <password>"
|  2025-03-03T00:09:33.687619 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2223]: [username] FAIL LOGIN: Client "120.121.122.123"
|  2025-03-03T00:09:34.687834 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2224]: [username] FTP response: Client "120.121.122.123", "530 Login incorrect."
|  2025-03-03T00:09:34.717158 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2224]: DEBUG: Client "120.121.122.123", "Control connection terminated without SSL shutdown."
`-

$ fail2ban-regex systemd-journal lighttpd-auth --print-all-missed

Running tests
=============

Use      jail : lighttpd-auth
Use  systemd journal
Use   encoding : UTF-8
Use journal match : _SYSTEMD_UNIT=lighttpd.service + _COMM=lighttpd


Results
=======

Failregex: 0 total
Ignoreregex: 0 total

Lines: 19 lines, 0 ignored, 0 matched, 19 missed
[processed in 0.00 sec]

|- Missed line(s):
|  2025-03-03T00:11:20.182918 ip-172-31-3-150.ap-southeast-2.compute.internal lighttpd[1855]: 120.121.122.123 19.18.17.16 - [03/Mar/2025:00:11:20 +0100] "GET / HTTP/2.0" 401 347 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6550.0 Safari/537.36"
|  2025-03-03T00:11:22.973340 ip-172-31-3-150.ap-southeast-2.compute.internal lighttpd[1855]: (mod_auth.c.853) password doesn't match for / username: user1 IP: 120.121.122.123
|  2025-03-03T00:11:22.973377 ip-172-31-3-150.ap-southeast-2.compute.internal lighttpd[1855]: 120.121.122.123 19.18.17.16 - [03/Mar/2025:00:11:22 +0100] "GET / HTTP/2.0" 401 347 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6550.0 Safari/537.36"
|  2025-03-03T00:11:23.974586 ip-172-31-3-150.ap-southeast-2.compute.internal lighttpd[1855]: 120.121.122.123 - - [03/Mar/2025:00:11:23 +0100] "PRI * HTTP/2.0" 100 948 "-" "-"
|  2025-03-03T00:11:27.203355 ip-172-31-3-150.ap-southeast-2.compute.internal lighttpd[1855]: (mod_auth.c.853) password doesn't match for / username: user2 IP: 120.121.122.123
|  2025-03-03T00:11:27.203386 ip-172-31-3-150.ap-southeast-2.compute.internal lighttpd[1855]: 120.121.122.123 19.18.17.16 - [03/Mar/2025:00:11:26 +0100] "GET / HTTP/2.0" 401 347 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6550.0 Safari/537.36"
|  2025-03-03T00:11:27.217293 ip-172-31-3-150.ap-southeast-2.compute.internal lighttpd[1855]: 120.121.122.123 - - [03/Mar/2025:00:11:26 +0100] "PRI * HTTP/2.0" 100 545 "-" "-"
|  2025-03-03T00:11:29.959598 ip-172-31-3-150.ap-southeast-2.compute.internal lighttpd[1855]: (mod_auth.c.853) password doesn't match for / username: user3 IP: 120.121.122.123
|  2025-03-03T00:11:29.959629 ip-172-31-3-150.ap-southeast-2.compute.internal lighttpd[1855]: 120.121.122.123 19.18.17.16 - [03/Mar/2025:00:11:29 +0100] "GET / HTTP/2.0" 401 347 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6550.0 Safari/537.36"
|  2025-03-03T00:11:29.976120 ip-172-31-3-150.ap-southeast-2.compute.internal lighttpd[1855]: 120.121.122.123 - - [03/Mar/2025:00:11:29 +0100] "PRI * HTTP/2.0" 100 545 "-" "-"
|  2025-03-03T00:11:33.089313 ip-172-31-3-150.ap-southeast-2.compute.internal lighttpd[1855]: (mod_auth.c.853) password doesn't match for / username: user4 IP: 120.121.122.123
|  2025-03-03T00:11:33.089343 ip-172-31-3-150.ap-southeast-2.compute.internal lighttpd[1855]: 120.121.122.123 19.18.17.16 - [03/Mar/2025:00:11:32 +0100] "GET / HTTP/2.0" 401 347 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6550.0 Safari/537.36"
|  2025-03-03T00:11:33.111960 ip-172-31-3-150.ap-southeast-2.compute.internal lighttpd[1855]: 120.121.122.123 - - [03/Mar/2025:00:11:32 +0100] "PRI * HTTP/2.0" 100 545 "-" "-"
|  2025-03-03T00:11:36.245430 ip-172-31-3-150.ap-southeast-2.compute.internal lighttpd[1855]: (mod_auth.c.853) password doesn't match for / username: user5 IP: 120.121.122.123
|  2025-03-03T00:11:36.245462 ip-172-31-3-150.ap-southeast-2.compute.internal lighttpd[1855]: 120.121.122.123 19.18.17.16 - [03/Mar/2025:00:11:36 +0100] "GET / HTTP/2.0" 401 347 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6550.0 Safari/537.36"
|  2025-03-03T00:11:36.258874 ip-172-31-3-150.ap-southeast-2.compute.internal lighttpd[1855]: 120.121.122.123 - - [03/Mar/2025:00:11:36 +0100] "PRI * HTTP/2.0" 100 545 "-" "-"
|  2025-03-03T00:11:38.908989 ip-172-31-3-150.ap-southeast-2.compute.internal lighttpd[1855]: (mod_auth.c.853) password doesn't match for / username: user6 IP: 120.121.122.123
|  2025-03-03T00:11:38.909019 ip-172-31-3-150.ap-southeast-2.compute.internal lighttpd[1855]: 120.121.122.123 19.18.17.16 - [03/Mar/2025:00:11:38 +0100] "GET / HTTP/2.0" 401 347 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6550.0 Safari/537.36"
|  2025-03-03T00:11:38.926965 ip-172-31-3-150.ap-southeast-2.compute.internal lighttpd[1855]: 120.121.122.123 - - [03/Mar/2025:00:11:38 +0100] "PRI * HTTP/2.0" 100 545 "-" "-"
`-

$ sudo fail2ban-client status vsftpd
Status for the jail: vsftpd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=vsftpd.service + _COMM=vsftpd
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

$ sudo fail2ban-client status lighttpd-auth
Status for the jail: lighttpd-auth
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=lighttpd.service + _COMM=lighttpd
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

On the other hand, SSHD is catching the failed auth attempts:

$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd + _COMM=sshd-session
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   10.11.12.13

My jail files look like this:

[sshd]
enabled=true
backend = systemd
logpath = journal

[vsftpd]
enabled = true
backend = systemd
filter = vsftpd
journalmatch = _SYSTEMD_UNIT=vsftpd.service + _COMM=vsftpd

[lighttpd-auth]
enabled = true
backend = systemd
filter = lighttpd-auth
journalmatch = _SYSTEMD_UNIT=lighttpd.service + _COMM=lighttpd

Please advise!

--
Lucian Maly
lucky[@]senior.[cz]
lmaly[@]redhat.[com]
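Added illustration, not part of the post above or of fail2ban's own code: a small Python harness that emulates how a fail2ban failregex is built (prefix line plus the <HOST> tag) and runs it over four of the journal lines quoted in the post, reporting matched hosts and missed lines the way fail2ban-regex does. The prefix pattern, the <DAEMON> placeholder and the two failregex candidates are simplified stand-ins written for this example, not the upstream filter.d/vsftpd.conf or lighttpd-auth.conf patterns.

```python
import re

# Constructed sample: four of the journal lines quoted in the post, as fail2ban-regex
# prints them (timestamp, hostname, comm[pid]: message). The user-agent is shortened.
SAMPLE_LINES = [
    '2025-03-03T00:09:15.098247 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2218]: CONNECT: Client "120.121.122.123"',
    '2025-03-03T00:09:15.205395 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[2217]: [username] FAIL LOGIN: Client "120.121.122.123"',
    "2025-03-03T00:11:22.973340 ip-172-31-3-150.ap-southeast-2.compute.internal lighttpd[1855]: (mod_auth.c.853) password doesn't match for / username: user1 IP: 120.121.122.123",
    '2025-03-03T00:11:22.973377 ip-172-31-3-150.ap-southeast-2.compute.internal lighttpd[1855]: 120.121.122.123 19.18.17.16 - [03/Mar/2025:00:11:22 +0100] "GET / HTTP/2.0" 401 347 "-" "Mozilla/5.0"',
]

# Stand-in for fail2ban's __prefix_line (timestamp, hostname, "daemon[pid]: ").
# <DAEMON> is a placeholder of this example, not a fail2ban tag.
PREFIX_LINE = r'^\S+ \S+ <DAEMON>(?:\[\d+\])?: '
# What gets substituted for <HOST>; restricted to IPv4 here for brevity.
HOST = r'(?P<host>(?:\d{1,3}\.){3}\d{1,3})'

# Simplified failregex candidates written for this example: filter name -> (daemon, regex).
FILTERS = {
    'vsftpd': ('vsftpd', r'\[[^\]]+\] FAIL LOGIN: Client "<HOST>"\s*$'),
    'lighttpd-auth': ('lighttpd', r"\(mod_auth\.c\.\d+\) password doesn't match for \S+ username: \S+ IP: <HOST>\s*$"),
}

def compile_failregex(daemon, failregex):
    """Expand <DAEMON> and <HOST>, then anchor the failregex behind the prefix line."""
    prefix = PREFIX_LINE.replace('<DAEMON>', re.escape(daemon))
    return re.compile(prefix + failregex.replace('<HOST>', HOST))

def run_filter(name, lines):
    """Mimic fail2ban-regex for one filter: return (matched hosts, missed lines)."""
    daemon, failregex = FILTERS[name]
    rx = compile_failregex(daemon, failregex)
    matched, missed = [], []
    for line in lines:
        m = rx.search(line)
        if m:
            matched.append(m.group('host'))
        else:
            missed.append(line)
    return matched, missed

if __name__ == '__main__':
    for name in FILTERS:
        matched, missed = run_filter(name, SAMPLE_LINES)
        print(f"{name}: {len(matched)} matched, {len(missed)} missed; hosts={matched}")
```

Swapping a candidate regex into FILTERS and re-running shows immediately whether it is the prefix or the message part that fails to match a given journal line.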
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users