Vsftpd

From Fail2ban


vsftpd, which stands for "Very Secure FTP Daemon", is an FTP server. It is licensed under the GNU General Public License. It supports IPv6 and SSL.

vsftpd is the default FTP server in Ubuntu, Fedora Core, Red Hat Enterprise Linux and a number of other distributions.

From Wikipedia, the free encyclopedia

Logging Outputs

Below are logging outputs of this software. These examples should be detected by Fail2ban. Please remove any confidential information before saving this page. Change IP addresses to 192.0.2.0/24.

If the offending host is not trivially visible in the logging output, please give more detailed information.


  • Tue Jan 23 14:04:09 2007 [pid 55555] [Administrator] FAIL LOGIN: Client "123.123.123.123"
  • Jan 23 14:04:14 Fedora6Srv1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=123.123.123.123


Failregex

The regular expressions below are proposed failregex for this software. Multiple regular expressions for failregex will only work with a version of Fail2ban greater than or equal to 0.7.6.

The tag <HOST> in the regular expressions below is just an alias for (?:::f{4,6}:)?(?P<host>\S+). The replacement is done automatically by Fail2ban when adding the regular expression. At the moment, exactly one named group host or <HOST> tag must be present in each regular expression.

Please, before editing this section, propose your changes in the discussion page first.


  • vsftpd: .* authentication failure; .* rhost=<HOST>$
  • \[.+\] FAIL LOGIN: Client "<HOST>"$
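
The following is an added example, not code from the Fail2ban project: it expands <HOST> into the alias quoted above and runs both failregex over the two log lines from Logging Outputs, plus two constructed lines (an IPv4-mapped IPv6 client and a successful login). The function names are hypothetical, the second pattern is written with .+ between the brackets so that it spans "[pid 55555] [Administrator]", and matching uses Python's re.search on the whole line, which simplifies what Fail2ban itself does.

```python
import re

# Alias quoted on this page; Fail2ban substitutes it for the <HOST> tag.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

FAILREGEX = [
    r'vsftpd: .* authentication failure; .* rhost=<HOST>$',
    r'\[.+\] FAIL LOGIN: Client "<HOST>"$',
]

def compile_failregex(pattern):
    """Expand <HOST> and enforce the one-host-group rule stated above."""
    expanded = pattern.replace("<HOST>", HOST_ALIAS)
    if expanded.count("(?P<host>") != 1:
        raise ValueError("need exactly one <HOST> tag or named group 'host': " + pattern)
    return re.compile(expanded)

def offending_host(line, patterns=FAILREGEX):
    """Return the host captured by the first matching failregex, else None."""
    for pattern in patterns:
        match = compile_failregex(pattern).search(line)
        if match:
            return match.group("host")
    return None

SAMPLES = [
    # The two log lines from the Logging Outputs section.
    'Tue Jan 23 14:04:09 2007 [pid 55555] [Administrator] FAIL LOGIN: Client "123.123.123.123"',
    'Jan 23 14:04:14 Fedora6Srv1 vsftpd: pam_unix(vsftpd:auth): authentication failure; '
    'logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=123.123.123.123',
    # Constructed lines: an IPv4-mapped IPv6 client and a successful login.
    'Tue Jan 23 14:06:00 2007 [pid 55557] [bob] FAIL LOGIN: Client "::ffff:192.0.2.7"',
    'Tue Jan 23 14:07:00 2007 [pid 55558] [alice] OK LOGIN: Client "192.0.2.10"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(offending_host(line) or "no match", "<-", line)
```

The optional (?:::f{4,6}:)? prefix is why the mapped address "::ffff:192.0.2.7" is reported as the plain IPv4 host, and the successful login line is never matched.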


Problem Solving

Everything seems to work but no hosts are blocked? Try the following steps:

  1. Run "fail2ban-regex /var/log/vsftpd.log /etc/fail2ban/filter.d/vsftpd.conf" (or equivalent). Do you get a "Success, the total number of match is xyz" message at the end? If not, check whether the log file entries match the regular expressions in filter.d/vsftpd.conf.
  2. Check the timestamps in the vsftpd.log. You may need to add "use_localtime=YES" to /etc/vsftpd/vsftpd.conf