Difference between revisions of "Talk:ProFTPd"

From Fail2ban
Jump to: navigation, search
(New page: failregex = USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$ /var/log/secure:Jul 3 14:33:30 xkmail proftpd[12639]: xkmail.hopto.org (pe1950-2.sni.ne.jp[61.7.1.109]) - USER ad...)
 
m
 
(30 intermediate revisions by 10 users not shown)
Line 1: Line 1:
 
failregex = USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$
 
failregex = USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$
  
/var/log/secure:Jul  3 14:33:30 xkmail proftpd[12639]: xkmail.hopto.org (pe1950-2.sni.ne.jp[61.7.1.109]) - USER adriana: no such user found from pe1950-2.sni.ne.jp [61.7.1.109] to 71.105.58.80:21
+
/var/log/secure:Jul  3 14:33:30 xkmail proftpd[12639]: xkmail.hopto.org  
 +
(pe1950-2.sni.ne.jp[61.7.1.109]) - USER adriana: no such user found from  
 +
pe1950-2.sni.ne.jp [61.7.1.109] to 71.105.58.80:21
  
 
I got hit by this about 1400 times today but fail2ban did not jail ip address.
 
I got hit by this about 1400 times today but fail2ban did not jail ip address.
Line 8: Line 10:
 
kevin@xkmail.hopto.org ver .80 fedora 4
 
kevin@xkmail.hopto.org ver .80 fedora 4
  
 +
<pre>
 
# Fail2Ban configuration file
 
# Fail2Ban configuration file
 
#
 
#
Line 31: Line 34:
 
#
 
#
 
ignoreregex =
 
ignoreregex =
 +
</pre>
 +
 +
<pre>
 +
As Yaroslav Halchenko mentioned right in the mailing list each failregex has
 +
to contain \s+$ at the end, expect the one for "no such user found from" there
 +
is a \s* for zero or more whitespaces needed.
 +
 +
[Definition]
 +
 +
# Option: failregex
 +
# Notes.: regex to match the password failures messages in the logfile. The
 +
#          host must be matched by a group named "host". The tag "<HOST>" can
 +
#          be used for standard IP/hostname matching and is only an alias for
 +
#          (?:::f{4,6}:)?(?P<host>\S+)
 +
# Values: TEXT
 +
#
 +
# failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+$
 +
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+\s*$
 +
            \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.\s+$
 +
            \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): No such user found\.\s+$
 +
            \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.\s+$
 +
            \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded\s+$
 +
 +
# Option:  ignoreregex
 +
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
 +
# Values:  TEXT
 +
#
 +
ignoreregex =
 +
 +
I've just tested it with fail2ban 0.8.2-3 on Debian etch 4.0 Before this change i had also the problem,
 +
that fail2ban didn't react on bad login attempts on ftp.
 +
</pre>
 +
 +
<pre>
 +
Latest working settings for ProFTPD on CentOS 5+:
 +
 +
Set jail.conf proftpd section to log /var/log/secure
 +
 +
Edit regex setting in /etc/fail2ban/filter.d/proftpd.conf
 +
 +
replace existing regex setting with this one:
 +
 +
failregex = ^(.)+proftpd(.)+\[<HOST>\](.)*no such user found from (.)* to (.)*$
 +
^(.)+proftpd(.)+\[<HOST>\](.)*USER(.)*Login failed(.)*Incorrect password(.)*$
 +
^(.)+proftpd(.)+\[<HOST>\](.)*SECURITY VIOLATION:(.)*login attempted(.)*$
 +
^(.)+proftpd(.)+\[<HOST>\](.)*Maximum login attempts(.)*exceeded(.)*$
 +
 +
Test with: -regex /var/log/secure /etc/fail2ban/filter.d/proftpd.conf
 +
</pre>

Latest revision as of 02:51, 6 October 2011

failregex = USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$

/var/log/secure:Jul 3 14:33:30 xkmail proftpd[12639]: xkmail.hopto.org (pe1950-2.sni.ne.jp[61.7.1.109]) - USER adriana: no such user found from pe1950-2.sni.ne.jp [61.7.1.109] to 71.105.58.80:21

I got hit by this about 1400 times today but fail2ban did not jail ip address.

Is the jail.conf wrong? kevin@xkmail.hopto.org ver .80 fedora 4

# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 510 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
As Yaroslav Halchenko mentioned right in the mailing list each failregex has 
to contain \s+$ at the end, expect the one for "no such user found from" there 
is a \s* for zero or more whitespaces needed.

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+$
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+\s*$
            \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.\s+$
            \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): No such user found\.\s+$
            \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.\s+$
            \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded\s+$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

I've just tested it with fail2ban 0.8.2-3 on Debian etch 4.0 Before this change i had also the problem,
that fail2ban didn't react on bad login attempts on ftp.
Latest working settings for ProFTPD on CentOS 5+:

Set jail.conf proftpd section to log /var/log/secure

Edit regex setting in /etc/fail2ban/filter.d/proftpd.conf

replace existing regex setting with this one:

failregex = ^(.)+proftpd(.)+\[<HOST>\](.)*no such user found from (.)* to (.)*$
		^(.)+proftpd(.)+\[<HOST>\](.)*USER(.)*Login failed(.)*Incorrect password(.)*$
		^(.)+proftpd(.)+\[<HOST>\](.)*SECURITY VIOLATION:(.)*login attempted(.)*$
		^(.)+proftpd(.)+\[<HOST>\](.)*Maximum login attempts(.)*exceeded(.)*$ 

Test with: -regex /var/log/secure /etc/fail2ban/filter.d/proftpd.conf