
Thread: Fail2ban for pure-ftp

  1. #1

    Fail2ban for pure-ftp

    I'm looking for anyone who has had luck getting fail2ban to work with pure-ftp. I keep getting log entries like:
    Code:
    Nov 14 15:39:05 web1 pure-ftpd: (?@60.217.229.228) [WARNING] Authentication failed for user [administrator]
    Nov 14 15:39:18 web1 pure-ftpd: (?@60.217.229.228) [INFO] PAM_RHOST enabled. Getting the peer address
    Nov 14 15:39:20 web1 pure-ftpd: (?@60.217.229.228) [WARNING] Authentication failed for user [administrator]
    Nov 14 15:39:32 web1 pure-ftpd: (?@60.217.229.228) [INFO] PAM_RHOST enabled. Getting the peer address
    Nov 14 15:39:34 web1 pure-ftpd: (?@60.217.229.228) [WARNING] Authentication failed for user [administrator]
    my fail2ban failregex for pure-ftpd is now:
    Code:
    failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>\)) \[WARNING\] %(__errmsg)s \[.+\]$
    failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>\)) \[INFO\] %(__errmsg)s \[.+\]$
    So far I haven't blocked a single one.
    Last edited by wxman; November 14th, 2009 at 10:08 PM.

  2. #2

    Re: Fail2ban for pure-ftp

    Quote Originally Posted by wxman

    my fail2ban failregex for pure-ftpd is now:
    Code:
    failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>\)) \[WARNING\] %(__errmsg)s \[.+\]$
    failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>\)) \[INFO\] %(__errmsg)s \[.+\]$
    So far I haven't blocked a single one.
    I only use the top line (containing WARNING), and IPs are blocked regularly. This is my complete /etc/fail2ban/filter.d/pure-ftpd.conf:

    Code:
    # Fail2Ban configuration file
    #
    # Author: Cyril Jaquier
    # Modified: Yaroslav Halchenko for pure-ftpd
    #
    # $Revision: 3$
    #
    
    [Definition]
    
    # Error message specified in multiple languages
    __errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'utilisateur)
    
    #
    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile. The
    #         host must be matched by a group named "host". The tag "<HOST>" can
    #         be used for standard IP/hostname matching and is only an alias for
    #         (?:::f{4,6}:)?(?P<host>\S+)
    # Values: TEXT
    #
    failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>\)) \[WARNING\] %(__errmsg)s \[.+\]$
    # original: failregex = pure-ftpd (?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =
    Be sure to add the following to /etc/fail2ban/jail.conf

    Code:
    [pure-ftpd]
    
    enabled  = true
    port     = ftp,ftp-data,ftps,ftps-data
    filter   = pure-ftpd
    logpath  = /var/log/messages
    maxretry = 5
    Greetings, Sander

  3. #3

    Re: Fail2ban for pure-ftp

    Thanks for the reply. I'm now trying this pair:
    Code:
    # Error message specified in multiple languages
    __errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'utilisateur)
    
    failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
    failregex = .*pure-ftpd: \(.*@<HOST>\) \[INFO\] PAM_RHOST enabled. Getting the peer address.*
    So far this has been doing okay, but I also noticed a new trick. I got nearly a day's worth of entries from one attacker that would make two tries, stop for 10 minutes, then do two more tries. Fail2ban, of course, didn't see it as an attack, so it ignored it. I'll try your suggestion next.
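    As an added example (not code from the thread), the Python below expands the <HOST> alias and %(__errmsg)s the way fail2ban does, runs reply #2's WARNING-only filter over constructed copies of post #1's log lines, and replays the slow "two tries, pause 10 minutes, two more" pattern from post #3 through a findtime/maxretry window. The log lines and the 192.0.2.10 address are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Filter pieces as posted in reply #2 (fail2ban .conf syntax, kept as raw strings here).
ERRMSG = r"(?:Authentication failed for user|Erreur d'authentification pour l'utilisateur)"
FAILREGEX = r"pure-ftpd(?:\[\d+\])?: (.+?@<HOST>\)) \[WARNING\] %(__errmsg)s \[.+\]$"
# The alias fail2ban substitutes for <HOST>, quoted from the filter's own header comment.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Constructed sample lines modelled on post #1 (192.0.2.10 is a documentation address).
LOG = [
    "Nov 14 15:39:05 web1 pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [administrator]",
    "Nov 14 15:39:18 web1 pure-ftpd: (?@192.0.2.10) [INFO] PAM_RHOST enabled. Getting the peer address",
    "Nov 14 15:39:20 web1 pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [administrator]",
]

def compile_failregex(pattern, errmsg=ERRMSG):
    """Interpolate %(__errmsg)s and expand the <HOST> tag the way fail2ban does."""
    return re.compile(pattern.replace("%(__errmsg)s", errmsg).replace("<HOST>", HOST_ALIAS))

def failed_host(line, regex):
    """Return the host captured from a matching line, or None when the line is ignored."""
    m = regex.search(line)
    return m.group("host") if m else None

def matching_hosts(lines=LOG):
    """Run the WARNING-only filter over the sample log: the INFO line must yield None."""
    regex = compile_failregex(FAILREGEX)
    return [failed_host(line, regex) for line in lines]

def would_ban(times, maxretry=5, findtime=600):
    """Sliding-window count like fail2ban's findtime/maxretry. Returns the index of
    the failure that trips the ban, or None if enough never fall inside the window."""
    window = []
    for i, t in enumerate(times):
        window = [w for w in window if (t - w).total_seconds() <= findtime] + [t]
        if len(window) >= maxretry:
            return i
    return None

def slow_attacker_times(bursts=4):
    """Post #3's pattern: two failures 15 s apart, a 10-minute pause, then repeat."""
    t0 = datetime(2009, 11, 14, 15, 39, 5)
    times = []
    for n in range(bursts):
        start = t0 + timedelta(minutes=10 * n)
        times += [start, start + timedelta(seconds=15)]
    return times
```

    With the jail's default 600 s findtime the spaced-out attempts never accumulate to maxretry, which is why fail2ban stayed silent; a longer findtime (or a lower maxretry) in the jail is the knob that makes them count.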

  4. #4

    Re: Fail2ban for pure-ftp

    I got it working by following this tutorial for Fail2ban on Ubuntu 10.04:

    http://itswapshop.com/content/how-in...-and-pure-ftpd
