Support for vsftpd Login Failures

chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

It won't scan that line as it's not an IP address. lfd doesn't do DNS lookups on domain names.
lamnk
Junior Member
Posts: 2
Joined: 24 Sep 2010, 15:30

Re: Support for vsftpd Login Failures

Post by lamnk »

It seems this problem hasn't been fixed. I have enabled FTP login failure detection, but LFD still doesn't block them:

Code:

root@lamnk:/var/log# grep vsftpd /var/log/secure

Sep 23 07:16:13 lamnk vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Sep 23 07:16:13 lamnk vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=123.189.26.74 
Sep 23 07:16:13 lamnk vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user admin
Sep 23 07:16:14 lamnk vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Sep 23 07:16:14 lamnk vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=123.189.26.74 
Sep 23 07:16:14 lamnk vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user test
Sep 23 07:16:16 lamnk vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Sep 23 07:16:16 lamnk vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=web rhost=123.189.26.74 
Sep 23 07:16:16 lamnk vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user web
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Re: Support for vsftpd Login Failures

Post by chirpy »

It was resolved. What you have posted is a completely different log line format. If you want to detect it, you'll need to construct a custom regex in regex.custom.pm.
lamnk
Junior Member
Posts: 2
Joined: 24 Sep 2010, 15:30

Re: Support for vsftpd Login Failures

Post by lamnk »

Thank you chirpy!

Could you please have a look at the regex I added (stolen from your vsftpd line in regex.pm)?

Code:

if (($config{LF_FTPD}) and ($lgfile eq $config{FTPD_LOG}) and ($line =~ /^\w+ \d{2} \d{2}:\d{2}:\d{2} (\S+) vsftpd: pam_unix\(vsftpd:auth\): authentication failure; logname=\S*\s+\S+\s+\S+\s+\S+\s+ruser=(\S*)\s+rhost=(\S+)\s+/)) {
        # Capture groups in the order they appear in the pattern:
        # $1 = syslog host, $2 = ruser (account), $3 = rhost (source address)
        $host = $1; $acc = $2; $ip = $3; $ip =~ s/^::ffff://;
        if (&checkip($ip)) {
                return ("Failed FTP login on", $host, "from",$ip, " | ", $acc,"vsftpd")
        } else {
                return
        }
}
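The detection chirpy describes, worked through as an added example that is not code from this thread nor from csf/lfd: the same pattern run in Python over lines modelled on lamnk's log, with the captures assigned in the order the groups actually appear (host, ruser, rhost), an address check standing in for lfd's checkip(), and a per-source count standing in for the LF_FTPD trigger. It goes a little beyond the posted regex by matching syslog's space-padded single-digit days and an optional PID after "vsftpd", and by accepting the ::ffff: IPv4-mapped form that regex.pm strips. The hostname line and the 198.51.100.7 line are constructed; the threshold argument is an assumption standing in for the LF_FTPD count.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample modelled on the syslog output quoted in the thread.
# The last two failure lines are added cases: an rhost that is a hostname
# (lfd does no DNS lookups, so it must be skipped) and a space-padded day
# with an IPv4-mapped IPv6 address.
SAMPLE_LINES = [
    "Sep 23 07:16:13 lamnk vsftpd: pam_unix(vsftpd:auth): check pass; user unknown",
    "Sep 23 07:16:13 lamnk vsftpd: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser=admin rhost=123.189.26.74 ",
    "Sep 23 07:16:13 lamnk vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user admin",
    "Sep 23 07:16:14 lamnk vsftpd: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser=test rhost=123.189.26.74 ",
    "Sep 23 07:16:16 lamnk vsftpd: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser=web rhost=123.189.26.74 ",
    # constructed: rhost is a hostname, not an address
    "Sep 23 07:17:02 lamnk vsftpd: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser=ftp rhost=ftp.example.net ",
    # constructed: single-digit day (syslog pads with a space) and ::ffff: form
    "Sep  9 07:18:00 lamnk vsftpd: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser=root rhost=::ffff:198.51.100.7 ",
]

# Same structure as the posted regex: group 1 = syslog host, group 2 = ruser,
# group 3 = rhost.  "\d+" for the day (instead of "\d{2}") also matches "Sep  9".
FAIL_RE = re.compile(
    r"^\w+\s+\d+\s+\d{2}:\d{2}:\d{2}\s+(\S+)\s+vsftpd(?:\[\d+\])?: "
    r"pam_unix\(vsftpd:auth\): authentication failure; "
    r"logname=\S*\s+\S+\s+\S+\s+\S+\s+ruser=(\S*)\s+rhost=(\S+)\s*$"
)


def checkip(ip):
    """Stand-in for lfd's checkip(): true only for a literal IPv4/IPv6 address.
    A hostname in rhost fails here, which is why lfd never blocks such lines."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return False
    return True


def parse_failure(line):
    """Return (host, account, ip) for a vsftpd PAM auth failure line, else None.

    The posted snippet assigned $2 to $ip, which would have handed the account
    name to checkip() and never matched an address; the groups are used here
    in the order they appear."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    host, acc, ip = m.groups()
    if ip.startswith("::ffff:"):      # IPv4-mapped IPv6, as regex.pm strips it
        ip = ip[len("::ffff:"):]
    if not checkip(ip):
        return None
    return host, acc, ip


def count_failures(lines, threshold):
    """Count failures per source address; return those at or above threshold
    (threshold plays the role of the LF_FTPD setting; an assumption here)."""
    counts = Counter()
    for line in lines:
        rec = parse_failure(line)
        if rec is not None:
            counts[rec[2]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_failure(line))
    print(count_failures(SAMPLE_LINES, 3))
```

Running it shows the three failures from 123.189.26.74 counted together while the ftp.example.net line is dropped, which is the behaviour chirpy describes for hostnames. The return tuple that regex.custom.pm must hand back to lfd is version-specific, so check the commented template in your own regex.custom.pm rather than copying the internal format from regex.pm.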