
Support for vsftpd Login Failures

Posted: 27 May 2008, 11:01
by Riatsala
I've had thousands of vsftpd login failures in the last few weeks. It would be great to be able to block the offending IPs.

Here's a few lines from /var/log/messages

Code:

May  1 12:43:17 vps vsftpd(pam_unix)[11377]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=72.232.10.66  user=mysql
May 11 00:39:10 vps vsftpd(pam_unix)[22388]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=219.232.228.160
May 25 19:59:54 vps vsftpd(pam_unix)[17806]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=65.204.255.101

If blocking these could be added to a future lfd update, I'd really appreciate it!

All the best,
Riatsala

Posted: 27 May 2008, 11:21
by chirpy
I'll look at adding these to regex.pm

Posted: 27 May 2008, 11:57
by Riatsala
Thanks chirpy. :)

Posted: 29 May 2008, 10:53
by Riatsala
Thanks for including this in the latest update. It's blocked a couple of IPs already! :)

I have noticed something strange while browsing the logs. It appears there are actually two types of attack, and only one is getting blocked.

Those who use a legitimate username but wrong password generate a single line in /var/log/messages like the ones above, and these are blocked perfectly.

Those who use an invalid username generate two lines in the log for each attempt, and for some reason they are ignored by lfd.

Code:

May 29 05:02:38 vps vsftpd(pam_unix)[5398]: check pass; user unknown
May 29 05:02:38 vps vsftpd(pam_unix)[5398]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=219.232.228.160 
May 29 05:02:46 vps vsftpd(pam_unix)[5442]: check pass; user unknown
May 29 05:02:46 vps vsftpd(pam_unix)[5442]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=219.232.228.160 
May 29 05:02:50 vps vsftpd(pam_unix)[5463]: check pass; user unknown
May 29 05:02:50 vps vsftpd(pam_unix)[5463]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=219.232.228.160 
The second line is exactly the same format as those above, which is why I'm surprised lfd doesn't block it.

People trying to log in with an invalid username aren't much of a threat, so this isn't important, but I am curious to know why these attempts don't get blocked.

All the best,
Riatsala

Posted: 05 Jun 2008, 10:43
by chirpy
I'll check the regex and make sure those are blocked too.

Posted: 24 Aug 2009, 17:37
by Com4
Hi,

I've had thousands of vsftpd login failures in the last couple of days and it seems that CSF is not blocking them:

vsftpd:
Unknown Entries:
check pass; user unknown: 2289 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator

**Unmatched Entries**
vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user

I could not find anything about this except for this topic.

Any help in this case would be appreciated.

Thanks,

Dave

Posted: 10 Sep 2009, 09:46
by chirpy
You need to post the actual login failure log lines that you've configured lfd to scan.

Posted: 16 Jan 2010, 22:23
by Sander
Hi,

I have the same issues.

Several thousand lines in the secure log file like:

May 29 05:02:38 vps vsftpd(pam_unix)[5398]: check pass; user unknown
May 29 05:02:38 vps vsftpd(pam_unix)[5398]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=219.232.228.160

Can you tell me what you mean with:

"You need to post the actual login failure log lines that you've configured lfd to scan"

Thanks,

Sander

Posted: 22 Jan 2010, 09:58
by chirpy
That's the line I need. That particular one isn't picked up by the regex at present. I'll add it to the dev list.

Posted: 30 Jan 2010, 08:51
by Com4
Hi,

The exact log lines are like this:

Jan 30 03:04:39 serv222 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user anonymous
Jan 30 03:05:10 serv222 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Jan 30 03:05:10 serv222 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=s5593f547.ad

Besides that, vsftpd is using the /var/log/secure file to log these errors and not the default /var/log/messages file that is configured in the csf config file.

Thanks,

Dave
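The two points raised in this thread, Riatsala's observation that the "check pass; user unknown" attempts produce a two-line pair of which only the "authentication failure" line carries the client address, and Dave's newer `vsftpd: pam_unix(vsftpd:auth):` line format with a hostname in `rhost=`, can both be covered by one parser. The Python below is an added example written for this page; it is not lfd's own `regex.pm` (which is Perl) and does not claim to reproduce lfd's matching. It matches both syslog shapes quoted above, keys failures on the `rhost=` value, and trips a host when it exceeds a failure count inside a time window. The `threshold` and `interval` defaults are hypothetical, and the sample log lines are constructed (the extra `219.232.228.160` attempts and their timestamps are made up to push that host over the threshold).

```python
import re
from collections import defaultdict
from datetime import datetime

# One pattern for both syslog shapes quoted in the thread:
#   vsftpd(pam_unix)[5398]: authentication failure; ... rhost=1.2.3.4
#   vsftpd: pam_unix(vsftpd:auth): authentication failure; ... rhost=host
# The line must carry a non-empty rhost= value. "check pass; user unknown"
# and the pam_succeed_if line name no client, so they are deliberately
# skipped: only the paired "authentication failure" line is attributable.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"vsftpd(?:\(pam_unix\)\[\d+\]|: pam_unix\(vsftpd:auth\)): "
    r"authentication failure;.*?\brhost=(?P<rhost>\S+)"
)


def parse_auth_failure(line):
    """Return {'ts': datetime, 'rhost': str} for a vsftpd PAM auth failure
    that names a remote host, or None for any other line."""
    m = AUTH_FAIL_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime fills in 1900, which is
    # enough for the relative windows below (assumption: the scanned lines
    # do not straddle a year boundary).
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"ts": ts, "rhost": m.group("rhost")}


def count_failures(lines):
    """Total attributable auth failures per rhost, regardless of timing."""
    counts = defaultdict(int)
    for line in lines:
        hit = parse_auth_failure(line)
        if hit:
            counts[hit["rhost"]] += 1
    return dict(counts)


def hosts_to_block(lines, threshold=5, interval=300):
    """rhosts with at least `threshold` failures inside any window of
    `interval` seconds. Hypothetical defaults; the shape of the rule
    (count within an interval) is what a login-failure daemon applies."""
    times = defaultdict(list)
    for line in lines:
        hit = parse_auth_failure(line)
        if hit:
            times[hit["rhost"]].append(hit["ts"])
    blocked = []
    for rhost, stamps in times.items():
        stamps.sort()
        # Slide a window of `threshold` consecutive failures over the sorted
        # timestamps; the host trips if any such window fits in `interval`.
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= interval:
                blocked.append(rhost)
                break
    return sorted(blocked)


# Constructed sample, modelled on the lines quoted in the thread. The
# 05:02:55 and 05:03:01 attempts from 219.232.228.160 are invented.
SAMPLE_LINES = [
    "May  1 12:43:17 vps vsftpd(pam_unix)[11377]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=72.232.10.66  user=mysql",
    "May 29 05:02:38 vps vsftpd(pam_unix)[5398]: check pass; user unknown",
    "May 29 05:02:38 vps vsftpd(pam_unix)[5398]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=219.232.228.160 ",
    "May 29 05:02:46 vps vsftpd(pam_unix)[5442]: check pass; user unknown",
    "May 29 05:02:46 vps vsftpd(pam_unix)[5442]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=219.232.228.160 ",
    "May 29 05:02:50 vps vsftpd(pam_unix)[5463]: check pass; user unknown",
    "May 29 05:02:50 vps vsftpd(pam_unix)[5463]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=219.232.228.160 ",
    "May 29 05:02:55 vps vsftpd(pam_unix)[5480]: check pass; user unknown",
    "May 29 05:02:55 vps vsftpd(pam_unix)[5480]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=219.232.228.160 ",
    "May 29 05:03:01 vps vsftpd(pam_unix)[5497]: check pass; user unknown",
    "May 29 05:03:01 vps vsftpd(pam_unix)[5497]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=219.232.228.160 ",
    "Jan 30 03:04:39 serv222 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user anonymous",
    "Jan 30 03:05:10 serv222 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown",
    "Jan 30 03:05:10 serv222 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=s5593f547.ad",
]

if __name__ == "__main__":
    for rhost, n in sorted(count_failures(SAMPLE_LINES).items()):
        print(f"{rhost}: {n} failure(s)")
    print("would block:", hosts_to_block(SAMPLE_LINES))
```

Two caveats a practitioner would want: the parser returns the `rhost=` string exactly as logged, so when PAM records a hostname such as `s5593f547.ad` rather than an address, whatever consumes the result must resolve it (or skip it) before writing a firewall rule; and the lines must be read from whichever file vsftpd's PAM messages actually land in on the system (the thread notes /var/log/secure rather than /var/log/messages on Dave's host), otherwise nothing is ever matched.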