I have tried looking through the forum, only to read that the regex has been updated, but the authentication failures are not being blocked after multiple tries. I have it set to block ftp after 3 attempts, but it never blocks any users like the sshd login attempts do. Can anyone give me any advice as to what I may have overlooked, or how to add a custom regex to catch the people trying to hack my server?
Here is part of the secure log:
Oct 26 15:24:15 server3 vsftpd[8069]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=115.29.108.86
Oct 26 15:24:15 server3 vsftpd[8069]: pam_succeed_if(vsftpd:auth): error retrieving information about user anonymous
Oct 26 15:24:23 server3 vsftpd[8085]: pam_unix(vsftpd:auth): check pass; user unknown
Oct 26 15:24:23 server3 vsftpd[8085]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=lcu rhost=115.29.108.86
Oct 26 15:24:23 server3 vsftpd[8085]: pam_succeed_if(vsftpd:auth): error retrieving information about user lcu
Oct 26 15:24:29 server3 vsftpd[8094]: pam_unix(vsftpd:auth): check pass; user unknown
Oct 26 15:24:29 server3 vsftpd[8094]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=lcu rhost=115.29.108.86
Oct 26 15:24:29 server3 vsftpd[8094]: pam_succeed_if(vsftpd:auth): error retrieving information about user lcu
Oct 26 15:24:43 server3 vsftpd[8100]: pam_unix(vsftpd:auth): check pass; user unknown
Oct 26 15:24:43 server3 vsftpd[8100]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=www rhost=115.29.108.86
Oct 26 15:24:43 server3 vsftpd[8100]: pam_succeed_if(vsftpd:auth): error retrieving information about user www
vsftpd logins not being blocked
Re: vsftpd logins not being blocked
I've found this thread: viewtopic.php?t=1344&start=10... Does it help?
Re: vsftpd logins not being blocked
Hi,
Please try the following steps -
Run "fail2ban-regex /var/log/vsftpd.log /etc/fail2ban/filter.d/vsftpd.conf" (or equivalent). Do you get a "Success, the total number of match is xyz" message at the end? If not: check whether the logfile entries fit the regular expression in filter.d/vsftpd.conf
Check the timestamps in the vsftpd.log. You may need to add "use_localtime=YES" to /etc/vsftpd/vsftpd.conf
Check file: /etc/vsftpd/vsftpd.conf and add the line: "dual_log_enable=YES" without the quotes
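An offline illustration of what the fail2ban-regex check suggested above is testing, added here as an example and not code from this thread or from fail2ban. The pattern is written for this example (it is not the shipped filter.d/vsftpd.conf), the secure-log lines are copied from the question, and the vsftpd.log line is constructed.

```python
import re
from collections import Counter

# Illustrative pattern in the style of a fail2ban failregex, written for this
# example only. fail2ban's <HOST> tag is reduced here to a plain IPv4 group.
PAM_FAILURE = re.compile(
    r"vsftpd(?:\[\d+\])?: pam_unix\(vsftpd:auth\): authentication failure; "
    r"logname=\S* uid=\S* euid=\S* tty=ftp ruser=\S* "
    r"rhost=(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# Lines copied from the secure log posted in the question.
SECURE_LOG = [
    "Oct 26 15:24:15 server3 vsftpd[8069]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=115.29.108.86",
    "Oct 26 15:24:15 server3 vsftpd[8069]: pam_succeed_if(vsftpd:auth): error retrieving information about user anonymous",
    "Oct 26 15:24:23 server3 vsftpd[8085]: pam_unix(vsftpd:auth): check pass; user unknown",
    "Oct 26 15:24:23 server3 vsftpd[8085]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=lcu rhost=115.29.108.86",
    "Oct 26 15:24:29 server3 vsftpd[8094]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=lcu rhost=115.29.108.86",
    "Oct 26 15:24:43 server3 vsftpd[8100]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=www rhost=115.29.108.86",
]

# Constructed line in vsftpd's own log format, as written to vsftpd.log.
VSFTPD_LOG = [
    'Mon Oct 26 15:24:15 2015 [pid 8069] [anonymous] FAIL LOGIN: Client "115.29.108.86"',
]


def check(lines, pattern=PAM_FAILURE):
    """Return (failures per host, lines the pattern did not match)."""
    hits, missed = Counter(), []
    for line in lines:
        m = pattern.search(line)
        if m:
            hits[m.group("host")] += 1
        else:
            missed.append(line)
    return hits, missed


def would_ban(lines, maxretry=3):
    """Hosts whose matched failures reach maxretry (time window ignored)."""
    hits, _ = check(lines)
    return sorted(h for h, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for name, lines in (("secure", SECURE_LOG), ("vsftpd.log", VSFTPD_LOG)):
        hits, missed = check(lines)
        print(name, dict(hits), "unmatched:", len(missed), "ban:", would_ban(lines))
```

The same pattern that counts four failures in the secure-log lines matches nothing in the vsftpd.log format, so a filter only produces bans when its pattern and the jail's log file are in the same format.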