vsftpd logins not being blocked

Posted: 26 Oct 2015, 21:53
by justinb
I have tried looking through the forum, only to read that the regex has been updated, but the authentication failures are not being blocked after multiple tries. I have it set to block ftp after 3 attempts, but it never blocks any users like the sshd login attempts do. Can anyone give me any advice as to what I may have overlooked, or how to add a custom regex to catch the people trying to hack my server?

Here is part of the secure log:

Oct 26 15:24:15 server3 vsftpd[8069]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=115.29.108.86
Oct 26 15:24:15 server3 vsftpd[8069]: pam_succeed_if(vsftpd:auth): error retrieving information about user anonymous
Oct 26 15:24:23 server3 vsftpd[8085]: pam_unix(vsftpd:auth): check pass; user unknown
Oct 26 15:24:23 server3 vsftpd[8085]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=lcu rhost=115.29.108.86
Oct 26 15:24:23 server3 vsftpd[8085]: pam_succeed_if(vsftpd:auth): error retrieving information about user lcu
Oct 26 15:24:29 server3 vsftpd[8094]: pam_unix(vsftpd:auth): check pass; user unknown
Oct 26 15:24:29 server3 vsftpd[8094]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=lcu rhost=115.29.108.86
Oct 26 15:24:29 server3 vsftpd[8094]: pam_succeed_if(vsftpd:auth): error retrieving information about user lcu
Oct 26 15:24:43 server3 vsftpd[8100]: pam_unix(vsftpd:auth): check pass; user unknown
Oct 26 15:24:43 server3 vsftpd[8100]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=www rhost=115.29.108.86
Oct 26 15:24:43 server3 vsftpd[8100]: pam_succeed_if(vsftpd:auth): error retrieving information about user www

Re: vsftpd logins not being blocked

Posted: 03 Nov 2015, 13:14
by roirm
I've found this thread: viewtopic.php?t=1344&start=10... Does it help?

Re: vsftpd logins not being blocked

Posted: 05 Nov 2015, 06:10
by Elizine
Hi,

Please try the following steps -

Run "fail2ban-regex /var/log/vsftpd.log /etc/fail2ban/filter.d/vsftpd.conf" (or equivalent). Do you get a "Success, the total number of match is xyz" message at the end? If not: check whether the logfile entries fit the regular expression in filter.d/vsftpd.conf

Check the timestamps in the vsftpd.log. You may need to add "use_localtime=YES" to /etc/vsftpd/vsftpd.conf

Check file: /etc/vsftpd/vsftpd.conf and add the line: "dual_log_enable=YES" without the quotes
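
Added example (not part of any post in this thread, and not fail2ban's own code): a Python check, in the spirit of the fail2ban-regex test suggested above, that runs a failregex-style pattern over lines from the secure log in the first post and counts failures per rhost against the 3-attempt limit. The pattern, the simplified `<HOST>` substitution and the function names are assumptions written for these sample lines, not the contents of filter.d/vsftpd.conf.

```python
import re
from collections import Counter

# Lines copied from the secure log excerpt in the first post.
SECURE_LOG = """\
Oct 26 15:24:15 server3 vsftpd[8069]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=115.29.108.86
Oct 26 15:24:15 server3 vsftpd[8069]: pam_succeed_if(vsftpd:auth): error retrieving information about user anonymous
Oct 26 15:24:23 server3 vsftpd[8085]: pam_unix(vsftpd:auth): check pass; user unknown
Oct 26 15:24:23 server3 vsftpd[8085]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=lcu rhost=115.29.108.86
Oct 26 15:24:29 server3 vsftpd[8094]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=lcu rhost=115.29.108.86
Oct 26 15:24:43 server3 vsftpd[8100]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=www rhost=115.29.108.86
"""

# Assumed pattern in failregex style, written for the PAM lines above.
FAILREGEX = (r"vsftpd\[\d+\]: pam_unix\(vsftpd:auth\): "
             r"authentication failure;.*\brhost=<HOST>(?:\s|$)")

MAXRETRY = 3  # the first post's setting: block after 3 attempts


def compile_failregex(pattern):
    """Simplified stand-in for fail2ban's <HOST> tag: IP addresses only."""
    return re.compile(pattern.replace("<HOST>", r"(?P<host>[0-9A-Fa-f:.]+)"))


def count_failures(log_text, pattern=FAILREGEX):
    """Return a Counter of matched failure lines per remote host."""
    rx = compile_failregex(pattern)
    hits = Counter()
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(log_text, maxretry=MAXRETRY):
    """Hosts at or over the limit (no time window is applied here)."""
    counts = count_failures(log_text)
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print(dict(count_failures(SECURE_LOG)))
    print(hosts_to_ban(SECURE_LOG))
```
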