CentOS
yorm, 2014-05-24 21:14:54

Configuring fail2ban for vsftpd

CentOS 6. For the past few days the logs have been growing every second, and fail2ban can't cope.
/var/log/secure:

May 25 00:48:18 localhost fail2ban.filter : WARNING Unable to find a corresponding IP address for cable-181-133-26-174.une.net.co: [Errno -2] Name or service not known
May 25 00:48:18 localhost fail2ban.filter : WARNING Unable to find a corresponding IP address for cable-181-133-26-174.une.net.co: [Errno -2] Name or service not known
May 25 00:48:18 localhost fail2ban.filter : WARNING Unable to find a corresponding IP address for cable-181-133-26-174.une.net.co: [Errno -2] Name or service not known
May 25 00:48:18 localhost fail2ban.filter : WARNING Unable to find a corresponding IP address for cable-181-133-26-174.une.net.co: [Errno -2] Name or service not known
May 25 00:48:18 localhost fail2ban.filter : WARNING Unable to find a corresponding IP address for cable-181-133-26-174.une.net.co: [Errno -2] Name or service not known

- 45 lines in 1 second, and there are a lot of seconds.
/var/log/messages
May 25 00:48:02 localhost vsftpd[20600]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test123 rhost=201-211-198-200.genericrev.cantv.net 
May 25 00:48:02 localhost vsftpd[20600]: pam_succeed_if(vsftpd:auth): error retrieving information about user test123
May 25 00:48:07 localhost vsftpd[20602]: pam_unix(vsftpd:auth): check pass; user unknown
May 25 00:48:07 localhost vsftpd[20602]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test123 rhost=201-211-198-200.genericrev.cantv.net 
May 25 00:48:07 localhost vsftpd[20602]: pam_succeed_if(vsftpd:auth): error retrieving information about user test123
May 25 00:48:37 localhost vsftpd[20604]: pam_unix(vsftpd:auth): check pass; user unknown
May 25 00:48:37 localhost vsftpd[20604]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test123 rhost=201-211-198-200.genericrev.cantv.net 
May 25 00:48:37 localhost vsftpd[20604]: pam_succeed_if(vsftpd:auth): error retrieving information about user test123
May 25 00:48:42 localhost vsftpd[20606]: pam_unix(vsftpd:auth): check pass; user unknown
May 25 00:48:42 localhost vsftpd[20606]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test123 rhost=201-211-198-200.genericrev.cantv.net 
May 25 00:48:42 localhost vsftpd[20606]: pam_succeed_if(vsftpd:auth): error retrieving information about user test123
May 25 00:48:48 localhost vsftpd[20608]: pam_unix(vsftpd:auth): check pass; user unknown
May 25 00:48:48 localhost vsftpd[20608]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test123 rhost=201-211-198-200.genericrev.cantv.net 
May 25 00:48:48 localhost vsftpd[20608]: pam_succeed_if(vsftpd:auth): error retrieving information about user test123

/etc/fail2ban/jail.conf:
[vsftpd-iptables]

enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=VSFTPD, [email protected]]
logpath  = /var/log/secure
maxretry = 4
bantime  = 259200

/etc/fail2ban/filter.d/vsftpd.conf:
# Fail2Ban filter for vsftp
#

[INCLUDES]

before = common.conf

[Definition]

__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
_daemon =  vsftpd

failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^ \[pid \d+\] \[.+\] FAIL LOGIN: Client "<HOST>"\s*$

ignoreregex = 

# Author: Cyril Jaquier

1 answer(s)
yorm, 2014-06-01

Despite the number of replies, I seem to have figured it out.
The only problem is that fail2ban wants to see the IPs, and vsftpd resolves them into DNS names.
Here, www.fail2ban.org/wiki/index.php/FAQ_english, there is a tip at the bottom:
Scenario : VSFTP configuration is set for PAM authentication, using xferlog in standard format. Fail2ban for vsftpd is watching /var/log/secure
Problem : PAM sends failed login information to /var/log/secure, but the remote server's IP address has been replaced by a DNS name. Resulting DNS name does not resolve or does not resolve correctly, thus fail2ban is unable to ban the IP address.
Fix: Configure VSFTP for "dual_log_enable=YES", and have fail2ban watch /var/log/vsftpd.log instead. This log file shows the incoming ip address instead of the DNS name.
Accordingly, I added
to /etc/vsftpd/vsftpd.conf. I restarted the service and checked that a new log appeared. I changed the log-location setting in /etc/fail2ban/jail.conf to
and restarted the second service.
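The following is an added example, not part of the poster's answer and not fail2ban's own code. It emulates what fail2ban 0.8 does with the two failregex lines from the question's filter, run over constructed log lines in both formats: the /var/log/secure excerpt from the question, and vsftpd.log lines in the shape the second failregex expects. PREFIX_LINE and DATE_RE are simplified stand-ins (assumptions) for common.conf's __prefix_line and fail2ban's date detector; the resolver is injected so the script runs offline and so the "does not resolve" case from the FAQ can be reproduced deterministically.

```python
import ipaddress
import re
from collections import Counter

# Filter transcribed from the page's /etc/fail2ban/filter.d/vsftpd.conf with
# fail2ban's substitutions applied by hand. PREFIX_LINE is a cut-down version
# of common.conf's __prefix_line (an assumption, not fail2ban's exact text).
PREFIX_LINE = r"\s*(?:\S+ )?vsftpd(?:\[\d+\])?:?\s*"
PAM_RE = r"\(?pam_unix(?:\(\S+\))?\)?:?"
HOST = r"(?P<host>[\w\-.^_]*\w)"        # what fail2ban 0.8 substitutes for <HOST>

FAILREGEX = [re.compile(p) for p in (
    r"^" + PREFIX_LINE + PAM_RE + r"\s+authentication failure; logname=\S* uid=\S* "
    r"euid=\S* tty=(ftp)? ruser=\S* rhost=" + HOST + r"(?:\s+user=.*)?\s*$",
    r'^ \[pid \d+\] \[.+\] FAIL LOGIN: Client "' + HOST + r'"\s*$',
)]

# fail2ban removes the timestamp it recognised before applying failregex; this
# stand-in covers the syslog ("May 25 00:48:02") and vsftpd.log
# ("Sun May 25 00:48:02 2014") forms.
DATE_RE = re.compile(r"^(?:\w{3} )?\w{3}\s+\d{1,2} \d\d:\d\d:\d\d(?: \d{4})?")


def extract_host(line):
    """Return the <HOST> capture for a failed-login line, or None if no failregex matches."""
    rest = DATE_RE.sub("", line, count=1)
    for rx in FAILREGEX:
        m = rx.match(rest)
        if m:
            return m.group("host")
    return None


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def run_jail(lines, resolver, maxretry=4):
    """Emulate a fail2ban 0.8 jail with usedns=warn (the default).

    A captured hostname is resolved first; when it does not resolve, fail2ban
    logs the warning seen in the question and counts nothing. `resolver` maps
    a name to an address string or None, injected so this runs offline.
    Returns (banned addresses in ban order, warning messages).
    """
    failures = Counter()
    warnings = []
    banned = []
    for line in lines:
        host = extract_host(line)
        if host is None:
            continue
        if not is_ip(host):
            ip = resolver(host)
            if ip is None:
                warnings.append(f"Unable to find a corresponding IP address for {host}")
                continue
            host = ip
        failures[host] += 1
        if failures[host] == maxretry:
            banned.append(host)
    return banned, warnings


# --- Constructed sample input, shaped after the question's excerpts ---------
REVERSE_NAME = "201-211-198-200.genericrev.cantv.net"


def _pam_failure(ts, pid, rhost):
    return (f"May 25 {ts} localhost vsftpd[{pid}]: pam_unix(vsftpd:auth): authentication "
            f"failure; logname= uid=0 euid=0 tty=ftp ruser=test123 rhost={rhost} ")


SECURE_LINES = [
    "May 25 00:48:02 localhost vsftpd[20600]: pam_unix(vsftpd:auth): check pass; user unknown",
    _pam_failure("00:48:02", 20600, REVERSE_NAME),
    "May 25 00:48:02 localhost vsftpd[20600]: pam_succeed_if(vsftpd:auth): error retrieving information about user test123",
] + [_pam_failure(ts, pid, REVERSE_NAME)
     for ts, pid in (("00:48:07", 20602), ("00:48:37", 20604), ("00:48:42", 20606), ("00:48:48", 20608))]

# The same five attempts as vsftpd's own log (dual_log_enable=YES) would record them.
VSFTPD_LOG_LINES = [
    f'Sun May 25 00:48:{s:02d} 2014 [pid {pid}] [test123] FAIL LOGIN: Client "201.211.198.200"'
    for s, pid in ((2, 20600), (7, 20602), (37, 20604), (42, 20606), (48, 20608))
]


def no_forward_record(name):
    """Resolver for a PTR-only name: nothing forward-resolves (the FAQ's failure case)."""
    return None


if __name__ == "__main__":
    print("secure:", run_jail(SECURE_LINES, no_forward_record))          # ([], 5 warnings)
    print("vsftpd.log:", run_jail(VSFTPD_LOG_LINES, no_forward_record))  # (['201.211.198.200'], [])
```

The PAM lines produce exactly the warning from the question and no ban, because what they carry after rhost= is the reverse-DNS name vsftpd looked up (reverse_lookup_enable is YES by default), and fail2ban must resolve it forward before it can ban anything. The vsftpd.log lines carry the address itself, so the fourth failure bans it with no lookup at all. Anything that removes the lookup works: the FAQ's dual_log_enable=YES with logpath = /var/log/vsftpd.log, or reverse_lookup_enable=NO in vsftpd.conf so PAM receives the address instead. Logging the address has a second benefit: the PTR record is set by whoever controls the remote address block, so a name-based ban lands on whatever that name happens to forward-resolve to. To check a filter against a real log file use fail2ban-regex /var/log/vsftpd.log /etc/fail2ban/filter.d/vsftpd.conf, and on CentOS put the jail settings in /etc/fail2ban/jail.local rather than editing jail.conf, which a package update overwrites.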
