Fail2ban does not ban any IP address using vsftpd

Fail2ban starts okay. It uses my sshd filter and bans IP addresses. But with vsftpd it does not register failed logins at runtime:

fail2ban-client status vsftpd 

I have tried both auth.log and vsftpd.log. I changed the file paths from the real ones for security reasons; they are not really /path/to/thelog.log

vsftpd.log

    Status for the jail: vsftpd
    |- filter
    |  |- File list:        /path/to/vsftpd.log
    |  |- Currently failed: 0
    |  `- Total failed:     0
    `- action
       |- Currently banned: 0
       |  `- IP list:
       `- Total banned:     0

auth.log

    Status for the jail: vsftpd
    |- filter
    |  |- File list:        /path/to/auth.log
    |  |- Currently failed: 0
    |  `- Total failed:     0
    `- action
       |- Currently banned: 0
       |  `- IP list:
       `- Total banned:     0

But with fail2ban-regex it does catch the failed login messages.

vsftpd.log

    Running tests
    =============

    Use failregex file : /etc/fail2ban/filter.d/vsftpd.conf
    Use log file : /path/to/vsftpd.log

    Results
    =======

    Failregex: 16 total
    |- #) [# of hits] regular expression
    |  2) [16] ^ \[pid \d+\] \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
    `-

    Ignoreregex: 0 total

    Date template hits:
    |- [# of hits] date format
    |  [806] WEEKDAY MONTH Day Hour:Minute:Second Year
    `-

    Lines: 806 lines, 0 ignored, 16 matched, 790 missed
    Missed line(s): too many to print. Use --print-all-missed to print all 790 lines

auth.log

    Running tests
    =============

    Use failregex file : /etc/fail2ban/filter.d/vsftpd.conf
    Use log file : /path/to/auth.log

    Results
    =======

    Failregex: 16 total
    |- #) [# of hits] regular expression
    |  1) [16] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\])?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?vsftpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?vsftpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*\(?pam_unix(?:\(\S+\))?\)?:?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
    `-

    Ignoreregex: 0 total

    Date template hits:
    |- [# of hits] date format
    |  [9174] MONTH Day Hour:Minute:Second
    `-

    Lines: 9174 lines, 0 ignored, 16 matched, 9158 missed
    Missed line(s): too many to print. Use --print-all-missed to print all 9158 lines

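I have tested this by failing logins with the correct password (logging in with the wrong password, that is :)) and the fail2ban-regex count keeps rising, but the jail status stays at 0 and three failed logins do not trigger a ban.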

jail.local

    [vsftpd]
    enable = true
    filter = vsftpd
    action = iptables-multiport[name=vsftpd, port="20, 21, 10204, 10205"]
    logpath = /path/to/auth.log
    bantime = 60
    maxretry = 3

The 60-second ban is only for testing.

Any ideas why it isn't working?

A rejected login in vsftpd.log looks like:

 Wed Jun 29 14:57:37 2016 [pid 2517] [username] FTP response: Client "::ffff:192.168.0.100", "530 Permission denied." 

and the default failregex, WHICH does not work, in the fail2ban configuration file located at "/etc/fail2ban/filter.d/vsftpd.conf" looks like

    failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
                ^ \[pid \d+\] \[.+\] FAIL LOGIN: Client "<HOST>"\s*$

So you need to change the failregex to the following to make it work with vsftpd

    failregex = ^%(__prefix_line)s%(__pam_re)s\s+Permission denied; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
                ^ \[pid \d+\] \[.+\]\s+FTP response: Client "::ffff:<HOST>",\s*"530 Permission denied\."\s*$

Check the picture for the exact edit, because the string above is missing some characters. https://s31.postimg.org/pdv5m5he3/fail2ban_vsftpd2.png

Checked on Ubuntu with vsftpd: version 3.0.3
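An added example (not part of the answer above and not fail2ban's own code): a small Python check of which vsftpd.log lines the stock second failregex and the modified one catch. The `<HOST>` stand-in is a simplified IPv4-only assumption, the date stripping imitates how fail2ban removes the matched timestamp before applying failregex, and the first and third sample lines are constructed.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only,
# with the optional IPv4-mapped prefix; the real expansion is broader).
HOST = r'(?:::f{4,6}:)?(?P<host>\d{1,3}(?:\.\d{1,3}){3})'

# Second failregex of the stock filter, and the modified one from the answer.
STOCK = r'^ \[pid \d+\] \[.+\] FAIL LOGIN: Client "<HOST>"\s*$'
MODIFIED = (r'^ \[pid \d+\] \[.+\]\s+FTP response: Client "::ffff:<HOST>",'
            r'\s*"530 Permission denied\."\s*$')

# vsftpd's own timestamp, e.g. "Wed Jun 29 14:57:37 2016". fail2ban cuts the
# matched date out of the line first, so both patterns start with a space.
DATE = re.compile(r'^[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4}')

# Line 2 is the log line quoted on the page; lines 1 and 3 are constructed.
SAMPLE_LOG = [
    'Wed Jun 29 14:57:35 2016 [pid 2516] [username] FAIL LOGIN: '
    'Client "::ffff:192.168.0.100"',
    'Wed Jun 29 14:57:37 2016 [pid 2517] [username] FTP response: '
    'Client "::ffff:192.168.0.100", "530 Permission denied."',
    'Wed Jun 29 14:58:02 2016 [pid 2520] [username] OK LOGIN: '
    'Client "::ffff:192.168.0.101"',
]


def compile_failregex(pattern):
    """Expand the <HOST> tag and compile the pattern."""
    return re.compile(pattern.replace('<HOST>', HOST))


def failed_hosts(pattern, lines):
    """Return the host captured from every line the failregex matches."""
    rx = compile_failregex(pattern)
    hosts = []
    for line in lines:
        match = rx.search(DATE.sub('', line, count=1))
        if match:
            hosts.append(match.group('host'))
    return hosts


if __name__ == '__main__':
    for name, pattern in (('stock', STOCK), ('modified', MODIFIED)):
        print(name, failed_hosts(pattern, SAMPLE_LOG))
```

Each pattern catches only its own line type: the stock one the `FAIL LOGIN` line, the modified one the `530 Permission denied.` response, and neither the `OK LOGIN` line.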

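Where are your log files stored?

Are they in /scripts/logs/vsftpd.log and /scripts/logs/auth.log? That is where the fail2ban daemon is looking for them according to your jail.local.

Because in the fail2ban-regex output you pasted, it says it used /path/to/vsftpd.log and /path/to/auth.log.

Did you just remove /scripts/logs/ from the fail2ban-regex output and paste in the /path/to/ placeholder? Or are your logs actually in /path/to/?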