https://serverfault.com/posts/1095745/timeline
Using fail2ban to secure the vsftp login:
jail.local
[vsftpd]
enabled = true
bantime = 600
findtime = 5000
maxretry = 1
port = ftp,ftp-data
action = iptables-multiport
logpath = /var/log/vsftpd/vsftpd.log
Regex is matching, as you can see here:
fail2ban-regex /var/log/vsftpd/vsftpd.log /etc/fail2ban/filter.d/vsftpd.conf --print-all-matched
Running tests
=============

Use   failregex filter file : vsftpd, basedir: /etc/fail2ban
Use      datepattern : {^LN-BEG} : Default Detectors
Use         log file : /var/log/vsftpd/vsftpd.log
Use         encoding : UTF-8

Results
=======

Failregex: 23 total
|-  #) [# of hits] regular expression
|   2) [23] ^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client "<HOST>"(?:\s*$|,)
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [385] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 385 lines, 0 ignored, 23 matched, 362 missed
[processed in 0.03 sec]

|- Matched line(s):
|  Wed Mar 9 08:36:06 2022 [pid 2619415] [bla] FAIL LOGIN: Client "some_IP"
|  Wed Mar 9 08:36:13 2022 [pid 2619420] [bla] FAIL LOGIN: Client "some_IP"
|  Wed Mar 9 08:36:18 2022 [pid 2619422] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar 9 08:36:30 2022 [pid 2619425] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar 9 08:36:37 2022 [pid 2619508] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar 9 08:36:45 2022 [pid 2619511] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar 9 08:36:53 2022 [pid 2619514] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar 9 08:47:39 2022 [pid 2620744] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar 9 08:47:47 2022 [pid 2620746] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar 9 08:47:55 2022 [pid 2620748] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar 9 08:48:03 2022 [pid 2620763] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar 9 08:48:12 2022 [pid 2620767] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar 9 08:48:12 2022 [pid 2620766] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar 9 08:55:07 2022 [pid 2621558] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar 9 08:55:15 2022 [pid 2621560] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar 9 08:55:23 2022 [pid 2621562] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar 9 08:55:23 2022 [pid 2621564] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar 9 08:55:26 2022 [pid 2621566] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar 9 09:36:56 2022 [pid 2627379] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar 9 09:37:48 2022 [pid 2627498] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar 9 09:37:57 2022 [pid 2627500] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar 9 09:37:57 2022 [pid 2627501] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar 9 09:37:58 2022 [pid 2627504] [blaas] FAIL LOGIN: Client "some_IP"
`-
Missed line(s): too many to print.  Use --print-all-missed to print all 362 lines
Checking with fail2ban cli / fail2ban-client status vsftpd
Status for the jail: vsftpd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- Journal matches:
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:
Any idea what may cause this not banning the "matched" IPs / how to debug
further?
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
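
An added example, not part of the original post: fail2ban-regex counts every line in the file that matches the failregex, whereas a running jail only counts failures whose timestamp lies inside findtime. The sketch below replays constructed log lines through the failregex shown above using the jail's findtime and maxretry; the sample lines, the simplified host group and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Date prefix as written in vsftpd.log; the remainder is what the failregex sees.
DATE = re.compile(r'^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})(.*)$')
FMT = "%a %b %d %H:%M:%S %Y"
# failregex from the fail2ban-regex output above; <HOST> is replaced by a
# simplified capture group (assumption: fail2ban's real <HOST> is broader).
FAILREGEX = re.compile(
    r'^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client "(?P<host>[\w.:-]+)"(?:\s*$|,)'
)

# Constructed sample lines (documentation address ranges, not real clients).
SAMPLE = [
    'Wed Mar  9 08:36:06 2022 [pid 2619415] [bla] FAIL LOGIN: Client "192.0.2.10"',
    'Wed Mar  9 08:36:13 2022 [pid 2619420] [bla] FAIL LOGIN: Client "192.0.2.10"',
    'Wed Mar  9 08:40:00 2022 [pid 2619500] [bla] OK LOGIN: Client "192.0.2.20"',
    'Wed Mar  9 10:30:00 2022 [pid 2630001] [blaas] FAIL LOGIN: Client "203.0.113.5"',
]

def failures(lines):
    """Yield (timestamp, host) for every line the failregex matches."""
    for line in lines:
        dated = DATE.match(line)
        if not dated:
            continue  # no recognisable timestamp: cannot be placed in time
        hit = FAILREGEX.match(dated.group(2))
        if hit:
            yield datetime.strptime(dated.group(1), FMT), hit.group("host")

def regex_hits(lines):
    """Offline view (like fail2ban-regex): matches are counted regardless of age."""
    return sum(1 for _ in failures(lines))

def jail_bans(lines, now, findtime=5000, maxretry=1):
    """Jail view: only failures newer than now - findtime count towards maxretry."""
    cutoff = now - timedelta(seconds=findtime)
    counts = {}
    for ts, host in failures(lines):
        if ts >= cutoff:
            counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    print("regex hits:", regex_hits(SAMPLE))
    print("bans at 10:35:", jail_bans(SAMPLE, datetime(2022, 3, 9, 10, 35)))
    print("bans at 12:00:", jail_bans(SAMPLE, datetime(2022, 3, 9, 12, 0)))
```
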