
Fail2ban starts okay. It works with my sshd filter and bans IP addresses as it should. But with vsftpd it does not register failed logins when I run:

fail2ban-client status vsftpd

I have tried both the auth.log and vsftpd.log. The file path is changed from what I really have for security reasons and is not really /path/to/thelog.log.

vsftpd.log:

Status for the jail: vsftpd
|- filter
|  |- File list:    /path/to/vsftpd.log 
|  |- Currently failed: 0
|  `- Total failed: 0
`- action
   |- Currently banned: 0
   |  `- IP list:   
   `- Total banned: 0

auth.log:

Status for the jail: vsftpd
|- filter
|  |- File list:    /path/to/auth.log 
|  |- Currently failed: 0
|  `- Total failed: 0
`- action
   |- Currently banned: 0
   |  `- IP list:   
   `- Total banned: 0

But with fail2ban-regex it catches the failed logins.

vsftpd.log:

Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/vsftpd.conf
Use         log file : /path/to/vsftpd.log


Results
=======

Failregex: 16 total
|-  #) [# of hits] regular expression
|   2) [16] ^ \[pid \d+\] \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [806] WEEKDAY MONTH Day Hour:Minute:Second Year
`-

Lines: 806 lines, 0 ignored, 16 matched, 790 missed
Missed line(s): too many to print.  Use --print-all-missed to print all 790 lines

auth.log:

Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/vsftpd.conf
Use         log file : /path/to/auth.log


Results
=======

Failregex: 16 total
|-  #) [# of hits] regular expression
|   1) [16] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\])?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?vsftpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?vsftpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*\(?pam_unix(?:\(\S+\))?\)?:?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [9174] MONTH Day Hour:Minute:Second
`-

Lines: 9174 lines, 0 ignored, 16 matched, 9158 missed
Missed line(s): too many to print.  Use --print-all-missed to print all 9158 lines

I've tested by failing to log in with the right password (logging in with the wrong password, that is :) ), and with fail2ban-regex the number keeps rising, but the status for the jail is still 0 and three failed logins do not trigger a ban.

jail.local:

[vsftpd]
enable     = true
filter     = vsftpd
action     = iptables-multiport[name=vsftpd, port="20, 21, 10204, 10205"]
logpath    = /path/to/auth.log
bantime   = 60
maxretry   = 3

bantime = 60 sec is only for testing.

Any ideas why it's not working?

user251959

4 Answers

vsftpd.log deny log looks like:

Wed Jun 29 14:57:37 2016 [pid 2517] [username] FTP response: Client "::ffff:192.168.0.100", "530 Permission denied."

and the default failregex, which isn't working, in the fail2ban config file located at "/etc/fail2ban/filter.d/vsftpd.conf" looks like

failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^ \[pid \d+\] \[.+\] FAIL LOGIN: Client "<HOST>"\s*$

So you need to change failregex to the following to get it working with vsftpd:

failregex = ^%(__prefix_line)s%(__pam_re)s\s+Permission denied; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^ \[pid \d+\] \[.+\]\s+FTP response: Client "::ffff:<HOST>",\s*"530 Permission denied\."\s*$

Checked on Ubuntu with vsftpd version 3.0.3.

Esa Jokinen
voipadmin
  • Thanks a lot. I hadn't the "::ffff:" in front of the IP. So "" worked for me. Also added the original regex after this new one. – Mtxz Sep 14 '22 at 20:43
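The answer and the comment differ only in whether the literal "::ffff:" sits in front of <HOST>. The following added example (not code from the question, the answer, or the fail2ban project) reproduces what fail2ban-regex does for vsftpd.log lines: it strips the date, expands <HOST> the way fail2ban's filter did in the 0.8/0.9 series (an assumption for this example; newer releases expand it more elaborately), and runs the default "FAIL LOGIN" pattern, the answer's "530 Permission denied" pattern, and the comment's variant over constructed sample lines. It shows that the answer's pattern only catches clients logged with the IPv4-mapped "::ffff:" prefix, while the comment's variant catches both forms, because <HOST> itself already allows an optional "::ffff:".

```python
import re

# Approximation of fail2ban's <HOST> expansion (fail2ban 0.8/0.9 filter.py):
# an optional IPv4-mapped IPv6 prefix followed by a named "host" group.
# Assumption for this example, not copied from the current fail2ban source.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Default vsftpd.log pattern from /etc/fail2ban/filter.d/vsftpd.conf.
DEFAULT_FAIL_LOGIN = r'^ \[pid \d+\] \[.+\] FAIL LOGIN: Client "<HOST>"\s*$'
# Pattern proposed in the answer above (literal "::ffff:" before <HOST>).
ANSWER_530 = (r'^ \[pid \d+\] \[.+\]\s+FTP response: Client "::ffff:<HOST>",'
              r'\s*"530 Permission denied\."\s*$')
# Variant from the comment: drop the literal "::ffff:" and let <HOST> absorb it.
COMMENT_530 = (r'^ \[pid \d+\] \[.+\]\s+FTP response: Client "<HOST>",'
               r'\s*"530 Permission denied\."\s*$')

# Constructed sample lines in vsftpd.log format (not real traffic).
SAMPLE_LOG = [
    'Wed Jun 29 14:57:37 2016 [pid 2517] [username] FTP response: '
    'Client "::ffff:192.168.0.100", "530 Permission denied."',
    'Wed Jun 29 14:57:41 2016 [pid 2519] [username] FTP response: '
    'Client "192.168.0.101", "530 Permission denied."',
    'Wed Jun 29 14:58:02 2016 [pid 2521] [username] FAIL LOGIN: '
    'Client "::ffff:192.168.0.102"',
    'Wed Jun 29 14:58:10 2016 [pid 2523] [username] OK LOGIN: '
    'Client "::ffff:192.168.0.103"',
]

# The "WEEKDAY MONTH Day Hour:Minute:Second Year" template that fail2ban-regex
# reported for vsftpd.log. fail2ban removes the matched date before applying
# the failregex, which is why the patterns above start with "^ \[pid".
DATE_RE = re.compile(r"^\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}")


def compile_failregex(pattern):
    """Expand the <HOST> placeholder and compile the resulting regex."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def strip_date(line):
    """Remove the leading timestamp, as fail2ban does before matching."""
    return DATE_RE.sub("", line, count=1)


def match_hosts(pattern, lines):
    """Return the hosts a failregex extracts from the lines, in log order."""
    rx = compile_failregex(pattern)
    hosts = []
    for line in lines:
        m = rx.search(strip_date(line))
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    for name, pattern in [("default FAIL LOGIN", DEFAULT_FAIL_LOGIN),
                          ("answer 530", ANSWER_530),
                          ("comment 530", COMMENT_530)]:
        hosts = match_hosts(pattern, SAMPLE_LOG)
        print(f"{name}: [{len(hosts)}] hits -> {hosts}")
```

Run against a real vsftpd.log, `match_hosts` tells you which pattern your server's log format actually needs; the authoritative check remains `fail2ban-regex /path/to/vsftpd.log /etc/fail2ban/filter.d/vsftpd.conf` after editing the filter.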

I think you have a typo in your jail.local. It's enabled = true, not enable.

You should check your fail2ban.log that contains a line like:

INFO    Jail 'vsftpd' started
sgargel

Where are your log files stored?

Are they in /scripts/logs/vsftpd.log and /scripts/logs/auth.log? That is where the fail2ban daemon is looking for them as per your jail.local.

Because in your fail2ban-regex output pastes, it is saying it is using /path/to/vsftpd.log and /path/to/auth.log.

Did you just cut out the /scripts/logs/ from the fail2ban-regex outputs and paste in the /path/to/ placeholders? Or are your logs actually in /path/to/?

  • I was trying to just use placeholders to not show the actual path but failed on jail.local. They are in scripts/logs folder. – user251959 Nov 02 '14 at 18:19
  • Yeah, that's what I figured, but I had to be sure -- maybe you had copy/pasted the vsftpd.conf from somewhere and didn't edit the path. – Justin L. Franks Nov 02 '14 at 23:43
dual_log_enable=YES

This setting enables DNS and IP search.

Alexander Tolkachev