Posted: 2007/09/02 01:19:58
by reckless2k2
I'm hoping someone can help me out with my "failregex" for vsftpd in fail2ban. I can't seem to get the string correct or maybe my logfile location is incorrect. I've attached the vsftpd section of my fail2ban.conf in /etc. Here is the version: fail2ban-0.6.2-1.el4.rf

Thanks for any help.

# Option: enabled
# Notes.: enable monitoring for this section.
# Values: [true | false] Default: false
enabled = true

# Option: logfile
# Notes.: logfile to monitor.
# Values: FILE Default: /var/log/secure
logfile = /var/log/messages

# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
port = ftp

# Option: timeregex
# Notes.: regex to match timestamp in VSFTPD logfile.
# Values: [Mar 7 17:53:28]
# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}

# Option: timepattern
# Notes.: format used in "timeregex" fields definition. Note that '%' must be
# escaped with '%' (see
# Values: TEXT Default: %%b %%d %%H:%%M:%%S
timepattern = %%b %%d %%H:%%M:%%S

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT Default: Authentication failure|Failed password|Invalid user
failregex = vsftpd: \(pam_unix\) authentication failure; .* rhost=(?P<host>\S+)
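
One way to check a failregex against log lines before loading it into fail2ban, added here as an example and not part of the original post. The sample log lines are constructed, their layouts are assumptions about what a syslog/PAM setup might write, and `LOOSER_FAILREGEX` is a hypothetical alternative; substitute real lines from the monitored logfile.

```python
import re

# Regexes exactly as posted in the thread (fail2ban uses Python regex syntax).
POSTED_FAILREGEX = r"vsftpd: \(pam_unix\) authentication failure; .* rhost=(?P<host>\S+)"
TIMEREGEX = r"\S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}"
# Hypothetical looser pattern (not from the thread): tolerates any text
# between the service name and the failure message.
LOOSER_FAILREGEX = r"vsftpd.*authentication failure; .* rhost=(?P<host>\S+)"

# Constructed sample lines; the three failure layouts are assumptions.
TAIL = "authentication failure; logname= uid=0 euid=0 tty= ruser= rhost="
SAMPLE_LINES = [
    # Layout the posted regex expects.
    "Sep  2 01:10:11 ftp1 vsftpd: (pam_unix) " + TAIL + "192.0.2.10",
    # Assumed layout: service(pam_unix)[pid]:
    "Sep  2 01:10:15 ftp1 vsftpd(pam_unix)[4211]: " + TAIL + "192.0.2.11",
    # Assumed layout: pam_unix(service:auth):
    "Sep  2 01:10:19 ftp1 vsftpd: pam_unix(vsftpd:auth): " + TAIL + "192.0.2.12",
    # Non-failure line that must never match.
    'Sep  2 01:11:02 ftp1 vsftpd: OK LOGIN: Client "192.0.2.20"',
]


def check(failregex, lines, timeregex=TIMEREGEX):
    """Return (hosts, unmatched): captured hosts and the lines that did not match."""
    fail_re, time_re = re.compile(failregex), re.compile(timeregex)
    hosts, unmatched = [], []
    for line in lines:
        m = fail_re.search(line)
        # Also confirm the configured timeregex finds a timestamp on the line.
        if m and time_re.search(line):
            hosts.append(m.group("host"))
        else:
            unmatched.append(line)
    return hosts, unmatched


if __name__ == "__main__":
    for name, rx in (("posted", POSTED_FAILREGEX), ("looser", LOOSER_FAILREGEX)):
        hosts, unmatched = check(rx, SAMPLE_LINES)
        print(f"{name}: matched hosts {hosts}")
        for line in unmatched:
            print(f"  no match: {line}")
```
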

Posted: 2007/09/07 18:02:56
by reckless2k2
So there are no fail2ban ninjas around here? I figure this would be a very useful server tool and I'd find some expertise in this place. I'm surprised I'm alone in this place trying to run this. Is everyone else running denyhosts or just not bothering with anything at all?

Posted: 2007/09/07 21:54:30
by michaelnel
I ran fail2ban until I discovered denyhosts. I switched all of our servers over to denyhosts.