github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #382 from grooverdan/vsftpd 

Vsftpd
pull/381/merge
Yaroslav Halchenko 2013-10-08 19:47:38 -07:00
parent 1a2354a3e1 46386412a4
commit a7b1b802e0
3 changed files with 13 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ChangeLog
View File

@ -76,6 +76,7 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
* filter.d/apache-auth - added expressions for mod_authz, mod_auth and * filter.d/apache-auth - added expressions for mod_authz, mod_auth and
mod_auth_digest failures. mod_auth_digest failures.
* filter.d/recidive -- support f2b syslog target and anchor regex at start * filter.d/recidive -- support f2b syslog target and anchor regex at start
* filter.d/vsftpd - anchored regex at start. disable old pam format regex
* filter.d/pam-generic - added syslog prefix. Disabled support for * filter.d/pam-generic - added syslog prefix. Disabled support for
linux-pam before version 0.99.2.0 (2005) linux-pam before version 0.99.2.0 (2005)
* filter.d/gssftpd - anchored regex at start * filter.d/gssftpd - anchored regex at start

11
config/filter.d/vsftpd.conf
View File

@ -4,8 +4,15 @@
# #
# #
[INCLUDES]
before = common.conf
[Definition] [Definition]
__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
_daemon = vsftpd
# Option: failregex # Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The # Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
@ -13,8 +20,8 @@
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$ failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty= ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
\[.+\] FAIL LOGIN: Client "<HOST>"\s*$ ^ \[pid \d+\] \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
# Option: ignoreregex # Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored. # Notes.: regex to ignore. If this regex matches, the line is ignored.

4
testcases/files/logs/vsftpd
View File

@ -1,7 +1,9 @@
#1 PAM based #1 PAM based
# failJSON: { "time": "2004-10-11T01:06:47", "match": true , "host": "209.67.1.67" } # failJSON: { "time": "2004-10-11T01:06:47", "match": true , "host": "209.67.1.67" }
Oct 11 01:06:47 ServerJV vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=209.67.1.67 Oct 11 01:06:47 ServerJV vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=209.67.1.67
# failJSON: { "time": "2005-02-06T12:02:29", "match": true , "host": "64.168.103.1" }
# Pam pre 0.99.2.0 - https://github.com/fail2ban/fail2ban/pull/358
# failJSON: { "time": "2005-02-06T12:02:29", "match": false , "host": "64.168.103.1" }
Feb 6 12:02:29 server vsftpd(pam_unix)[15522]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=64.168.103.1 user=user1 Feb 6 12:02:29 server vsftpd(pam_unix)[15522]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=64.168.103.1 user=user1
#2 Internal #2 Internal