From 65d473fc8e3edea0419e061d88dac5586d9c223e Mon Sep 17 00:00:00 2001
From: Lucian Maly
Date: Tue, 4 Mar 2025 11:43:38 +1100
Subject: [PATCH 1/6] Added regex for systemd-journal matches of vsftpd

---
 config/filter.d/vsftpd.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/config/filter.d/vsftpd.conf b/config/filter.d/vsftpd.conf
index 2ecc44d3..53b1f4b3 100644
--- a/config/filter.d/vsftpd.conf
+++ b/config/filter.d/vsftpd.conf
@@ -15,8 +15,9 @@ _daemon = vsftpd
 failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=(?:\s+user=.*)?\s*$
 ^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client ""(?:\s*$|,)
+ ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]) vsftpd\[\d+\]: \[[^\]]+\] FAIL LOGIN: Client ""(?:\s*$|,)
-ignoreregex =
+ignoreregex =
 # Author: Cyril Jaquier
 # Documentation from fail2ban wiki

From bd4cb606e59e612a6dac124d296389ff28b45f0f Mon Sep 17 00:00:00 2001
From: Lucian Maly
Date: Tue, 4 Mar 2025 11:47:49 +1100
Subject: [PATCH 2/6] Added sample log line

---
 fail2ban/tests/files/logs/vsftpd | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fail2ban/tests/files/logs/vsftpd b/fail2ban/tests/files/logs/vsftpd
index 3205fac3..747cb6e1 100644
--- a/fail2ban/tests/files/logs/vsftpd
+++ b/fail2ban/tests/files/logs/vsftpd
@@ -15,3 +15,6 @@ Oct 23 21:15:42 vps vsftpd: pam_unix(vsftpd:auth): authentication failure; logna
 # failJSON: { "time": "2016-09-08T00:39:49", "match": true , "host": "192.0.2.1" }
 Thu Sep 8 00:39:49 2016 [pid 15019] [guest] FAIL LOGIN: Client "::ffff:192.0.2.1", "User is not in the allow user list."
+
+# systemd-journal
+2025-03-04T01:06:36.645577 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[1658]: [username] FAIL LOGIN: Client "121.251.18.222"

From 6e3bfd800c1cd7e8a769e754edc6db5e0e6f11de Mon Sep 17 00:00:00 2001
From: Lucian Maly
Date: Tue, 4 Mar 2025 12:26:14 +1100
Subject: [PATCH 3/6] Added author

---
 config/filter.d/vsftpd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/filter.d/vsftpd.conf b/config/filter.d/vsftpd.conf
index 53b1f4b3..44646086 100644
--- a/config/filter.d/vsftpd.conf
+++ b/config/filter.d/vsftpd.conf
@@ -19,5 +19,5 @@ failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S*
 ignoreregex =
-# Author: Cyril Jaquier
+# Authors: Cyril Jaquier, Lucian Maly
 # Documentation from fail2ban wiki

From 1e06ab68b4eba5391b78c5da8fbd5d062a965376 Mon Sep 17 00:00:00 2001
From: sebres
Date: Tue, 4 Mar 2025 13:47:59 +0100
Subject: [PATCH 4/6] fixed filter (new regex is unneeded), tests format of failures produced by system journal

---
 config/filter.d/vsftpd.conf | 3 +--
 fail2ban/tests/files/logs/vsftpd | 6 ++++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/config/filter.d/vsftpd.conf b/config/filter.d/vsftpd.conf
index 44646086..859a67c3 100644
--- a/config/filter.d/vsftpd.conf
+++ b/config/filter.d/vsftpd.conf
@@ -14,8 +14,7 @@ __pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:?
 _daemon = vsftpd
 failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=(?:\s+user=.*)?\s*$
- ^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client ""(?:\s*$|,)
- ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]) vsftpd\[\d+\]: \[[^\]]+\] FAIL LOGIN: Client ""(?:\s*$|,)
+ ^(?:\s*\[pid \d+\] |%(__prefix_line)s)\[[^\]]+\] FAIL LOGIN: Client ""(?:\s*$|,)
 ignoreregex =
diff --git a/fail2ban/tests/files/logs/vsftpd b/fail2ban/tests/files/logs/vsftpd
index 747cb6e1..ab51fd75 100644
--- a/fail2ban/tests/files/logs/vsftpd
+++ b/fail2ban/tests/files/logs/vsftpd
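Review bot: The `,` alternative at the end of the new `FAIL LOGIN` regex is the weak spot of this line: the bracketed login name skipped by `\[[^\]]+\]` is client-chosen, so if vsftpd writes it to the log unsanitized, a name such as `x] FAIL LOGIN: Client "192.0.2.9",` places a comma exactly where the regex accepts one and the spoofed address would be taken as the host. The comma is only there for the `, "User is not in the allow user list."` suffix seen in the test log, so it can be pinned to that shape by replacing `(?:\s*$|,)` with `(?:\s*$|, "[^"]*"\s*$)`, which keeps the match anchored to the end of the line in both forms. Whether vsftpd escapes `]` or `"` in the logged user name is not visible from this patch, so treat this as hardening of an anchor rather than a confirmed bypass. The host placeholder renders as `""` here, which looks like the `<HOST>` tag being stripped by the page rather than by the patch.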
@@ -16,5 +16,7 @@ Oct 23 21:15:42 vps vsftpd: pam_unix(vsftpd:auth): authentication failure; logna
 # failJSON: { "time": "2016-09-08T00:39:49", "match": true , "host": "192.0.2.1" }
 Thu Sep 8 00:39:49 2016 [pid 15019] [guest] FAIL LOGIN: Client "::ffff:192.0.2.1", "User is not in the allow user list."
-# systemd-journal
-2025-03-04T01:06:36.645577 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[1658]: [username] FAIL LOGIN: Client "121.251.18.222"
+# fileOptions: {"logtype": "journal"}
+
+# failJSON: { "match": true , "host": "192.0.2.222" }
+2025-03-04T01:06:36.645577 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[1658]: [username] FAIL LOGIN: Client "192.0.2.222"

From 94fe9cf4a8ce86c11af71be87f0e682bae210edd Mon Sep 17 00:00:00 2001
From: sebres
Date: Tue, 4 Mar 2025 14:13:07 +0100
Subject: [PATCH 5/6] more fixes, capture user names, more tests...

since line 7 matches successfully now (it was disabled in gh-358 because of obsolete format), it is marked as match:true (line can be removed later if unneeded)

---
 config/filter.d/vsftpd.conf | 4 ++--
 fail2ban/tests/files/logs/vsftpd | 11 ++++++++---
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/config/filter.d/vsftpd.conf b/config/filter.d/vsftpd.conf
index 859a67c3..8b3047ca 100644
--- a/config/filter.d/vsftpd.conf
+++ b/config/filter.d/vsftpd.conf
@@ -10,10 +10,10 @@ before = common.conf
 [Definition]
-__pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:?
+__pam_re=(?:\(?%(__pam_auth)s(?:\(\S+\))?\)?:?\s+)?
 _daemon = vsftpd
-failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=(?:\s+user=.*)?\s*$
+failregex = ^%(__prefix_line)s%(__pam_re)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=(?:ftp)? ruser=\S* rhost=(?:\s+user=\S*)?\s*$
 ^(?:\s*\[pid \d+\] |%(__prefix_line)s)\[[^\]]+\] FAIL LOGIN: Client ""(?:\s*$|,)
 ignoreregex =
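Review bot: `__pam_re` becomes optional here with no comment explaining why, while the commit's own test descriptions say it is unknown whether the journal format ever omits the `pam_unix(vsftpd:auth):` tag, so the next reader cannot tell whether the `(?:…\s+)?` wrapper is deliberate or a leftover. A why-comment above the definition would settle that, e.g. `# optional: journald entries may carry the failure without the pam module prefix (gh-3954)`. The switch from `user=.*` to `user=\S*` is the right tightening, since the user name is client-supplied and `.*` let it swallow the rest of the line; it deserves a short note as well, e.g. `# \S* keeps a crafted user name from absorbing trailing text`. The commit message says user names are now captured, but no capture tag is visible in this hunk as rendered, so it may have been stripped by the page.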
diff --git a/fail2ban/tests/files/logs/vsftpd b/fail2ban/tests/files/logs/vsftpd
index ab51fd75..18f3879c 100644
--- a/fail2ban/tests/files/logs/vsftpd
+++ b/fail2ban/tests/files/logs/vsftpd
@@ -2,8 +2,8 @@
 # failJSON: { "time": "2004-10-11T01:06:47", "match": true , "host": "209.67.1.67" }
 Oct 11 01:06:47 ServerJV vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=209.67.1.67
-# Pam pre 0.99.2.0 - https://github.com/fail2ban/fail2ban/pull/358
-# failJSON: { "time": "2005-02-06T12:02:29", "match": false , "host": "64.168.103.1" }
+# Pam pre 0.99.2.0 - https://github.com/fail2ban/fail2ban/pull/358 (format is obsolete, can be removed, but still match right now)
+# failJSON: { "time": "2005-02-06T12:02:29", "match": true , "host": "64.168.103.1", "desc": "obsolete, can be removed, but still match right now" }
 Feb 6 12:02:29 server vsftpd(pam_unix)[15522]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=64.168.103.1 user=user1
 #2 Internal
@@ -18,5 +18,10 @@ Thu Sep 8 00:39:49 2016 [pid 15019] [guest] FAIL LOGIN: Client "::ffff:192.0.2.
 # fileOptions: {"logtype": "journal"}
-# failJSON: { "match": true , "host": "192.0.2.222" }
+# failJSON: { "match": true , "host": "192.0.2.222", "desc": "gh-3954" }
 2025-03-04T01:06:36.645577 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[1658]: [username] FAIL LOGIN: Client "192.0.2.222"
+
+# failJSON: { "match": true , "host": "192.0.2.223", "desc": "gh-3954, more tests, without part `pam_unix(vsftpd:auth): ` (unknown if it is needed)" }
+2025-03-04T01:06:37.123456 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[1659]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.223 user=tester
+# failJSON: { "match": true , "host": "192.0.2.224", "desc": "gh-3954, more tests, with part `pam_unix(vsftpd:auth): ` (unknown if it is needed, but it matches)" }
+2025-03-04T01:06:38.123456 ip-172-31-3-150.ap-southeast-2.compute.internal vsftpd[1660]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.224 user=tester

From 79346e4f2c8a1f43be0ea02657a4318eda7cec37 Mon Sep 17 00:00:00 2001
From: sebres
Date: Tue, 4 Mar 2025 14:15:14 +0100
Subject: [PATCH 6/6] updated ChangeLog

---
 ChangeLog | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ChangeLog b/ChangeLog
index b43aac80..bc9094d1 100644
--- a/ChangeLog
+++ b/ChangeLog
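Review bot: The two new journal test lines end in `user=tester`, but their failJSON entries assert only `host`, so the user-name capture the commit message describes is not exercised by this data. If the filter does capture it, adding `"user": "tester"` to both of these failJSON lines (and `"user": "username"` to the `FAIL LOGIN` line above them) would pin that behaviour, assuming the harness accepts a `user` key as other filter test logs do. If it does not capture it, the commit message should be adjusted instead. The capture tag itself is not visible in the filter hunk as rendered here, so I cannot confirm which case applies.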
@@ -36,6 +36,7 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
 - adapted to conform possible new daemon name sshd-session, since OpenSSH 9.8 several log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd" (gh-3782)
 - `ddos` and `aggressive` modes: regex extended for timeout before authentication (optional connection from part, gh-3907)
+* `filter.d/vsftpd.conf` - fixed regex (if failures generated by systemd-journal, gh-3954)
 ### New Features and Enhancements
 * new jail option `skip_if_nologs` to ignore jail if no `logpath` matches found, fail2ban continue to start with warnings/errors,