Differences

This shows you the differences between two versions of the page.

--- start:howto:fail2ban [2015/09/28 15:45]
mrpink [Installation]
+++ start:howto:fail2ban [2016/09/17 15:11]
flames
@@ Line 182: / Line 182: @@
 filter   = proftpd
 logpath  = /var/log/auth.log
+maxretry = 6
+[vsftpd]
+enabled  = true
+port     = ftp,ftp-data,ftps,ftps-data
+filter   = vsftpd-custom
+logpath  = /var/log/vsftpd.log
 maxretry = 6
@@ Line 302: / Line 311: @@
 #
 ignoreregex =
+</code>
+----
+Restart fail2ban and test if all is working:
+# service fail2ban restart
+===== vsftpd =====
+Now create a new file **/etc/fail2ban/filter.d/vsftpd-fixed.conf** and copy the following content into the file:
+<code>
+# Fail2Ban filter for vsftp
+#
+# Configure VSFTP for "dual_log_enable=YES", and have fail2ban watch
+# /var/log/vsftpd.log instead of /var/log/secure. vsftpd.log file shows the
+# incoming ip address rather than domain names.
+[INCLUDES]
+before = common.conf
+[Definition]
+__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
+_daemon =  vsftpd
+failregex = ^%(__prefix_line)s%(__pam_re)s\s+Permission denied; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
+            ^ \[pid \d+\] \[.+\]\s+FTP response: Client "::ffff:<HOST>",\s*"530 Permission denied\."\s*$
+ignoreregex =
+# Version from fail2ban wiki does't work, fixed version
 </code>

i-MSCP Documentation