start:howto:fail2ban [2015/09/28 15:41] mrpink |
start:howto:fail2ban [2016/09/17 15:12] (current) flames [jail.local] |
||
---|---|---|---|
Line 10: | Line 10: | ||
First we need to install fail2ban via aptitude | First we need to install fail2ban via aptitude | ||
- | # aptitude update | + | |
- | # aptitude install fail2ban | + | # aptitude update && aptitude install fail2ban |
===== Configuration ===== | ===== Configuration ===== | ||
Line 182: | Line 182: | ||
filter = proftpd | filter = proftpd | ||
logpath = /var/log/auth.log | logpath = /var/log/auth.log | ||
+ | maxretry = 6 | ||
+ | |||
+ | |||
+ | [vsftpd] | ||
+ | |||
+ | enabled = true | ||
+ | port = ftp,ftp-data,ftps,ftps-data | ||
+ | filter = vsftpd-fixed | ||
+ | logpath = /var/log/vsftpd.log | ||
maxretry = 6 | maxretry = 6 | ||
Line 302: | Line 311: | ||
# | # | ||
ignoreregex = | ignoreregex = | ||
+ | </code> | ||
+ | |||
+ | ---- | ||
+ | |||
+ | Restart fail2ban and test if all is working: | ||
+ | |||
+ | |||
+ | # service fail2ban restart | ||
+ | |||
+ | |||
+ | ===== vsftpd ===== | ||
+ | |||
+ | Now create a new file **/etc/fail2ban/filter.d/vsftpd-fixed.conf** and copy the following content into the file: | ||
+ | |||
+ | <code> | ||
+ | # Fail2Ban filter for vsftp | ||
+ | # | ||
+ | # Configure VSFTP for "dual_log_enable=YES", and have fail2ban watch | ||
+ | # /var/log/vsftpd.log instead of /var/log/secure. vsftpd.log file shows the | ||
+ | # incoming ip address rather than domain names. | ||
+ | |||
+ | [INCLUDES] | ||
+ | |||
+ | before = common.conf | ||
+ | |||
+ | [Definition] | ||
+ | |||
+ | __pam_re=\(?pam_unix(?:\(\S+\))?\)?:? | ||
+ | _daemon = vsftpd | ||
+ | |||
+ | failregex = ^%(__prefix_line)s%(__pam_re)s\s+Permission denied; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$ | ||
+ | ^ \[pid \d+\] \[.+\]\s+FTP response: Client "::ffff:<HOST>",\s*"530 Permission denied\."\s*$ | ||
+ | |||
+ | ignoreregex = | ||
+ | |||
+ | # Version from fail2ban wiki does't work, fixed version | ||
</code> | </code> | ||
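Review bot: The second `failregex` line in the new vsftpd-fixed.conf hard-codes `::ffff:` in front of `<HOST>`, so it only matches when vsftpd logs an IPv4-mapped address; on a server listening on plain IPv4 the client is presumably logged without that prefix and the jail would silently never ban. Making the prefix optional covers both cases: `Client "(?:::ffff:)?<HOST>",\s*"530 Permission denied\."\s*$`. The `FTP response:` lines also appear to depend on vsftpd's `log_ftp_protocol=YES`, which the filter's header comment does not mention alongside `dual_log_enable=YES`, and the pattern covers only `530 Permission denied.`, so it is worth confirming with `fail2ban-regex` against a real failed-password entry in /var/log/vsftpd.log that ordinary bad logins are counted. Separately, the page now tells the reader to restart fail2ban before the filter file exists while jail.local already references `filter = vsftpd-fixed`; the restart step would be safer placed after the vsftpd section.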