On Thu, 21 Dec 2006 23:58:37 -0500 Yaroslav Halchenko <[EMAIL PROTECTED]> wrote:
> Hi > > It seems that Debian shipped vsftp comes with pam support which gets > enabled if you enable local_enable option It comes with pam support for local users (sorry I didn't express myself correctly) but not for non-local users. "local_enable" has always been enabled, because it's necessary for the non-local users to login (besides some other things). Internally, vsftpd mapps all those users to "virtual" (or whatever name you give), a non-privileged user. > > then I start getting auth.log entries like > Dec 21 23:37:06 belka vsftpd: (pam_unix) authentication failure; logname= > uid=0 euid=0 tty=ftp ruser=yoh rhost=165.230.95.67 user=yoh > which would match failregex as it was shipped in 0.7 > > and corresponding vsftpd.log line > Thu Dec 21 23:37:08 2006 [pid 22501] [yoh] FAIL LOGIN: Client "165.230.95.67" > > so you must be using some non-standard setup to don't trigger log > entries in auth.log. > ok - I would join both failregexes into 1, so depending on the file used > and setup one or another would be used ;-) > > Tentative version is here > http://itanix.rutgers.edu/rumba/dists/sid/perspect/binary-all/net/fail2ban_0.7.5-3~pre2_all.deb > Please give it a try so I am sure that failregex works before I upload > it to debian > 0.7.5-3-pre1 worked fine with failregex failregex = \[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$ The actual one (0.7.5-3-pre2) is not working: failregex = (?:vsftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>|\[.+\] FAIL LOGIN: Client "<HOST>")$ I can't think of any change I've made to have such a "non-standard" setup. The custom vsftpd I'm using is the same I had with fail2ban 0.6, when I've already told you it was working ok. Could it be a change in PAM logging? Think I had to install libpam0g-dev in order to make non-local users logins to work... maybe an update of that package? Don't know if I'm saying dumb things... ______________________________________________ LLama Gratis a cualquier PC del Mundo. Llamadas a fijos y móviles desde 1 céntimo por minuto. http://es.voice.yahoo.com -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
