Package: fail2ban
Version: 0.8.4-3
Severity: normal

The default config file (/filter.d/proftpd.conf) needs a comment about this, because 
the regexp in it is written to parse syslog-format data.
But the default configuration of proftpd writes its logs into a separate file such as 
/var/log/proftpd/proftpd.log.

In this file the date format is very different from the syslog date format, so 
fail2ban does not work on a default install and does not protect proftpd by default.

The config file jail.conf also has an issue: the [proftpd] jail must be given a syslog 
file such as /var/log/syslog.

-- System Information:
Debian Release: 6.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages fail2ban depends on:
ii  lsb-base                3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii  python                  2.6.6-3+squeeze6 interactive high-level object-orie
ii  python-central          0.6.16+nmu1      register and build utility for Pyt

Versions of packages fail2ban recommends:
ii  iptables                      1.4.8-3    administration tools for packet fi
ii  whois                         5.0.10     an intelligent whois client

Versions of packages fail2ban suggests:
ii  bsd-mailx [mailx]  8.1.2-0.20100314cvs-1 simple mail user agent
ii  mailx              1:20071201-3          Transitional package for mailx ren
pn  python-gamin       <none>                (no description available)

-- Configuration Files:
/etc/fail2ban/filter.d/proftpd.conf changed:
# filter.d/proftpd.conf as changed on this system (dumped by reportbug above).
# Read by fail2ban's ConfigParser-based loader; <HOST> is fail2ban's
# placeholder for the address to ban.
[Definition]
# Every pattern starts with the "(hostname[ip])" prefix, i.e. the line layout
# proftpd uses when it logs via syslog. The report above attributes the
# failure to the different date format in proftpd's own log file
# (/var/log/proftpd/proftpd.log), so with proftpd's stock logging nothing is
# matched and no ban is ever issued.
# NOTE(review): the first pattern is split over two lines below; presumably
# mail wrapping, but confirm it is one line in the real file — a second line
# that is not indented is not joined to the previous value by ConfigParser.
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ 
\[\S+\] to \S+:\S+ *$
            \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): .*$
            \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\. *$
            \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$
# empty: no matched line is excluded from counting
ignoreregex = 

/etc/fail2ban/jail.conf changed:
# jail.conf as changed on this system. [DEFAULT] values are inherited by every
# jail below unless the jail sets the key itself (Python ConfigParser
# semantics).
[DEFAULT]
# NOTE(review): 192.168.0.0 carries no /24 mask here, while the [ssh] and
# [proftpd] jails spell it 192.168.0.0/24 — a bare address is presumably
# treated as a single host, so this default does not exempt the LAN; confirm
# which form is intended and use it consistently.
ignoreip = 127.0.0.1 192.168.0.0
maxretry = 6
# seconds; 31536000 = 365 days
bantime = 31536000
# file polling rather than gamin (python-gamin is not installed, see the
# package list above)
backend = polling
# recipient for the *_mw / *_mwl actions; address redacted in this listing
destemail = ad...@tech-club.ru
banaction = iptables-multiport
mta = sendmail
protocol = tcp
# NOTE(review): in the three action templates below the argument list ends in
# protocol="%(protocol)s] — the closing quote after %(protocol)s looks
# missing; verify against the installed file, since an unbalanced quote
# presumably changes how fail2ban splits the action arguments. The templates
# are also shown wrapped across lines here; presumably mail wrapping — in the
# real file each must be one line (or an indented continuation line).
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", 
protocol="%(protocol)s]
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", 
protocol="%(protocol)s]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", 
protocol="%(protocol)s]
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", 
protocol="%(protocol)s]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", 
logpath=%(logpath)s]
 
# ban only: the mail-sending variants action_mw / action_mwl are defined above
# but not selected
action = %(action_)s
[ssh]
enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 4
# NOTE(review): the two indented "#" lines in this section are not comments to
# Python 2's ConfigParser (fail2ban 0.8 runs on python 2.6.6 per the package
# list above): a line that starts with whitespace is appended to the preceding
# value, so "# one year - 365 days" presumably ends up inside maxretry and
# "# 1 week" inside bantime. Start comments in column 0 — confirm by checking
# fail2ban's log for a parse error on this section.
                        # one year - 365 days
bantime = 31536000
                        # 1 week
findtime = 604800
# overrides the [DEFAULT] ignoreip, which lacks the /24
ignoreip = 127.0.0.1 192.168.0.0/24
[pam-generic]
enabled = false
filter  = pam-generic
# NOTE(review): port is assigned twice in this section (all, then anyport);
# ConfigParser keeps the last assignment, so the effective value is
# presumably anyport. Keep only one. (iptables-allports presumably bans the
# host on every port, so the value is likely unused by this jail anyway.)
port = all
banaction = iptables-allports
port     = anyport
logpath  = /var/log/auth.log
maxretry = 6
# The jails from here to [vsftpd] are all disabled (enabled = false); they
# inherit bantime, ignoreip and action from [DEFAULT] unless set below.
# NOTE(review): port = all is paired with iptables-multiport-log here — if this
# jail is ever enabled, confirm that action accepts "all" as a port list (the
# other multiport jails in this file name real ports).
[xinetd-fail]
enabled   = false
filter    = xinetd-fail
port      = all
banaction = iptables-multiport-log
logpath   = /var/log/daemon.log
maxretry  = 2
[ssh-ddos]
enabled = false
port    = ssh
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6
# the four apache jails share one logpath pattern; presumably expanded as a
# glob by fail2ban — confirm
[apache]
enabled = false
port    = http,https
filter  = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-multiport]
enabled   = false
port      = http,https
filter    = apache-auth
logpath   = /var/log/apache*/*error.log
maxretry  = 6
[apache-noscript]
enabled = false
port    = http,https
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-overflows]
enabled = false
port    = http,https
filter  = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2
[vsftpd]
enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/vsftpd.log
maxretry = 6
# The jail this report is about. The reporter enabled it and pointed it at a
# syslog file rather than /var/log/proftpd/proftpd.log, because the filter's
# patterns (filter.d/proftpd.conf above) are written for syslog-format lines.
[proftpd]
enabled  = true
port     = ftp,ftp-data
filter   = proftpd
# only useful if proftpd actually logs via syslog; the report says the stock
# proftpd writes to its own file instead
logpath  = /var/log/auth.log
# NOTE(review): the next comment is wrapped, and its second line
# ("to the proftpd.conf") has neither "#" nor leading whitespace — if that is
# in the real file and not just mail wrapping, ConfigParser presumably rejects
# it as a malformed option line. The comment itself is also indented, which
# Python 2's ConfigParser treats as a continuation of the preceding value
# rather than a comment (same for the two indented comments further down);
# start comments in column 0.
                        # 5 attempts, also add the MaxLoginAttempts 5 parametr 
to the proftpd.conf
# NOTE(review): the comment says 5 attempts but the value is 6 — presumably
# one of them is stale; align them.
maxretry = 6
# NOTE(review): the comment says one year but bantime here is 100 seconds, so
# an offender is unbanned after under two minutes; [DEFAULT] has 31536000.
# Presumably a test value left in — confirm before relying on this jail.
                        # one year - 365 days
bantime = 100
                        # 1 week
findtime = 604800
# overrides the [DEFAULT] ignoreip, which lacks the /24
ignoreip = 127.0.0.1 192.168.0.0/24
# Remaining jails, all disabled (enabled = false). Those without maxretry
# inherit 6 from [DEFAULT].
[wuftpd]
enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 6
[postfix]
enabled  = false
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log
[couriersmtp]
enabled  = false
port     = smtp,ssmtp
filter   = couriersmtp
logpath  = /var/log/mail.log
[courierauth]
enabled  = false
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = courierlogin
logpath  = /var/log/mail.log
[sasl]
enabled  = false
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
logpath  = /var/log/mail.log
# protocol is set explicitly here even though [DEFAULT] already says tcp
[named-refused-tcp]
enabled  = false
port     = domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/log/named/security.log


-- no debconf information


