July 11, 2015

I succeeded in running fail2ban to ban vsftpd brute-force attacks. It would be nice to convert this to a plugin.

Needed packages:

http://slackware.cs.utah.edu/pub/slackware/slackware64-14.1/slackware64/d/python-2.7.5-x86_64-1.txz (if you have python you can skip this)
http://repository.slacky.eu/slackware-12.1/system/fail2ban/0.8.3/fail2ban-0.8.3-noarch-1cv.tgz
http://slackware.org.uk/slacky/slackware64-14.1/libraries/geoip/1.5.1/geoip-1.5.1-x86_64-1sl.txz (optional)

Put python and geoip in /boot/extra. My go file lines to install & run fail2ban:

# Wait until the array is started (grep returns 0 once /proc/mdcmd reports STARTED)
until grep -q -a "STARTED" /proc/mdcmd 2>/dev/null ; do echo ">>>waiting..." ; sleep 5 ; done ; echo ">>>STARTED."

# fail2ban install: install the package, copy the local config files, start the service
installpkg /boot/custom/fail2ban-0.8.3-noarch-1cv.tgz | logger -t fail2ban
chmod 755 /etc/rc.d/rc.fail2ban
# /boot/custom/fail2ban holds jail.local, action.d/ and filter.d/; this merges them into /etc/fail2ban
cp -r /boot/custom/fail2ban /etc
/etc/rc.d/rc.fail2ban start | logger -t fail2ban

A few modifications to vsftpd.conf:

syslog_enable=NO
log_ftp_protocol=YES
xferlog_enable=YES
xferlog_std_format=NO
# with xferlog_std_format=NO the vsftpd-style log is written to vsftpd_log_file
# (default /var/log/vsftpd.log); xferlog_file only names the wu-ftpd style log
vsftpd_log_file=/var/log/vsftpd.log
xferlog_file=/var/log/vsftpd.log

fail2ban advises not to change the conf files; instead, use .local files for your changes. I put my .local files in /boot/custom/fail2ban/, /boot/custom/fail2ban/action.d/ and /boot/custom/fail2ban/filter.d. Make sure your .local files' permissions are appropriate.

/fail2ban/jail.local:

# Fail2Ban configuration file

[DEFAULT]

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = polling

# Do not ban anybody. Just report information about the remote host.
# A notification is sent at most once per "bantime" seconds.
[vsftpd-notification]
enabled  = false
filter   = vsftpd
action   = pushover-notify[name=VSFTPD]
logpath  = /var/log/vsftpd.log
maxretry = 3
bantime  = 60

# Same as above but with banning the IP address.
[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           pushover-notify[name=VSFTPD]
logpath  = /var/log/vsftpd.log
maxretry = 3
bantime  = 1800

/fail2ban/filter.d/vsftpd.local:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 658 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
            \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
            \S*\s*Client "<HOST>", "530 Permission denied."$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

/fail2ban/action.d/pushover-notify.local (to use Pushover notifications; if you don't, you have to modify jail.local):

# Fail2Ban configuration file
#

[Definition]

# Notify on Startup
actionstart = /usr/bin/curl -s -F "token=<token>" -F "user=<user>" -F "title=Startup" -F "message=Jail <name> has been started successfully." https://api.pushover.net/1/messages

# Notify on Shutdown
actionstop = /usr/bin/curl -s -F "token=<token>" -F "user=<user>" -F "title=Shutdown" -F "message=Jail <name> has been stopped." https://api.pushover.net/1/messages

# Nothing to check; the action keeps no state
actioncheck =

# Notify on Banned (geoiplookup output is appended if the optional geoip package is installed)
actionban = /usr/bin/curl -s -F "token=<token>" -F "user=<user>" -F "title=Banned <name>" -F "message=Banned IP: <ip> Attempts: <failures> `geoiplookup <ip>`" https://api.pushover.net/1/messages

# Notify on Unbanned
actionunban = /usr/bin/curl -s -F "token=<token>" -F "user=<user>" -F "title=Unbanned <name>" -F "message=Unbanned IP: <ip> Attempts: <failures> `geoiplookup <ip>`" https://api.pushover.net/1/messages

[init]

# Default name of the chain
#
name = default

# Application token key
#
token = your_token_here

# User API key
#
user = your_api_key_here

After completing the steps, either restart your server or manually install the needed packages and run the lines we just added to the go file.

Some Important Notes:

- I can't find the latest compiled Slackware package for fail2ban, so this is not an up-to-date version.
- vsftpd doesn't log wrong password attempts properly (I guess this is an unRAID issue; I googled it but can't find anything). So with this setup and regex I can only ban wrong user attempts; because of that I removed admin from the vsftpd users.

Hope this will help somebody to install & run fail2ban and to develop a plugin.
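An added example, not part of the post above and not fail2ban's own code: it applies the three failregex lines from the vsftpd filter to constructed vsftpd-style log lines (sample data, not a real capture) and replays them through a findtime/maxretry window the way the vsftpd-iptables jail would, so you can check what the filter catches before enabling the iptables action. The <HOST> expansion and the date-stripped search mirror what fail2ban 0.8 does; the ban bookkeeping is a simplified stand-in for the jail, and the hostname "tower" in the syslog-style sample line is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban 0.8 replaces the <HOST> tag with this named group before compiling
# (the same expansion the filter header in the post describes).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The three failregex lines from the post's filter.d/vsftpd.local.
FAILREGEX = [
    r"vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$",
    r'\[.+\] FAIL LOGIN: Client "<HOST>"\s*$',
    r'\S*\s*Client "<HOST>", "530 Permission denied."$',
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]


def match_failure(line):
    """Return the host captured by the first matching failregex, or None.
    fail2ban searches the remainder of the line after the date, so the
    patterns are not anchored at the start of the line."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def parse_ts(line):
    """Timestamp of a vsftpd-style (xferlog_std_format=NO) log line, which
    begins like 'Sat Jul 11 10:00:01 2015'."""
    return datetime.strptime(line[:24], "%a %b %d %H:%M:%S %Y")


def scan(lines, maxretry=3, findtime=600, bantime=1800):
    """Replay vsftpd log lines through a jail's findtime/maxretry window
    (defaults are the vsftpd-iptables jail's values). Returns the ban
    decisions as a list of (host, time_of_ban)."""
    recent = defaultdict(deque)  # host -> failure times still inside findtime
    banned = {}                  # host -> when the current ban expires
    bans = []
    for line in lines:
        host = match_failure(line)
        if host is None:
            continue
        ts = parse_ts(line)
        if host in banned and ts < banned[host]:
            continue  # still banned; with iptables DROP no new lines would appear anyway
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # failures older than findtime no longer count
        if len(window) >= maxretry:
            banned[host] = ts + timedelta(seconds=bantime)
            bans.append((host, ts))
            window.clear()
    return bans


# Constructed sample log in vsftpd's own log format (not a real capture).
# 203.0.113.5 fails three times in four seconds; 192.0.2.9 spreads its
# failures out so the first one drops out of the 600 s window.
SAMPLE_LOG = [
    'Sat Jul 11 10:00:01 2015 [pid 1201] [admin] FAIL LOGIN: Client "203.0.113.5"',
    'Sat Jul 11 10:00:02 2015 [pid 1202] CONNECT: Client "198.51.100.7"',
    'Sat Jul 11 10:00:03 2015 [pid 1201] [root] FAIL LOGIN: Client "203.0.113.5"',
    'Sat Jul 11 10:00:04 2015 [pid 1202] [backup] OK LOGIN: Client "198.51.100.7"',
    'Sat Jul 11 10:00:05 2015 [pid 1201] [test] FAIL LOGIN: Client "203.0.113.5"',
    'Sat Jul 11 10:00:06 2015 [pid 1201] [test] FAIL LOGIN: Client "203.0.113.5"',
    'Sat Jul 11 10:30:00 2015 [pid 1210] [guest] FAIL LOGIN: Client "192.0.2.9"',
    'Sat Jul 11 10:45:00 2015 [pid 1211] [guest] FAIL LOGIN: Client "192.0.2.9"',
    'Sat Jul 11 10:50:00 2015 [pid 1212] [guest] FAIL LOGIN: Client "192.0.2.9"',
    'Sat Jul 11 10:52:00 2015 [pid 1213] [guest] FAIL LOGIN: Client "192.0.2.9"',
]

# Constructed lines for the other two patterns: a syslog/PAM line (only seen
# with syslog_enable=YES) and a log_ftp_protocol=YES response line.
PAM_LINE = ("Jul 11 10:00:00 tower vsftpd(pam_unix)[1205]: authentication failure; "
            "logname= uid=0 euid=0 tty=ftp ruser=admin rhost=203.0.113.5 user=admin")
RESPONSE_LINE = ('Sat Jul 11 10:00:07 2015 [pid 1207] [nobody] FTP response: '
                 'Client "203.0.113.5", "530 Permission denied."')

if __name__ == "__main__":
    for line in SAMPLE_LOG + [PAM_LINE, RESPONSE_LINE]:
        print(match_failure(line), "<-", line)
    for host, when in scan(SAMPLE_LOG):
        print("BAN", host, "at", when)
```

Two things the replay makes visible: the first 192.0.2.9 failure at 10:30 has already aged out of the 600 s window by 10:45, so the ban only lands on the fourth attempt at 10:52 (with findtime=3600 it lands on the third), and the third pattern only fires on "530 Permission denied.", which is the reply vsftpd gives when a user name is rejected; a wrong password gets "530 Login incorrect." and is not matched by that line.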