Fail2ban

I succeeded in running fail2ban to ban vsftp brute-force attacks. It will be nice to convert this to a plugin.

 

needed packages:

http://slackware.cs.utah.edu/pub/slackware/slackware64-14.1/slackware64/d/python-2.7.5-x86_64-1.txz (if you have python you can skip this)

http://repository.slacky.eu/slackware-12.1/system/fail2ban/0.8.3/fail2ban-0.8.3-noarch-1cv.tgz

http://slackware.org.uk/slacky/slackware64-14.1/libraries/geoip/1.5.1/geoip-1.5.1-x86_64-1sl.txz (optional)

 

Put python and geoip in /boot/extra.

 

My go file to install & run fail2ban:

# Wait until the array is started
until grep -q -a "STARTED" /proc/mdcmd 2>/dev/null; do
  echo ">>>waiting..."
  sleep 5
done
echo ">>>STARTED."

# Install fail2ban, copy the local config files, then start it
installpkg /boot/custom/fail2ban-0.8.3-noarch-1cv.tgz | logger -t fail2ban
chmod 755 /etc/rc.d/rc.fail2ban
cp -r /boot/custom/fail2ban /etc
/etc/rc.d/rc.fail2ban start | logger -t fail2ban

 

a few modifications to vsftp.conf:

syslog_enable=NO
log_ftp_protocol=YES
xferlog_enable=YES
xferlog_std_format=NO
xferlog_file=/var/log/vsftpd.log

 

fail2ban advises not to change the .conf files; instead, use .local files for your changes.

I put my .local files in /boot/custom/fail2ban/, /boot/custom/fail2ban/action.d/ and /boot/custom/fail2ban/filter.d.

Make sure your .local files' permissions are appropriate.

 

/fail2ban/jail.local:

# Fail2Ban configuration file

[DEFAULT]

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = polling


# Do not ban anybody. Just report information about the remote host.
# A notification is sent at most every 600 seconds (bantime).

[vsftpd-notification]

enabled  = false
filter   = vsftpd
action   = pushover-notify[name=VSFTPD]
logpath  = /var/log/vsftpd.log
maxretry = 3
bantime  = 60

# Same as above but with banning the IP address.

[vsftpd-iptables]

enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           pushover-notify[name=VSFTPD]
logpath  = /var/log/vsftpd.log
maxretry = 3
bantime  = 1800

 

/fail2ban/filter.d/vsftpd.local

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 658 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
            \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
            \S*\s*Client "<HOST>", "530 Permission denied."$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 

 

/fail2ban/action.d/pushover-notify.local (to use Pushover notifications; if you don't, you have to modify jail.local):

# Fail2Ban configuration file
#

[Definition]
# Notify on Startup
actionstart = /usr/bin/curl -s -F "token=<token>"  -F "user=<user>" -F "title=Startup" -F "message=Jail <name> has been started successfully." https://api.pushover.net/1/messages
# Notify on Shutdown
actionstop = /usr/bin/curl -s -F "token=<token>"  -F "user=<user>" -F "title=Shutdown" -F "message=Jail <name> has been stopped." https://api.pushover.net/1/messages
# 
actioncheck = 
# Notify on Banned
actionban = /usr/bin/curl -s -F "token=<token>"  -F "user=<user>" -F "title=Banned <name>" -F "message=Banned IP: <ip> Attempts: <failures> `geoiplookup <ip>`" https://api.pushover.net/1/messages
# Notify on Unbanned
actionunban = /usr/bin/curl -s -F "token=<token>"  -F "user=<user>" -F "title=Unbanned <name>" -F "message=Unbanned IP: <ip> Attempts: <failures> `geoiplookup <ip>`" https://api.pushover.net/1/messages

[init]
# Default name of the chain
#
name = default

# Application token key
#
token = your_token_here

# User API key
#
user = your_api_key_here

 

After completing the steps, either restart your server or manually install the needed packages and run the lines we just added to the go file.

 

Some Important Notes:

- I can't find the latest compiled Slackware package for fail2ban, so this is not an up-to-date version.

- vsftp doesn't log wrong password attempts properly (I guess this is an unraid issue; I googled it but can't find anything). So with this setup and regex I can only ban wrong-user attempts; because of that I removed admin from the vsftp users.

 

Hope this will help somebody to install & run fail2ban and to develop a plugin.
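
Added example (not part of the original post, and not fail2ban's own code): a simplified Python model of the filter and jail above, useful for checking which log lines the three failregex patterns actually catch before relying on the ban. It expands `<HOST>` as described in the filter's comment and counts matches against the `maxretry` and `findtime` values from jail.local; the log lines are constructed, and the names `match_host` and `hosts_to_ban` are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# <HOST> alias as described in the comment of filter.d/vsftpd.local.
HOST = r'(?:::f{4,6}:)?(?P<host>\S+)'
# The three failregex lines from the filter, with <HOST> expanded.
FAILREGEX = [re.compile(p.replace('<HOST>', HOST)) for p in (
    r'vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$',
    r'\[.+\] FAIL LOGIN: Client "<HOST>"\s*$',
    r'\S*\s*Client "<HOST>", "530 Permission denied."$',
)]
MAXRETRY, FINDTIME = 3, 600  # maxretry / findtime values from jail.local

# Constructed sample lines in vsftpd's log layout (not taken from a real server).
SAMPLE_LOG = '''\
Mon Jan  6 12:00:01 2014 [pid 4101] [admin] FAIL LOGIN: Client "192.0.2.10"
Mon Jan  6 12:00:05 2014 [pid 4102] FTP response: Client "192.0.2.10", "530 Permission denied."
Mon Jan  6 12:00:09 2014 [pid 4103] [alice] OK LOGIN: Client "198.51.100.7"
Mon Jan  6 12:00:20 2014 [pid 4104] FTP response: Client "203.0.113.5", "530 Login incorrect."
Mon Jan  6 12:01:30 2014 [pid 4105] [root] FAIL LOGIN: Client "192.0.2.10"
Mon Jan  6 12:30:00 2014 [pid 4106] [test] FAIL LOGIN: Client "203.0.113.5"
'''

def match_host(line):
    """Return the offending host if any failregex matches, else None."""
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            return m.group('host')
    return None

def hosts_to_ban(log_text):
    """Simplified jail model: ban after MAXRETRY matches within FINDTIME seconds."""
    hits, banned = defaultdict(deque), []
    for line in log_text.splitlines():
        host = match_host(line)
        if host is None:
            continue
        ts = datetime.strptime(line[:24], '%a %b %d %H:%M:%S %Y')
        window = hits[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > FINDTIME:
            window.popleft()  # forget failures older than findtime
        if len(window) >= MAXRETRY and host not in banned:
            banned.append(host)
    return banned
```

On the constructed log, only 192.0.2.10 reaches three matches inside the window; the "530 Login incorrect." response line matches none of the three patterns, so it never counts toward a ban.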

Archived

This topic is now archived and is closed to further replies.
