Tried a python regex
Hi,
This is the python regex I have tried, which matches everything I need (I believe):
"vsftpd-FailSyslog":
r'... .?\d \d\d:\d\d:\d\d \S{8} vsftpd: pam\Dunix\Dvsftpd:auth\D: .*? failure\D logname= uid=\d euid=\d tty=ftp ruser=.*? rhost={HOST_IP}$',
it was:
r'{LOG_PREFIX{vsftpd}} .* FAIL LOGIN: Client "{HOST_IP}"$',
but when I try to FTP in many times with failed attempts, blockhosts doesn't watch/block the IP.
I've spent some hours on this already and am no closer to resolving it.
Any help is appreciated.
Michael.
here's the pattern
Hi, Thanks for that pattern.
Hi,
Thanks for that pattern. I did add it into blockhosts.conf the day you posted it, so just had to wait till another attack happened.
Currently the attack is on-going and blockhosts is missing it (from /var/log/secure):
Oct 16 18:23:10 server vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=guest rhost=202.55.176.81
Oct 16 18:23:10 server vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user guest
Oct 16 18:23:10 server vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Oct 16 18:23:10 server vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=guest rhost=202.55.176.81
Oct 16 18:23:10 server vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user guest
Oct 16 18:23:14 server vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Oct 16 18:23:14 server vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=guest rhost=202.55.176.81
Oct 16 18:23:14 server vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user guest
Oct 16 18:23:15 server vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Oct 16 18:23:15 server vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=guest rhost=202.55.176.81
Oct 16 18:23:15 server vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user guest
My vsftpd section in the blockhosts.conf file is:
"vsftpd-pam-unix-Fail":
r'{LOG_PREFIX{vstfpd}} pam_unix\(vsftpd:auth\): authentication failure; logname= .* rhost={HOST_IP}$',
"vsftpd-FailSyslog":
r'{LOG_PREFIX{vsftpd}} .* FAIL LOGIN: Client "{HOST_IP}"$',
# vsftpd.log line, uses different prefix, so no LOG_PREFIX used below:
"vsftpd-FailVsftpd":
r'... ... .?\d \d\d:\d\d:\d\d \d{4} .* FAIL LOGIN: Client "{HOST_IP}"$',
and my enabled rules line is:
ENABLE_RULES = r'(?i)(sshd|.*ftpd).*' # default (?i) for IGNORECASE matching
Any ideas what is wrong?
blockhosts does work for ssh attempts, just not for vsftpd.
Thanks.
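To see whether a blockhosts-style pattern really matches lines like the ones above, the following is an added, self-contained check (example code written for this thread, not part of blockhosts or any poster's configuration). It expands the `{LOG_PREFIX{name}}` and `{HOST_IP}` placeholders with an assumed syslog-prefix expansion (the real macro's definition is not shown on this page, so this is a stand-in; the `[pid]` part is made optional as an assumption), applies the `(?i)` rule-enable filter from the config, and counts failures per `rhost` over constructed log lines copied from this thread. Running both the posted `vstfpd` pattern and a corrected `vsftpd` spelling side by side makes the difference visible.

```python
import re
from collections import Counter

# ASSUMPTION for this example: a stand-in for blockhosts' {LOG_PREFIX{name}} macro.
# It matches a syslog prefix "Mon DD HH:MM:SS host name[pid]:", with "[pid]" optional.
def log_prefix(name):
    return r"... .?\d \d\d:\d\d:\d\d \S+ " + re.escape(name) + r"(?:\[\d+\])?:"

# Named group so the matched remote address can be extracted.
HOST_IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

def expand(template):
    """Replace {LOG_PREFIX{name}} and {HOST_IP} in a blockhosts-style pattern string."""
    out = re.sub(r"\{LOG_PREFIX\{(\w+)\}\}", lambda m: log_prefix(m.group(1)), template)
    return out.replace("{HOST_IP}", HOST_IP)

# The pattern as posted above (note the "vstfpd" spelling) and a corrected spelling.
TYPO_PATTERN = r'{LOG_PREFIX{vstfpd}} pam_unix\(vsftpd:auth\): authentication failure; logname= .* rhost={HOST_IP}$'
FIXED_PATTERN = r'{LOG_PREFIX{vsftpd}} pam_unix\(vsftpd:auth\): authentication failure; logname= .* rhost={HOST_IP}$'

# ENABLE_RULES line from the posted blockhosts.conf, used to filter rule names.
ENABLE_RULES = r'(?i)(sshd|.*ftpd).*'

def rule_enabled(rule_name):
    """True if a rule name such as "vsftpd-pam-unix-Fail" passes ENABLE_RULES."""
    return re.match(ENABLE_RULES, rule_name) is not None

# Constructed sample: lines taken from this thread, plus one with a "[pid]" suffix
# added to exercise the optional-pid part of the assumed prefix.
SAMPLE_LOG = """\
Oct 16 18:23:10 server vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=guest rhost=202.55.176.81
Oct 16 18:23:10 server vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user guest
Oct 16 18:23:14 server vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Oct 16 18:23:14 server vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=guest rhost=202.55.176.81
Nov  5 03:41:10 myhost vsftpd[4242]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=219.94.131.160
"""

def count_failures(log_text, template):
    """Return {ip: number of lines matching the pattern}, anchored at line start,
    case-insensitive to mirror the (?i) default in ENABLE_RULES."""
    regex = re.compile(expand(template), re.IGNORECASE)
    counts = Counter()
    for line in log_text.splitlines():
        m = regex.match(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)

if __name__ == "__main__":
    print("rule enabled:", rule_enabled("vsftpd-pam-unix-Fail"))
    print("typo pattern :", count_failures(SAMPLE_LOG, TYPO_PATTERN))
    print("fixed pattern:", count_failures(SAMPLE_LOG, FIXED_PATTERN))
```

The `rule_enabled` result shows that `ENABLE_RULES` is not what filters the vsftpd rule out; the typo'd pattern matches no line at all, while the corrected spelling matches every `authentication failure` line and ignores the `check pass` and `pam_succeed_if` noise between them.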
pattern working or not?
1) Look at the hosts.allow file, does that file show the IP address in the blocked list?
if not, then there is probably a problem with the pattern, or blockhosts is not reading the log file (not configured, etc).
2) If the IP address is there but vsftpd is not being blocked, then vsftpd is not using TCP wrappers. There are other messages in this forum pointing out problems with older versions of vsftpd which do not exit but continue to allow login attempts for ever.
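Step 1 above is a file check that is easy to script. The following is an added example (not blockhosts code) that parses a `hosts.allow` in the standard `daemon_list : client_list [: option]` form from hosts_access(5) and reports whether a given IP is denied for `ALL` daemons. The sample file content is constructed; its `ALL: <ip> : deny` lines are an assumption about the shape of the entries, not copied from a real blockhosts-maintained file.

```python
import re

# Constructed sample in hosts_access(5) syntax; the "deny" lines are assumed to be
# the shape blockhosts writes, and the marker comment is invented for this example.
SAMPLE_HOSTS_ALLOW = """\
sshd: 192.0.2.0/24 : allow
# --- entries below assumed to be maintained by blockhosts (example only) ---
ALL: 202.55.176.81 : deny
ALL: 219.94.131.160 : deny
"""

def denied_clients(hosts_allow_text):
    """Return the set of client patterns that hosts.allow denies for ALL daemons."""
    denied = set()
    for raw in hosts_allow_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        # Need daemon_list, client_list and an option; only "ALL ... deny" counts here.
        if len(fields) < 3 or fields[0].upper() != "ALL" or fields[2].lower() != "deny":
            continue
        # client_list entries are separated by blanks and/or commas.
        denied.update(c for c in re.split(r"[,\s]+", fields[1]) if c)
    return denied

def is_blocked(hosts_allow_text, ip):
    """True if the exact IP appears in an 'ALL: ... : deny' entry."""
    return ip in denied_clients(hosts_allow_text)

if __name__ == "__main__":
    for ip in ("202.55.176.81", "192.0.2.5"):
        print(ip, "blocked" if is_blocked(SAMPLE_HOSTS_ALLOW, ip) else "not blocked")
```

If the attacking IP is reported as blocked here but new login attempts from it still reach vsftpd, the entry is present and the next thing to check is whether the daemon consults TCP wrappers at all, which is exactly step 2.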
Hi, For 1., I think you've
Hi,
For 1., I think you've just found the problem. Yes it is part of the hosts.allow file and in checking my setup I realised vsftpd is running as its own service and not through xinetd. I'm pretty sure that's the problem so I will change vsftpd now to run through xinetd which will use tcpwrappers and (hopefully) properly block these attempts.
If the problem persists after I make vsftpd run through xinetd then I'll go through the forums and see if the version I am running is too old. It's what comes with RHEL 5:
vsftpd-2.0.5-12.el5.x86_64
Thanks for your help.
regex doesn't catch this
Nov 5 03:41:10 myhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=219.94.131.160
Is the lack of [pid] making the difference? I have 2283 of those in my /var/log/secure that are being ignored.
never mind
Might help to notice the typo of vstfp in the regex and correct it. My bad.