Fail2ban does not work with proftpd. It does not ban bots
How do I configure fail2ban to work with proftpd? fail2ban works well with dovecot, exim and sshd with the default settings. It bans IPs. I enabled proftpd. It does not ban bots. The server is CentOS 7.
Sample log \var\log\proftpd\proftpd.log
2022-06-09 12:43:57,566 v247654 proftpd[7420] 0.0.0.0 (141.98.10.42[141.98.10.42]): SSH2 session opened.
2022-06-09 12:44:01,353 v247654 proftpd[7420] 0.0.0.0 (141.98.10.42[141.98.10.42]): crypt(3) failed: Invalid argument
2022-06-09 12:44:01,354 v247654 proftpd[7420] 0.0.0.0 (141.98.10.42[141.98.10.42]): USER bin (Login failed): Incorrect password
2022-06-09 12:44:02,759 v247654 proftpd[7420] 0.0.0.0 (141.98.10.42[141.98.10.42]): SSH2 session closed.
2022-06-09 12:58:47,040 v247654 proftpd[8174] 0.0.0.0 (141.98.10.42[141.98.10.42]): SSH2 session opened.
2022-06-09 12:58:50,604 v247654 proftpd[8174] 0.0.0.0 (141.98.10.42[141.98.10.42]): USER abc123: no such user found from 141.98.10.42 [141.98.10.42] to ::ffff:178.208.37.28:2222
2022-06-09 12:58:51,371 v247654 proftpd[8174] 0.0.0.0 (141.98.10.42[141.98.10.42]): SSH2 session closed.
2022-06-09 13:13:47,447 v247654 proftpd[8862] 0.0.0.0 (141.98.10.42[141.98.10.42]): SSH2 session opened.
2022-06-09 13:13:50,730 v247654 proftpd[8862] 0.0.0.0 (141.98.10.42[141.98.10.42]): USER admin: no such user found from 141.98.10.42 [141.98.10.42] to ::ffff:178.208.37.28:2222
2022-06-09 13:13:51,416 v247654 proftpd[8862] 0.0.0.0 (141.98.10.42[141.98.10.42]): SSH2 session closed.
2022-06-09 13:28:39,057 v247654 proftpd[9755] 0.0.0.0 (141.98.10.42[141.98.10.42]): SSH2 session opened.
2022-06-09 13:28:40,913 v247654 proftpd[9755] 0.0.0.0 (141.98.10.42[141.98.10.42]): USER root (Login failed): Incorrect password
proftpd settings in etc\fail2ban\jail.local
[proftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(proftpd_log)s
backend = %(proftpd_backend)s
proftpd settings in etc\fail2ban\filter.d\proftpd.conf
[INCLUDES]
before = common.conf
[Definition]
_daemon = proftpd
__suffix_failed_login = ([uU]ser not authorized for login|[nN]o such user found|[iI]ncorrect password|[pP]assword expired|[aA]ccount disabled|[iI]nvalid shell: '\S+'|[uU]ser in \S+|[lL]imit (access|configuration) denies login|[nN]ot a UserAlias|[mM]aximum login length exceeded)
prefregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ <F-CONTENT>(?:USER|SECURITY|Maximum) .+</F-CONTENT>$
failregex = ^USER <F-USER>\S+|.*?</F-USER>(?: \(Login failed\))?: %(__suffix_failed_login)s
            ^SECURITY VIOLATION: <F-USER>\S+|.*?</F-USER> login attempted
            ^Maximum login attempts \(\d+\) exceeded
ignoreregex =
[Init]
journalmatch = _SYSTEMD_UNIT=proftpd.service
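An added example, not part of the original question and not fail2ban's own code: a Python check that applies a simplified stand-in for the filter's USER failregex to the log lines quoted above and counts failures per host inside a sliding findtime window. The prefix pattern is a hand-written approximation of `__prefix_line`, the function names are hypothetical, and the `maxretry`/`findtime` values passed in are assumptions, since the jail.local shown sets neither.

```python
import re
from datetime import datetime, timedelta

# Log lines copied from the question; attempts arrive roughly 15 minutes apart.
LOG = [
    "2022-06-09 12:43:57,566 v247654 proftpd[7420] 0.0.0.0 (141.98.10.42[141.98.10.42]): SSH2 session opened.",
    "2022-06-09 12:44:01,353 v247654 proftpd[7420] 0.0.0.0 (141.98.10.42[141.98.10.42]): crypt(3) failed: Invalid argument",
    "2022-06-09 12:44:01,354 v247654 proftpd[7420] 0.0.0.0 (141.98.10.42[141.98.10.42]): USER bin (Login failed): Incorrect password",
    "2022-06-09 12:58:50,604 v247654 proftpd[8174] 0.0.0.0 (141.98.10.42[141.98.10.42]): USER abc123: no such user found from 141.98.10.42 [141.98.10.42] to ::ffff:178.208.37.28:2222",
    "2022-06-09 13:13:50,730 v247654 proftpd[8862] 0.0.0.0 (141.98.10.42[141.98.10.42]): USER admin: no such user found from 141.98.10.42 [141.98.10.42] to ::ffff:178.208.37.28:2222",
    "2022-06-09 13:28:40,913 v247654 proftpd[9755] 0.0.0.0 (141.98.10.42[141.98.10.42]): USER root (Login failed): Incorrect password",
]

# __suffix_failed_login trimmed to the two messages present in the sample.
SUFFIX = r"(?:[nN]o such user found|[iI]ncorrect password)"
# Approximation (assumption) of date + __prefix_line, then the page's prefregex/failregex shape.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ \S+ proftpd\[\d+\] \S+ "
    r"\(\S+\[(?P<host>[\d.]+)\]\)[: -]+ "
    r"USER (?P<user>\S+|.*?)(?: \(Login failed\))?: " + SUFFIX
)

def failures(lines):
    """Return (timestamp, host, user) for every line the failure pattern matches."""
    found = []
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            found.append((ts, m["host"], m["user"]))
    return found

def would_ban(fails, maxretry, findtime):
    """Hosts that reach maxretry failures within any window of length findtime."""
    banned, recent = set(), {}
    for ts, host, _user in sorted(fails):
        window = recent.setdefault(host, [])
        window.append(ts)
        while ts - window[0] > findtime:  # forget failures older than findtime
            window.pop(0)
        if len(window) >= maxretry:
            banned.add(host)
    return banned

if __name__ == "__main__":
    fails = failures(LOG)
    print(len(fails), "failures matched")
    print("ban with maxretry=2, findtime=10m:", would_ban(fails, 2, timedelta(minutes=10)))
    print("ban with maxretry=3, findtime=1h: ", would_ban(fails, 3, timedelta(hours=1)))
```

On the server itself, `fail2ban-regex /var/log/proftpd/proftpd.log /etc/fail2ban/filter.d/proftpd.conf` runs the real filter against the real log file.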