
The fail2ban vsftpd default config doesn't take care of blocking brute force requests when TLS is enabled on vsftpd.
At the moment the vsftpd log only shows the below lines which don't match the regex. Does anyone have a good regex to take care of banning?

```
Fri Mar  3 19:56:16 2017 [pid 19866] CONNECT: Client "39.162.209.108"
Fri Mar  3 19:56:17 2017 [pid 19868] CONNECT: Client "39.162.209.108"
```
Thomas
James
  • 2
    Maybe this will get you started on a suiting regex: http://serverfault.com/questions/641442/fail2ban-does-not-ban-any-ip-adresses-with-vsftpd – Christoph Lösch Mar 04 '17 at 23:45
  • 1
    Possible duplicate of [Fail2ban does not ban any ip-adresses with vsftpd](http://serverfault.com/questions/641442/fail2ban-does-not-ban-any-ip-adresses-with-vsftpd) – iwaseatenbyagrue Mar 06 '17 at 08:28

1 Answer


Got it. When implicit FTP is used, the vsftpd logs don't display failures as they normally do if users attempt to log in without SSL. I had to add the below to the vsftpd config file.

```
log_ftp_protocol=YES
```

Then I added the below to fail2ban's filter for vsftpd.

```
Client "<HOST>", "530 Non-anonymous sessions must use encryption."
Client "<HOST>", "530 Anonymous sessions must use encryption."
```

This will catch users who aren't aware the encryption is needed but for us it is far more likely to catch the constant brute force traffic.

James
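An offline check of the two filter lines from the answer above, added here as an example and not part of the original post: it runs them over a constructed log and counts matches per client, showing that the bare `CONNECT:` lines from the question never match while the `530` responses do. The IPv4-only substitute for `<HOST>`, the sample log lines (assumed shape of vsftpd output with `log_ftp_protocol=YES`) and the function names are assumptions; fail2ban's `findtime` window is not modelled.

```python
import re
from collections import Counter

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption of this sketch).
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'

# The two filter lines from the answer, unchanged.
FAILREGEX = [
    'Client "<HOST>", "530 Non-anonymous sessions must use encryption."',
    'Client "<HOST>", "530 Anonymous sessions must use encryption."',
]

# Constructed sample log (documentation addresses). The "FTP command/response"
# lines are the assumed shape of vsftpd output with log_ftp_protocol=YES.
SAMPLE_LOG = '''\
Fri Mar  3 19:56:16 2017 [pid 19866] CONNECT: Client "203.0.113.7"
Fri Mar  3 19:56:16 2017 [pid 19866] FTP command: Client "203.0.113.7", "USER admin"
Fri Mar  3 19:56:16 2017 [pid 19866] FTP response: Client "203.0.113.7", "530 Non-anonymous sessions must use encryption."
Fri Mar  3 19:56:17 2017 [pid 19868] CONNECT: Client "203.0.113.7"
Fri Mar  3 19:56:17 2017 [pid 19868] FTP response: Client "203.0.113.7", "530 Non-anonymous sessions must use encryption."
Fri Mar  3 19:56:18 2017 [pid 19870] FTP response: Client "203.0.113.7", "530 Non-anonymous sessions must use encryption."
Fri Mar  3 19:57:02 2017 [pid 19901] FTP command: Client "198.51.100.20", "USER anonymous"
Fri Mar  3 19:57:02 2017 [pid 19901] FTP response: Client "198.51.100.20", "530 Anonymous sessions must use encryption."
Fri Mar  3 19:58:40 2017 [pid 19950] FTP response: Client "192.0.2.44", "230 Login successful."
'''

def compile_filters(patterns):
    """Expand <HOST> and compile each filter line as a search pattern."""
    return [re.compile(p.replace('<HOST>', HOST)) for p in patterns]

def failures_per_host(log_text, patterns=FAILREGEX):
    """Count log lines per client address that match any filter line."""
    compiled = compile_filters(patterns)
    hits = Counter()
    for line in log_text.splitlines():
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group('host')] += 1
                break  # one failure per log line, even if several patterns match
    return hits

def hosts_to_ban(log_text, maxretry=3):
    """Addresses whose failure count reaches the jail's maxretry threshold."""
    return sorted(h for h, n in failures_per_host(log_text).items() if n >= maxretry)

if __name__ == '__main__':
    print(dict(failures_per_host(SAMPLE_LOG)))
    print(hosts_to_ban(SAMPLE_LOG))
```

Against a real log, `fail2ban-regex` with the log file and the filter file performs the same check using fail2ban's own `<HOST>` expansion and date handling.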