Hey guys, I run CentOS 5.6 (final), and I just installed fail2ban version 0.8.4-23.el5.
I have set it up to ban SSH and VSFTPD attacks.
As you can see here: http://pastebin.com/RLyzGgBe fail2ban has started correctly, inspecting 2 log files. I checked the paths, both are correct.
Now fail2ban has already blocked a few SSH intruders, but it does not seem to want to block VSFTPD intruders.
When I check the vsftpd logs in real time, some IPs keep slamming my server with wrong logins about every second. So those guys should have been banned already.
I tested fail2ban's vsftpd feature with this command: fail2ban-regex /var/log/vsftpd.log /etc/fail2ban/filter.d/vsftpd.conf
It all seems to be working just fine, output of the test: http://pastebin.com/gQsLjZhX
I already tried: use_localtime=YES
and dual_log_enable=YES
in vsftpd.conf
fail2ban.conf: http://pastebin.com/rQadAxXc
jail.conf: http://pastebin.com/u5ePLXMQ (vsftpd part)
failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
\[.+\] FAIL LOGIN: Client "<HOST>"\s*$
Does anyone know why fail2ban is not banning my vsftpd attackers?
Best Answer
I managed to get it working by using /var/log/secure for the VSFTPD log reading as well. The normal VSFTPD logs should also work, though, as they output similar data. The real problem here must be the failregex. But with /var/log/secure it works.
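To see which of the two failregex lines from the question fires on which log format, here is an added example (not code from the original post or from the fail2ban project) that expands fail2ban's <HOST> placeholder by hand and runs both patterns over constructed sample lines in the /var/log/secure (pam_unix) format and in vsftpd's own log format. The <HOST> expansion used below is the one fail2ban's 0.8-era releases substitute; that is an assumption, so compare it with the filter code of your installed version if results differ. The sample log lines and addresses are constructed, not real traffic.

```python
import re
from collections import Counter

# What fail2ban 0.8-era releases substitute for <HOST> (assumption; check your version).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The two failregex lines exactly as posted in the question.
FAILREGEX = [
    # /var/log/secure style line written by pam_unix on behalf of vsftpd
    r"vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$",
    # vsftpd's own log file ("FAIL LOGIN" entry)
    r'\[.+\] FAIL LOGIN: Client "<HOST>"\s*$',
]

COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]


def match_failure(line):
    """Return (regex_index, host) for the first failregex that matches, else None."""
    for idx, rx in enumerate(COMPILED):
        m = rx.search(line.rstrip("\n"))
        if m:
            return idx, m.group("host")
    return None


def count_failures(lines):
    """Count matched login failures per source host, as fail2ban does before applying maxretry."""
    counts = Counter()
    for line in lines:
        hit = match_failure(line)
        if hit:
            counts[hit[1]] += 1
    return counts


def hosts_to_ban(counts, maxretry=3):
    """Hosts at or above the jail's maxretry (findtime is ignored here; it needs timestamps)."""
    return sorted(h for h, n in counts.items() if n >= maxretry)


# Constructed sample lines (not real traffic); addresses come from the TEST-NET ranges.
SECURE_LINES = [
    "Apr 19 16:00:01 box vsftpd(pam_unix)[2201]: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=ftp rhost=203.0.113.5 user=ftp",
    "Apr 19 16:00:02 box vsftpd(pam_unix)[2202]: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=203.0.113.5 user=admin",
    "Apr 19 16:00:03 box vsftpd(pam_unix)[2203]: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=root rhost=203.0.113.5",
    "Apr 19 16:00:04 box vsftpd(pam_unix)[2204]: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=198.51.100.9 user=test",
    "Apr 19 16:00:05 box sshd[2300]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2",
]

VSFTPD_LINES = [
    'Tue Apr 19 16:00:01 2011 [pid 2201] [ftp] FAIL LOGIN: Client "203.0.113.5"',
    'Tue Apr 19 16:00:02 2011 [pid 2202] [admin] FAIL LOGIN: Client "203.0.113.5"',
    'Tue Apr 19 16:00:03 2011 [pid 2203] [root] FAIL LOGIN: Client "203.0.113.5"',
    'Tue Apr 19 16:00:06 2011 [pid 2205] [bob] OK LOGIN: Client "192.0.2.10"',
]

if __name__ == "__main__":
    for name, lines in (("secure", SECURE_LINES), ("vsftpd.log", VSFTPD_LINES)):
        counts = count_failures(lines)
        print(name, dict(counts), "-> would ban:", hosts_to_ban(counts))
```

Running it shows that the first pattern only ever matches the pam_unix lines and the second only the vsftpd.log lines, and that the same source address reaches maxretry in both files. If a host is counted here but never banned by the running daemon, the difference is in what fail2ban does around the regex (date parsing of the line, findtime, or which logpath the jail actually reads), which is where the /var/log/secure workaround above comes in.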