Logdatei Proftpd

  • Hat jemand eine Ahnung, wohin Proftpd seine Logs fehlgeschlagener Anmeldungen schreibt?


    Ich benutze fail2ban, aber in die proftpd.log loggt er nicht; ich habe keine Ahnung, wohin sonst.


    Durch fail2ban werden IP-Adressen gesperrt, die x-mal versuchen, auf einen bestimmten Dienst zuzugreifen, in diesem Fall auf den proftpd-Dienst.
    Hab es mit der auth.log versucht, ging aber nicht, da jede Aktion am FTP-Client einen Eintrag verursacht und dadurch die IP-Adresse gesperrt wird.


    Sprich, ich will nur, dass falsche Anmeldungen in der Datei gespeichert werden.


    Danke für die Hilfe

  • Hallo,


    Ich wüsste jetzt nicht, was gegen die auth.log spricht. fail2ban nutzt den Filter proftpd.conf, sofern richtig konfiguriert, und dort werden nur die negativen Einträge getriggert. Erfolgreiche Logins werden von fail2ban ignoriert.


    Wenn das bei Dir nicht so sein sollte, ist bei fail2ban etwas falsch. Dazu benötigen wir aber mal Deine Configs.


    Grüße
    Chris

  • Hier die jail.conf


    # Fail2Ban configuration file.
    #
    # This file was composed for Debian systems from the original one
    # provided now under /usr/share/doc/fail2ban/examples/jail.conf
    # for additional examples.
    #
    # To avoid merges during upgrades DO NOT MODIFY THIS FILE
    # and rather provide your changes in /etc/fail2ban/jail.local
    #
    # Author: Yaroslav O. Halchenko <debian@onerussian.com>
    #
    # $Revision: 281 $
    #


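    # The DEFAULT section holds global values; every option here can be
    # overridden in an individual jail section afterwards.
    [DEFAULT]

    # Hosts that are never banned. "ignoreip" can be an IP address, a CIDR
    # mask or a DNS host.
    # NOTE(review): only localhost is exempted, so a mistyped password from
    # the administrator's own workstation is banned like any other client;
    # consider adding the management host(s) here to avoid a self-lockout.
    ignoreip = 127.0.0.1
    # Window, in seconds, within which "maxretry" failures trigger a ban
    # (86400 = 24 hours).
    findtime = 86400
    # Duration of a ban, in seconds (1800 = 30 minutes).
    bantime = 1800
    # Failures allowed inside "findtime" before the host is banned.
    maxretry = 3

    # "backend" specifies the backend used to detect log file modifications.
    # Available options are "gamin", "polling" and "auto".
    # yoh: For some reason the Debian-shipped python-gamin didn't work as
    # expected. This issue is left as a ToDo, so polling is the default
    # backend for now.
    backend = polling

    # Destination email address, used solely for the interpolations in the
    # jail.{conf,local} configuration files (the *-whois actions below send
    # their reports there).
    destemail = office@wolz.at

    #
    # ACTIONS
    #

    # Default banning action (e.g. iptables, iptables-new,
    # iptables-multiport, shorewall, etc). It is used to define the
    # action_* variables and can be overridden globally or per
    # section within the jail.local file.
    banaction = iptables-multiport

    # Email action. Since 0.8.1 upstream fail2ban uses the sendmail
    # MTA for mailing. Change the mta configuration parameter to "mail"
    # if you want to revert to the conventional 'mail' command.
    mta = sendmail

    # Default protocol
    protocol = tcp

    #
    # Action shortcuts, used to define the "action" parameter.
    # Multi-line values: every action after the first is a continuation
    # line and MUST be indented deeper than its key; at the same indent the
    # parser reads it as a separate option and the e-mail part of the
    # shortcut is silently lost.
    # NOTE(review): the quote after protocol="%(protocol)s is unbalanced on
    # all three shortcuts; it is reproduced as pasted — compare with the
    # installed jail.conf before relying on it.

    # The simplest action to take: ban only
    action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]

    # Ban & send an e-mail with a whois report to the destemail.
    action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
        %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]

    # Ban & send an e-mail with a whois report and the relevant log lines
    # to the destemail.
    action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
        %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]

    # Choose the default action. To change it, override the value of
    # 'action' with the interpolation of the chosen shortcut (e.g.
    # action_mw, action_mwl, etc) in jail.local, globally (section
    # [DEFAULT]) or per specific section.
    action = %(action_)s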


    #
    # JAILS
    #


    # The following jails correspond to the standard configuration in Fail2ban 0.6 which
    # was shipped in Debian. Enable any jail defined here by including
    #
    # [SECTION_NAME]
    # enabled = true


    #
    # in /etc/fail2ban/jail.local.
    #
    # Optionally you may override any other parameter (e.g. banaction,
    # action, port, logpath, etc) in that section within jail.local


    # SSH daemon: four failures within "findtime" ban the client on the ssh
    # port (this overrides the global maxretry of 3).
    [ssh]
    enabled = true
    filter = sshd
    logpath = /var/log/auth.log
    port = ssh
    maxretry = 4


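    # Generic filter for pam. Has to be used with an action which bans all
    # ports, such as iptables-allports or shorewall.
    [pam-generic]
    enabled = false
    # The pam-generic filter can be customized to monitor a specific subset of 'tty's
    filter = pam-generic
    # The port is irrelevant for an all-ports action. Only one "port" key is
    # kept: the original carried both "port = all" and "port = anyport",
    # which strict parsers reject as a duplicate and lenient ones resolve to
    # the last value, so "anyport" is the effective one either way.
    port = anyport
    banaction = iptables-allports
    logpath = /var/log/auth.log
    maxretry = 6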


    # xinetd failures read from the daemon log; two failures ban the client.
    # Overrides the global banaction with iptables-multiport-log. Disabled.
    [xinetd-fail]
    enabled = false
    filter = xinetd-fail
    logpath = /var/log/daemon.log
    port = all
    banaction = iptables-multiport-log
    maxretry = 2


    # SSH with the sshd-ddos filter on the same auth log as [ssh]; six
    # failures within "findtime" ban the client on the ssh port.
    [ssh-ddos]
    enabled = true
    filter = sshd-ddos
    logpath = /var/log/auth.log
    port = ssh
    maxretry = 6


    #
    # HTTP servers
    #


    # Apache authentication failures (apache-auth filter) taken from every
    # Apache error log; bans http and https. Disabled here — the enabled
    # twin of this jail is [apache-multiport].
    [apache]
    enabled = false
    filter = apache-auth
    logpath = /var/log/apache*/*error.log
    port = http,https
    maxretry = 6


    # The default action is now multiport, so the apache-multiport jail was
    # kept for compatibility with previous (<0.7.6-2) releases. This is the
    # enabled Apache jail; it uses the same apache-auth filter and error
    # logs as [apache].
    [apache-multiport]
    enabled = true
    filter = apache-auth
    logpath = /var/log/apache*/*error.log
    port = http,https
    maxretry = 6


    # Apache, apache-noscript filter on the error logs; six failures ban the
    # client on http and https. Disabled.
    [apache-noscript]
    enabled = false
    filter = apache-noscript
    logpath = /var/log/apache*/*error.log
    port = http,https
    maxretry = 6


    # Apache, apache-overflows filter on the error logs; the lower maxretry
    # of 2 bans after the second match. Disabled.
    [apache-overflows]
    enabled = false
    filter = apache-overflows
    logpath = /var/log/apache*/*error.log
    port = http,https
    maxretry = 2


    #
    # FTP servers
    #


    # vsftpd: watches vsftpd's own log and bans on the FTP ports. Disabled.
    [vsftpd]
    enabled = false
    filter = vsftpd
    # Alternatively override this in jail.local to
    # logpath = /var/log/auth.log
    # if you want to rely on PAM failed login attempts;
    # vsftpd's failregex should match both of those formats.
    logpath = /var/log/vsftpd.log
    port = ftp,ftp-data,ftps,ftps-data
    maxretry = 6



    # proftpd: enabled; six matching failures ban the client on the FTP ports.
    # NOTE(review): the proftpd filter's failregex matches proftpd's own
    # "(user[host]) ... USER ... (Login failed)" style lines, and nothing
    # else in the watched file triggers a ban. Make sure logpath names the
    # file proftpd actually writes those lines to (its SystemLog / syslog
    # settings decide that) — TODO confirm on this host.
    [proftpd]
    enabled = true
    filter = proftpd
    logpath = /var/log/auth.log
    port = ftp,ftp-data,ftps,ftps-data
    maxretry = 6



    # wu-ftpd: failures read from the auth log; bans on the FTP ports.
    # Disabled.
    [wuftpd]
    enabled = false
    filter = wuftpd
    logpath = /var/log/auth.log
    port = ftp,ftp-data,ftps,ftps-data
    maxretry = 6



    #
    # Mail servers
    #


    # Postfix: enabled, bans on smtp and ssmtp. No maxretry is set here, so
    # the global value of 3 applies.
    [postfix]
    enabled = true
    filter = postfix
    logpath = /var/log/mail.log
    port = smtp,ssmtp



    # Courier SMTP: same mail log and ports as [postfix]; disabled. Without a
    # maxretry of its own the global value of 3 applies.
    [couriersmtp]
    enabled = false
    filter = couriersmtp
    logpath = /var/log/mail.log
    port = smtp,ssmtp



    #
    # Mail servers authenticators: might be used for smtp,ftp,imap servers, so
    # all relevant ports get banned
    #


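    # Courier login failures; bans every mail port that shares the
    # authenticator (smtp, imap, pop3). Disabled here; the global maxretry
    # of 3 applies.
    [courierauth]
    enabled = false
    filter = courierlogin
    # The pasted copy had "[5~" glued in front of this key (looks like a
    # stray terminal key sequence), so the option was not named "logpath"
    # at all and the jail would start without a log to watch. Restored to
    # the intended key.
    logpath = /var/log/mail.log
    port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s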



    # SASL authentication failures from the mail log; enabled, bans on all
    # mail ports. The global maxretry of 3 applies.
    [sasl]
    enabled = true
    filter = sasl
    # You might consider monitoring /var/log/warn.log instead
    # if you are running postfix. See http://bugs.debian.org/507990
    logpath = /var/log/mail.log
    port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s



    # DNS Servers



    # These jails block attacks against named (bind9). By default, logging is off
    # with bind9 installation. You will need something like this:
    #
    # logging {
    # channel security_file {
    # file "/var/log/named/security.log" versions 3 size 30m;
    # severity dynamic;
    # print-time yes;
    # };
    # category security {
    # security_file;
    # };
    # };
    #
    # in your named.conf to provide proper logging


    # !!! WARNING !!!
    # Since UDP is a connectionless protocol, spoofing of IP and imitation
    # of illegal actions is way too simple. Thus enabling of this filter
    # might provide an easy way for implementing a DoS against a chosen
    # victim. See
    # http://nion.modprobe.de/blog/a…-fail2ban-+-dns-fail.html
    # Please DO NOT USE this jail unless you know what you are doing.
    #[named-refused-udp]
    #
    #enabled = false
    #port = domain,953
    #protocol = udp
    #filter = named-refused
    #logpath = /var/log/named/security.log


    # bind9 "refused" messages, TCP only (the UDP variant above is left
    # commented out on purpose, see the warning). Disabled; the global
    # maxretry of 3 applies.
    [named-refused-tcp]
    enabled = false
    filter = named-refused
    logpath = /var/log/named/security.log
    port = domain,953
    protocol = tcp

  • Hier die proftpd.conf aus dem Verzeichnis filter.d


    # Fail2Ban configuration file
    #
    # Author: Yaroslav Halchenko
    #
    # $Revision$
    #


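    [Definition]

    # Option: failregex
    # Notes.: regex to match the password failure messages in the logfile. The
    # host must be matched by a group named "host". The tag "<HOST>" can
    # be used for standard IP/hostname matching and is only an alias for
    # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Every pattern after the first is a continuation line of the same
    # value and MUST be indented deeper than the "failregex" key; at the
    # key's indent the parser does not treat it as part of the value.
    # Values: TEXT
    #
    failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+ *$
        \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): .*$
        \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\. *$
        \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$

    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Left empty here, so no matching line is exempted.
    # Values: TEXT
    #
    ignoreregex =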