Hallo,
vielleicht hat das der ein oder andere schon erlebt. Via Filezilla auf den FTP-Server verbunden, nach ein paar Verzeichniswechsel geht nichts mehr. IP gebannt. Verbunden wird via TLS.
Fail2ban loggt fleißig mit. Es greift der "pam-generic"-Filter.
Code
- Lines containing IP:555.555.555.555 in /var/log/auth.logJun 14 18:34:18 lol proftpd[26603]: 123.123.123.123 (555.555.555.555[555.555.555.555]) - USER [email protected]: Login successful.Jun 14 18:34:54 lol proftpd[26614]: 123.123.123.123 (555.555.555.555[555.555.555.555]) - USER [email protected]: Login successful.Jun 14 18:35:30 lol proftpd[28289]: 123.123.123.123 (555.555.555.555[555.555.555.555]) - USER [email protected]: Login successful.Jun 14 18:35:30 lol proftpd[28290]: 123.123.123.123 (555.555.555.555[555.555.555.555]) - USER [email protected]: Login successful.Jun 14 18:37:57 lol proftpd[28303]: 123.123.123.123 (555.555.555.555[555.555.555.555]) - USER [email protected]: Login successful.
Interessant ist, dass fail2ban hier "Login successful"-Meldungen loggt und dann bannt.
In der auth.log findet sich folgendes:
Code
- Jun 14 18:34:15 lol proftpd: pam_unix(proftpd:auth): check pass; user unknown
- Jun 14 18:34:15 lol proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd26603 [email protected] rhost=555.555.555.555
- Jun 14 18:34:18 lol proftpd[26603]: 123.123.123.123 (555.555.555.555[555.555.555.555]) - USER [email protected]: Login successful.
- Jun 14 18:34:47 lol postfix/smtpd[26605]: sql auxprop plugin using mysql engine
- Jun 14 18:34:47 lol postfix/smtpd[26605]: looking for plugins in '/usr/lib/sasl2', failed to open directory, error: No such file or directory
- Jun 14 18:34:48 lol postfix/smtpd[26611]: sql auxprop plugin using mysql engine
- Jun 14 18:34:48 lol postfix/smtpd[26611]: looking for plugins in '/usr/lib/sasl2', failed to open directory, error: No such file or directory
- Jun 14 18:34:52 lol proftpd: pam_unix(proftpd:auth): check pass; user unknown
- Jun 14 18:34:52 lol proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd28605 [email protected] rhost=555.555.555.555
- Jun 14 18:34:54 lol proftpd[26614]: 123.123.123.123 (555.555.555.555[555.555.555.555]) - USER [email protected]: Login successful.
- Jun 14 18:35:28 lol proftpd: pam_unix(proftpd:auth): check pass; user unknown
- Jun 14 18:35:28 lol proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd28609 [email protected] rhost=555.555.555.555
- Jun 14 18:35:28 lol proftpd: pam_unix(proftpd:auth): check pass; user unknown
- Jun 14 18:35:28 lol proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd28615 [email protected] rhost=555.555.555.555
- Jun 14 18:35:30 lol proftpd[28289]: 123.123.123.123 (555.555.555.555[555.555.555.555]) - USER [email protected]: Login successful.
- Jun 14 18:35:30 lol proftpd[28290]: 123.123.123.123 (555.555.555.555[555.555.555.555]) - USER [email protected]: Login successful.
- Jun 14 18:37:55 lol proftpd: pam_unix(proftpd:auth): check pass; user unknown
- Jun 14 18:37:55 lol proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd28617 [email protected] rhost=555.555.555.555
- Jun 14 18:37:57 lol proftpd[28303]: 123.123.123.123 (555.555.555.555[555.555.555.555]) - USER [email protected]: Login successful.
Interessant hier sind die Einträge:
- pam_unix(proftpd:auth): check pass; user unknown <---------- obwohl Benutzer bekannt, da über i-mscp angelegt
- looking for plugins in '/usr/lib/sasl2', failed to open directory, error: No such file or directory
Verwendet wird i-mscp 1.2.17 mit Jessie.
Danke.