Score:0

fail2ban not banning "matched" IPs from vsftp log

Using fail2ban to secure the vsftp login:

jail.local

[vsftpd]
enabled = true
bantime  = 600
findtime  = 5000
maxretry = 1
port = ftp,ftp-data
action = iptables-multiport
logpath = /var/log/vsftpd/vsftpd.log

Regex is matching, as you can see here:

fail2ban-regex /var/log/vsftpd/vsftpd.log /etc/fail2ban/filter.d/vsftpd.conf --print-all-matched

Running tests
=============

Use   failregex filter file : vsftpd, basedir: /etc/fail2ban
Use      datepattern : {^LN-BEG} : Default Detectors
Use         log file : /var/log/vsftpd/vsftpd.log
Use         encoding : UTF-8


Results
=======

Failregex: 23 total
|-  #) [# of hits] regular expression
|   2) [23] ^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client "<HOST>"(?:\s*$|,)
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [385] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 385 lines, 0 ignored, 23 matched, 362 missed
[processed in 0.03 sec]

|- Matched line(s):
|  Wed Mar  9 08:36:06 2022 [pid 2619415] [bla] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:36:13 2022 [pid 2619420] [bla] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:36:18 2022 [pid 2619422] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:36:30 2022 [pid 2619425] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:36:37 2022 [pid 2619508] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:36:45 2022 [pid 2619511] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:36:53 2022 [pid 2619514] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:47:39 2022 [pid 2620744] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:47:47 2022 [pid 2620746] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:47:55 2022 [pid 2620748] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:48:03 2022 [pid 2620763] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:48:12 2022 [pid 2620767] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:48:12 2022 [pid 2620766] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:55:07 2022 [pid 2621558] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:55:15 2022 [pid 2621560] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:55:23 2022 [pid 2621562] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:55:23 2022 [pid 2621564] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 08:55:26 2022 [pid 2621566] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 09:36:56 2022 [pid 2627379] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 09:37:48 2022 [pid 2627498] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 09:37:57 2022 [pid 2627500] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 09:37:57 2022 [pid 2627501] [blaas] FAIL LOGIN: Client "some_IP"
|  Wed Mar  9 09:37:58 2022 [pid 2627504] [blaas] FAIL LOGIN: Client "some_IP"
`-
Missed line(s): too many to print.  Use --print-all-missed to print all 362 lines

Checking with fail2ban cli / fail2ban-client status vsftpd

Status for the jail: vsftpd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

Any idea what may cause this not banning the "matched" IPs / how to debug further?

Score:0

Any idea what may cause this not banning the "matched" IPs / how to debug further?

Wrong backend (if it is systemd by default on your system)? Try to specify backend = auto for this jail (it would automatically select file-related monitoring backend).

For other possible reasons see https://github.com/fail2ban/fail2ban/wiki/How-fail2ban-works

Colin
Thank you! This was my issue with trying to put a web app login fail ban together too. I had set up a new Ubuntu server with some existing fail2ban jails for ssh, etc., but the default backend that they all use is apparently systemd. It wasn't all that obvious either from the fail2ban logs. I only noticed it after restarting the fail2ban service and it said it was looking at systemd for my jail even though I had a logpath setting, but no systemd settings for that rule. They could do with a better warning or even an error in that case.
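To make the fix in the answer above concrete, here is the same jail stanza in its two forms. This is an added example, not the asker's file or anything shipped by fail2ban; the path and thresholds are copied from the question, and the only material change is the explicit `backend` line.

```ini
# /etc/fail2ban/jail.local -- added example, not the original poster's file.
# Path and thresholds are the ones shown in the question.

# Weak form: no backend given. If jail.conf or a drop-in under
# /etc/fail2ban/jail.d/ sets "backend = systemd" in [DEFAULT], this jail
# inherits it and watches the journal only. logpath is then never read,
# and "fail2ban-client status vsftpd" shows "Journal matches:" instead of
# "File list:" under the Filter section, exactly as in the question.
#[vsftpd]
#enabled  = true
#bantime  = 600
#findtime = 5000
#maxretry = 1
#port     = ftp,ftp-data
#action   = iptables-multiport
#logpath  = /var/log/vsftpd/vsftpd.log

# Corrected form: pin the backend for this jail. "auto" tries the file
# monitors in order (pyinotify, gamin, polling) and uses the first one
# available, so the vsftpd log file is actually tailed.
[vsftpd]
enabled  = true
backend  = auto
bantime  = 600
findtime = 5000
maxretry = 1
port     = ftp,ftp-data
action   = iptables-multiport
logpath  = /var/log/vsftpd/vsftpd.log
```

After `fail2ban-client reload vsftpd`, `fail2ban-client status vsftpd` should list `File list:` with the vsftpd log path in place of `Journal matches:`, and `Total failed` should start climbing as soon as the next `FAIL LOGIN` line is written. If the `[DEFAULT]` section of a drop-in is the source of `backend = systemd`, fixing it there once is cleaner than repeating `backend = auto` in every file-based jail.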
Score:0

Why did you think it is not banning? The fact it is not banned now doesn't mean a jail doesn't work.

I see a specific pattern in your log for the jail blaas: six consecutive attempts, then some delay (of around 10 minutes), then exactly six attempts again, then some delay, then six attempts again...

This could be interpreted in two ways:

  1. It bans for 10 minutes after 6 attempts. Then removes the ban.

  2. You are faced with a smart bot, which knows about fail2ban's typical behaviour and is able to determine jail settings (how many attempts in which time period fire a ban). Such bots have existed for quite a long time. So, it probably just tuned itself not to trip the ban action.

To remedy those cases, you need to enable the recidive jail, which scans fail2ban's own log file, looks for addresses that were banned and unbanned too many times (for instance, five per day) and bans them for a long time, like a whole month. In the second case, you also have to tighten up jail limits considerably, to be able to catch the bot with recidive before it has a chance to determine your jail setup.

Always read the log file (perhaps /var/log/fail2ban.log), not a regex matching helper. That helper is designed precisely to debug matches, which cause a hit. It won't help to debug the banning behaviour when regex matchers are already debugged and work properly.


I re-read your question and noticed the jail definition: ban time is really set to 10 minutes. If I was able to determine it without looking at the settings, why can't bots?

sebres
Because it does not even find any failure (related to the status, `Currently failed: 0` and `Total failed: 0` both mean it does not find anything)... And how could it at all if, again related to the status, due to `Journal matches` the jail seems to use backend `systemd`, which would never monitor log files (it is monitoring the systemd journal only)... Also note my answer above about the `backend` parameter.
Nikita Kipriyanov
Where did you see that the backend is `systemd`? Nothing is said about it in the configuration excerpt. The jail is configured with a precise log file path. That'd be a stupid default to have, wouldn't it? I really expect to see `auto` there by default, and it is on all my systems.
sebres
Because otherwise `fail2ban-client status` would show `File list` with the name of the logpath, instead of `Journal matches`. Setting `logpath` doesn't decide that (many preconfigured jails have it too), only the `backend` does. Just believe me, I've been a dev of fail2ban for more than 10 years.
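The recidive jail recommended in the second answer, written out as an added example (not the poster's configuration). fail2ban ships the `[recidive]` jail and its filter `filter.d/recidive.conf`; only the thresholds below are chosen here to match the answer's "five per day, ban for a month", and `30d` is an assumed stand-in for "a whole month".

```ini
# /etc/fail2ban/jail.local -- added example of the recidive jail from the
# answer above; not the original poster's file.
[recidive]
enabled   = true
# recidive reads fail2ban's own log, so it needs a file-monitoring backend
logpath   = /var/log/fail2ban.log
backend   = auto
# a repeat offender is blocked on every port, not just ftp/ftp-data
banaction = %(banaction_allports)s
# five "Ban" entries for the same address within one day ...
findtime  = 1d
maxretry  = 5
# ... earn a 30-day ban (assumed value for "a whole month")
bantime   = 30d
```

Two things to keep in mind. First, recidive only ever sees addresses that some other jail has already written a `Ban` line for, so it cannot compensate for a jail that never registers failures in the first place; `Total failed: 0` in the question has to be fixed before this jail has anything to work with. Second, the `1d`/`30d` abbreviations and `%(banaction_allports)s` require fail2ban 0.10 or newer, which the `{^LN-BEG}` date pattern in the question's `fail2ban-regex` output indicates is in use.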