Fli
07-17-2020, 08:01 AM
I am on CentOS 7 and was wondering how to enable vsftpd protection and prevent successfull brute force attack on FTP port 21.
I think i succeeded. Here is what i did:
On official f2b "Vsftpd" wiki page (https://www.fail2ban.org/wiki/index.php/Vsftpd) i read i should try following command to test fail2ban filter (/etc/fail2ban/filter.d/vsftpd.conf) against my vsftpd log file:
fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/vsftpd.conf
i think it should display some matches: "Lines: 1849 lines, 0 ignored, 11 matched, 1838 missed"
(Maybe your vsftpd log entries are not in secure log but in vsftpd.log)
Since i got matches i was thinking that the filter works so i went ahead to enable blocking in f2b.
/etc/fail2ban/fail2ban.conf does not suggest any easy way to enable vsftpd and it states i should use .local file instead of this .conf.
ls -A1 /etc/fail2ban
/etc/fail2ban/jail.local was the only .local file in /etc/fail2ban/
And this is its content after i inserted vsftpd jail (
nano /etc/fail2ban/jail.local):
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
[vsftpd-iptables]
enabled = true
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=VSFTPD, dest=root, sender=fail2ban]
logpath = /var/log/secure
maxretry = 20
bantime = -1
then i test configuration:
fail2ban-client -t
then i reload f2b to apply the configuration change (enable vsftpd jail):
service fail2ban reload;fail2ban-client status
it shows that the vsftpd protection is active
I think i succeeded. Here is what i did:
On official f2b "Vsftpd" wiki page (https://www.fail2ban.org/wiki/index.php/Vsftpd) i read i should try following command to test fail2ban filter (/etc/fail2ban/filter.d/vsftpd.conf) against my vsftpd log file:
fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/vsftpd.conf
i think it should display some matches: "Lines: 1849 lines, 0 ignored, 11 matched, 1838 missed"
(Maybe your vsftpd log entries are not in secure log but in vsftpd.log)
Since i got matches i was thinking that the filter works so i went ahead to enable blocking in f2b.
/etc/fail2ban/fail2ban.conf does not suggest any easy way to enable vsftpd and it states i should use .local file instead of this .conf.
ls -A1 /etc/fail2ban
/etc/fail2ban/jail.local was the only .local file in /etc/fail2ban/
And this is its content after i inserted vsftpd jail (
nano /etc/fail2ban/jail.local):
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
[vsftpd-iptables]
enabled = true
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=VSFTPD, dest=root, sender=fail2ban]
logpath = /var/log/secure
maxretry = 20
bantime = -1
then i test configuration:
fail2ban-client -t
then i reload f2b to apply the configuration change (enable vsftpd jail):
service fail2ban reload;fail2ban-client status
it shows that the vsftpd protection is active