I am on CentOS 7 and was wondering how to enable vsftpd protection and prevent a successful brute force attack on FTP port 21.

I think I succeeded. Here is what I did:

On the official f2b "Vsftpd" wiki page I read that I should try the following command to test the fail2ban filter (/etc/fail2ban/filter.d/vsftpd.conf) against my vsftpd log file:

Code:
fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/vsftpd.conf

I think it should display some matches: "Lines: 1849 lines, 0 ignored, 11 matched, 1838 missed"

(Maybe your vsftpd log entries are not in secure log but in vsftpd.log)

Since I got matches, I was thinking that the filter works, so I went ahead to enable blocking in f2b.

/etc/fail2ban/fail2ban.conf does not suggest any easy way to enable vsftpd, and it states I should use a .local file instead of this .conf.

Code:
ls -A1 /etc/fail2ban

/etc/fail2ban/jail.local was the only .local file in /etc/fail2ban/

And this is its content after I inserted the vsftpd jail (nano /etc/fail2ban/jail.local):

Code:
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/secure

[vsftpd-iptables]
enabled = true
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=VSFTPD, dest=root, sender=fail2ban]
logpath = /var/log/secure
maxretry = 20
bantime = -1

Then I test the configuration:
Code:
fail2ban-client -t

Then I reload f2b to apply the configuration change (enable vsftpd jail):

Code:
service fail2ban reload;fail2ban-client status

It shows that the vsftpd protection is active.
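
Added example, not part of the original post and not fail2ban's own code: a Python model of the counting that the [vsftpd-iptables] jail above performs, showing which hosts reach maxretry = 20 inside the find window. Assumptions: the regex is a simplified stand-in for the shipped vsftpd filter, findtime is taken as 600 seconds because the post does not set it, the function names are hypothetical, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for the vsftpd filter's PAM rule (assumption: this is
# not the regex shipped in /etc/fail2ban/filter.d/vsftpd.conf).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ vsftpd(?:\[\d+\])?: "
    r"pam_unix\(vsftpd:auth\): authentication failure;.*\brhost=(?P<host>\S+)"
)

def banned_hosts(lines, maxretry=20, findtime=600, year=2024):
    """Return hosts that reach maxretry failures within findtime seconds, in ban order."""
    recent = defaultdict(deque)  # host -> failure timestamps still inside the window
    banned = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m or m["host"] in banned:
            continue
        # syslog timestamps carry no year, so one is supplied (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["host"]]
        window.append(ts)
        # Failures older than findtime no longer count toward maxretry
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.append(m["host"])
    return banned

def sample_line(second, host):
    """Build one constructed /var/log/secure line, `second` seconds after 10:00:00."""
    h, rem = divmod(second, 3600)
    mi, s = divmod(rem, 60)
    return (f"Jan 10 {10 + h:02d}:{mi:02d}:{s:02d} srv vsftpd[2301]: "
            f"pam_unix(vsftpd:auth): authentication failure; "
            f"logname= uid=0 euid=0 tty=ftp ruser=test rhost={host}")

if __name__ == "__main__":
    log = [sample_line(i * 5, "203.0.113.5") for i in range(20)]    # 20 failures in 95 s
    log += [sample_line(i * 5, "198.51.100.7") for i in range(19)]  # 19 failures in 90 s
    log += [sample_line(i * 60, "192.0.2.9") for i in range(20)]    # 20 failures in 19 min
    log.append("Jan 10 10:00:00 srv sshd[999]: Failed password for root from 203.0.113.9")
    print(banned_hosts(log))
```

Only the first host is banned: the second stays one failure under maxretry, and the third never has 20 failures inside a single 600-second window.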