help? ftp attack not being caught

Lately, I've noticed THOUSANDS of attempts on invalid accounts. Here's what is in the log:

Oct 25 22:54:15 ****** vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=66.209.39.3

Did they change the error text in the latest vsftpd? Can someone help me fix this?

vsftpd configuration?

The only type of log lines that blockhosts catches is:
Wed Feb 1 07:15:54 2006 [pid 8860] [bbbb] FAIL LOGIN: Client "127.0.0.1"
for vsftpd

But the vsftpd configuration may not be starting a new vsftpd process after failed logins. Check the process IDs of the thousands of lines you see in your logs; if they are the same, not much can be done with blockhosts.

no such luck, my friend

The log entries you expect are not being generated. Yes, new PIDs are created for every 3 attempts (per my "max_login_fails=3" setting). And I did find a posting from someone else in the forum for a pattern that should match. However, that causes "ERROR: exiting: Config file Error: found invalid/unneeded definition: "VSFTPD-Fail"" to occur, and so nothing gets caught. I'm sure I'm missing something quite simple, but I'm not seeing it.

Pattern name, and python indenting

Change the name of the pattern, if you are not removing the existing VSFTPD-Fail pattern, and make sure the python indentation is correct in the file - spaces are very important!

According to a recently posted comment to this forum topic, vsftpd does work with the default blockhosts.py rules, no changes needed, other than vsftpd configuration: vsftpd-not-well-suited-to-tcpd-wrappers

read carefully

vsftpd 2.05 has not yet made it to the FC5 updates. I'm running FC5 and manually updated to vsftpd 2.05 to get the built-in fail limit.

I did comment out the other VSFTPD-Fail pattern, and did look at the overall format, but didn't count actual spaces. Copy/paste from a web page can sure mess that up, so I'll go recheck it. Thanks.

still need help with vsftpd

In 1 day, 761 separate connections with 2283 attempts on user Administrator. The blockhosts.py script is being run on FTP connections, but it is not finding log entries that match the given filter. My initial posting in this thread shows the only log entry format that results from a failed attempt. I did find a filter in another thread that should have worked, but it's somehow not formatted properly and prevents the blockhosts.py script from doing anything other than generating an error message. At least these failed attempts are all on invalid users, but I'd still like to have the right filter in place to catch this if they start on any valid user names.
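
Added example (not part of the thread, and not blockhosts' own pattern syntax or code): a standalone Python check that recognises both log formats quoted above, the vsftpd "FAIL LOGIN" line and the pam_unix "authentication failure" line, and counts failures per client address. The host name "ftphost", the 192.0.2.x addresses, the optional trailing "user=" field and the limit of 3 are assumptions; the sample lines are constructed from the two lines in the thread.

```python
import re
from collections import Counter

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Format 1: vsftpd's own log line, the one the thread says blockhosts catches.
VSFTPD_FAIL = re.compile(
    r'\[pid \d+\] \[[^\]]*\] FAIL LOGIN: Client "(?P<host>' + IPV4 + r')"')

# Format 2: the pam_unix syslog line from the first post. ruser= carries the
# user name the client sent, so only rhost= is taken as the source address.
# Assumption: pam_unix may append " user=NAME" after rhost= (not shown in the thread).
PAM_FAIL = re.compile(
    r"\bvsftpd: pam_unix\(vsftpd:auth\): authentication failure;"
    r".*?\bruser=(?P<user>.*?) rhost=(?P<host>" + IPV4 + r")"
    r"(?:\s+user=\S*)?\s*$")


def failed_host(line):
    """Return the client address of a failed vsftpd login, or None."""
    for pattern in (VSFTPD_FAIL, PAM_FAIL):
        match = pattern.search(line)
        if match:
            return match.group("host")
    return None


def hosts_over_limit(lines, limit=3):
    """Count failed logins per host; return hosts with at least `limit` failures."""
    counts = Counter(h for h in map(failed_host, lines) if h)
    return {host: n for host, n in counts.items() if n >= limit}


# Constructed sample input, modelled on the two log lines quoted in the thread.
PAM_LINE = ("Oct 25 22:54:15 ftphost vsftpd: pam_unix(vsftpd:auth): "
            "authentication failure; logname= uid=0 euid=0 tty=ftp "
            "ruser=Administrator rhost=66.209.39.3")
SAMPLE_LOG = [
    PAM_LINE, PAM_LINE, PAM_LINE,
    PAM_LINE.replace("66.209.39.3", "192.0.2.7") + "  user=alice",
    'Wed Feb 1 07:15:54 2006 [pid 8860] [bbbb] FAIL LOGIN: Client "127.0.0.1"',
    'Wed Feb 1 07:16:02 2006 [pid 8861] [bbbb] OK LOGIN: Client "192.0.2.10"',
]

if __name__ == "__main__":
    for host, n in hosts_over_limit(SAMPLE_LOG).items():
        print(f"{host}: {n} failed logins")
```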