pam_unix(vsftpd:auth) regexp

Oct 10 14:21:03 office vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=12 rhost=designer4.*.*a.ua

What regexp do I need to use for this?
Help please.

See other forum message?

Re: pam_unix(vsftpd:auth) regexp

I see the same problem as this - the "rhost" bit of the line is looked up in the DNS, so if it can be resolved then it is replaced by the name. BlockHosts will not work in this situation.

Compare these two lines:

Mar 11 03:08:09 support vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=netaddr203-81-56-212.8toinfinity.com.sg

Mar 11 21:48:31 support vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=info rhost=60.18.168.108

The second one works, the first one does not.

Dave

Aha, fixed it.

The way to fix this is (of course) to use the native vsftpd.log, then the normal "FAIL LOGIN" entries will catch it.

I was wondering why this log file doesn't exist when using the default configuration that seems to come with RHEL/CentOS machines (all you get is /var/log/xferlog and the entries from pam in /var/log/secure), so I read the man page for vsftpd.conf!!

A quick way to fix this is to use the option "dual_log_enable=YES" which turns on the native vsftpd.log as well as the xferlog, then make sure your blockhosts config file says:

LOGFILES = [ "/var/log/secure", "/var/log/vsftpd.log", ]

Dave
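
The difference between the two log sources discussed in this thread, as an added example (not code from the posts above or from BlockHosts): it counts failures per source address and sets aside pam_unix entries whose rhost was logged as a hostname, which cannot be turned into an IP block rule. The vsftpd.log line layout (`[pid N] [user] FAIL LOGIN: Client "addr"`) and the vsftpd.log sample lines are assumptions constructed for illustration; the two pam_unix lines are the ones quoted in the thread.

```python
import ipaddress
import re
from collections import Counter

# pam_unix failure as written to /var/log/secure (format quoted in the thread).
PAM_RE = re.compile(
    r"pam_unix\(vsftpd:auth\): authentication failure;.*\brhost=(?P<host>\S+)")
# Native vsftpd.log failure (assumed layout; needs dual_log_enable=YES).
NATIVE_RE = re.compile(r'FAIL LOGIN: Client "(?P<host>[^"]+)"')

def blockable_ip(host):
    """Return a normalized IP string, or None if host is a DNS name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    # vsftpd listening on IPv6 may log IPv4 clients as ::ffff:a.b.c.d
    mapped = getattr(ip, "ipv4_mapped", None)
    return str(mapped or ip)

def classify(lines):
    """Return (failures per IP, rhost names that give no address to block)."""
    per_ip, names = Counter(), []
    for line in lines:
        m = PAM_RE.search(line) or NATIVE_RE.search(line)
        if not m:
            continue
        ip = blockable_ip(m.group("host"))
        if ip:
            per_ip[ip] += 1
        else:
            # Do not resolve the name back to an IP: reverse DNS is set by
            # whoever controls the client's address space.
            names.append(m.group("host"))
    return per_ip, names

SAMPLE = [
    # The two /var/log/secure lines from the thread
    "Mar 11 03:08:09 support vsftpd: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser=Administrator "
    "rhost=netaddr203-81-56-212.8toinfinity.com.sg",
    "Mar 11 21:48:31 support vsftpd: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser=info rhost=60.18.168.108",
    # Constructed vsftpd.log lines (documentation address range)
    'Mon Mar 11 21:49:10 2013 [pid 4242] [info] FAIL LOGIN: Client "203.0.113.7"',
    'Mon Mar 11 21:49:12 2013 [pid 4243] [info] FAIL LOGIN: Client "::ffff:203.0.113.7"',
    'Mon Mar 11 21:50:02 2013 [pid 4250] [dave] OK LOGIN: Client "203.0.113.9"',
]

if __name__ == "__main__":
    counts, unblockable = classify(SAMPLE)
    print(dict(counts), unblockable)
```
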