vsftpd regex in /var/log/secure file

Hi,

On every vsftpd failed connection I see this in /var/log/secure:

Oct 5 06:23:37 server vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user hector
Oct 5 06:23:41 server vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Oct 5 06:23:41 server vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=hector rhost=xx.xx.xx.xx

I have tried various regex expressions but haven't been able to match, so I can get the {HOST_IP} of xx.xx.xx.xx.

Can someone help here please?

Thanks.

Michael.

Tried a python regex

Hi,

This is the python regex I have tried, which matches everything I need (I believe):

"vsftpd-FailSyslog":
r'... .?\d \d\d:\d\d:\d\d \S{8} vsftpd: pam\Dunix\Dvsftpd:auth\D: .*? failure\D logname= uid=\d euid=\d tty=ftp ruser=.*? rhost={HOST_IP}$',

it was:

r'{LOG_PREFIX{vsftpd}} .* FAIL LOGIN: Client "{HOST_IP}"$',

but when I try to FTP in many times with failed attempts, blockhosts doesn't watch/block the IP.

I've spent some hours on this already and am no closer to resolving it.

Any help is appreciated.

Michael.

here's the pattern

    "vsftpd-pam-unix-Fail":
        r'{LOG_PREFIX{vstfpd}} pam_unix\(vsftpd:auth\): authentication failure; logname= .* rhost={HOST_IP}$'

Hi, Thanks for that pattern.

Hi,

Thanks for that pattern. I did add it into blockhosts.conf the day you posted it, so just had to wait till another attack happened.

Currently the attack is on-going and blockhosts is missing it (from /var/log/secure):

Oct 16 18:23:10 server vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=guest rhost=202.55.176.81
Oct 16 18:23:10 server vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user guest
Oct 16 18:23:10 server vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Oct 16 18:23:10 server vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=guest rhost=202.55.176.81
Oct 16 18:23:10 server vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user guest
Oct 16 18:23:14 server vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Oct 16 18:23:14 server vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=guest rhost=202.55.176.81
Oct 16 18:23:14 server vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user guest
Oct 16 18:23:15 server vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Oct 16 18:23:15 server vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=guest rhost=202.55.176.81
Oct 16 18:23:15 server vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user guest

My vsftpd section in the blockhosts.conf file is:

"vsftpd-pam-unix-Fail":
r'{LOG_PREFIX{vstfpd}} pam_unix\(vsftpd:auth\): authentication failure; logname= .* rhost={HOST_IP}$',

"vsftpd-FailSyslog":
r'{LOG_PREFIX{vsftpd}} .* FAIL LOGIN: Client "{HOST_IP}"$',

# vsftpd.log line, uses different prefix, so no LOG_PREFIX used below:
"vsftpd-FailVsftpd":
r'... ... .?\d \d\d:\d\d:\d\d \d{4} .* FAIL LOGIN: Client "{HOST_IP}"$',

and my enabled rules line is:

ENABLE_RULES = r'(?i)(sshd|.*ftpd).*' # default (?i) for IGNORECASE matching

Any ideas what is wrong?

blockhosts does work for ssh attempts, just not for vsftpd.

Thanks.

pattern working or not?

1) Look at the hosts.allow file: does that file show the IP address in the blocked list?
If not, then there is probably a problem with the pattern, or blockhosts is not reading the log file (not configured, etc.).

2) If the IP address is there but vsftpd is not being blocked, then vsftpd is not using TCP WRAPPERS. There are other messages in this forum pointing out problems with older versions of vsftpd which do not exit but continue to allow login attempts forever.

Hi, For 1., I think you've

Hi,

For 1., I think you've just found the problem. Yes, it is part of the hosts.allow file, and in checking my setup I realised vsftpd is running as its own service and not through xinetd. I'm pretty sure that's the problem, so I will change vsftpd now to run through xinetd, which will use tcpwrappers and (hopefully) properly block these attempts.

If the problem persists after I make vsftpd run through xinetd then I'll go through the forums and see if the version I am running is too old. It's what comes with RHEL 5:

vsftpd-2.0.5-12.el5.x86_64

Thanks for your help.

regex doesn't catch this

Nov 5 03:41:10 myhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=219.94.131.160

Is the lack of [pid] making the difference? I have 2283 of those in my /var/log/secure that are being ignored.

never mind

Might help to notice the typo of vstfp in the regex and correct it. My bad.
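As an added example (not from the thread and not blockhosts' own code), here is the "vsftpd-pam-unix-Fail" rule from the thread applied in plain Python to constructed sample lines, showing that with the "vstfpd" typo in the daemon name it matches nothing, while the corrected name extracts the rhost of each failed attempt. The hand-expanded LOG_PREFIX (with an optional [pid]) and the HOST_IP pattern are my assumptions, not blockhosts' own definitions.

```python
import re

# Constructed sample lines in the /var/log/secure format shown in the thread.
# The rhost values are documentation addresses, not real indicators.
SAMPLE_LOG = """\
Oct 16 18:23:10 server vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=guest rhost=192.0.2.10
Oct 16 18:23:10 server vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user guest
Oct 16 18:23:10 server vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Oct 16 18:23:14 server vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=guest rhost=192.0.2.10
Nov  5 03:41:10 myhost vsftpd[2283]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=198.51.100.7
"""

# Assumed stand-in for blockhosts' {HOST_IP}: a dotted IPv4 address.
HOST_IP = r'(?P<host_ip>\d{1,3}(?:\.\d{1,3}){3})'


def log_prefix(daemon):
    """Assumed expansion of {LOG_PREFIX{daemon}}: syslog timestamp, hostname,
    daemon name with an optional [pid] (so lines with or without a pid match)."""
    return r'^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ ' + daemon + r'(?:\[\d+\])?: '


def build_rule(daemon):
    """The thread's pattern with LOG_PREFIX expanded for the given daemon name.
    Passing 'vstfpd' reproduces the typo the last post points out."""
    return re.compile(
        log_prefix(daemon)
        + r'pam_unix\(vsftpd:auth\): authentication failure; logname= .* rhost='
        + HOST_IP + '$'
    )


def failed_hosts(log_text, rule):
    """Count PAM authentication failures per rhost over the log text."""
    counts = {}
    for line in log_text.splitlines():
        m = rule.match(line)
        if m:
            ip = m.group('host_ip')
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == '__main__':
    print('typo   :', failed_hosts(SAMPLE_LOG, build_rule('vstfpd')))  # {}
    print('correct:', failed_hosts(SAMPLE_LOG, build_rule('vsftpd')))
```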