# fail2ban and vsftpd

## aztech

By chance I just noticed that someone is trying to "hack" my ftpd.

I'm running vsftpd and also fail2ban.

fail2ban works just great for my sshd, but for some reason not for vsftpd.

```
[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           mail-whois[name=VSFTPD, dest=root@localhost]
logpath  = /var/log/auth.log
maxretry = 5
bantime  = 1800
```

And an extract from auth.log:

```
Feb  3 19:52:37 bionic vsftpd: pam_unix(ftp:auth): check pass; user unknown
Feb  3 19:52:37 bionic vsftpd: pam_unix(ftp:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=colette rhost=xx.xx.211.249
Feb  3 19:52:41 bionic vsftpd: pam_unix(ftp:auth): check pass; user unknown
Feb  3 19:52:41 bionic vsftpd: pam_unix(ftp:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=colette rhost=xx.xx.211.249
Feb  3 19:52:44 bionic vsftpd: pam_unix(ftp:auth): check pass; user unknown
Feb  3 19:52:44 bionic vsftpd: pam_unix(ftp:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=colette rhost=xx.xx.211.249
Feb  3 19:52:48 bionic vsftpd: pam_unix(ftp:auth): check pass; user unknown
Feb  3 19:52:48 bionic vsftpd: pam_unix(ftp:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=colette rhost=xx.xx.211.249
Feb  3 19:52:52 bionic vsftpd: pam_unix(ftp:auth): check pass; user unknown
.......... and so on ...
```

The regex:

```
failregex = vsftpd: .* authentication failure; .* rhost=<HOST>$
            \[.+\] FAIL LOGIN: Client "<HOST>"$
```

Maybe I'm just blind or something, but I can't see why this is not working.

Anyone?

BR

Andreas

----------

## artbody

logpath must be the logfile of the watched program, in your case the logfile from the FTP daemon ;)

```
[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           mail-whois[name=VSFTPD, dest=root@localhost]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800
```

----------

## aztech

*artbody wrote:*

> logpath
>
> must be the logfile of the watched program
>
> in your case the logfile from the ftpdaemon
> ...

Really?

My vsftpd.log contains nothing more than actual transfers, nothing about auth, so I don't think so.

And as I posted before, all the "auth stuff" goes in the auth.log according to my syslog-ng settings.

----------
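Added example, not part of the thread or of fail2ban's code: a small offline check of the two `failregex` lines quoted above against both log formats discussed, counting matches per host the way the jail's `maxretry = 5` would. The `<HOST>` expansion is a simplified assumption, and the log lines are constructed from the posted extract with documentation addresses in place of the masked `rhost`.

```python
import re
from collections import Counter

# Assumption: simplified stand-in for fail2ban's <HOST> tag (one hostname/IPv4 token).
HOST = r"(?P<host>[\w.-]+)"

# The two failregex lines quoted in the thread.
FAILREGEX = [
    r'vsftpd: .* authentication failure; .* rhost=<HOST>$',
    r'\[.+\] FAIL LOGIN: Client "<HOST>"$',
]

# Constructed sample input; documentation addresses replace the masked rhost.
PAM = "Feb  3 19:52:%02d bionic vsftpd: pam_unix(ftp:auth): "
FAIL = "authentication failure; logname= uid=0 euid=0 tty=ftp ruser=colette rhost="
SAMPLE_LOG = []
for sec in (37, 41, 44, 48, 52):
    SAMPLE_LOG.append(PAM % sec + "check pass; user unknown")
    SAMPLE_LOG.append(PAM % sec + FAIL + "203.0.113.249")
# Trailing space after the address: the `$` anchor rejects this line.
SAMPLE_LOG.append(PAM % 55 + FAIL + "203.0.113.10 ")
# vsftpd's own log format (vsftpd.log), which the second pattern targets.
SAMPLE_LOG.append('Sun Feb  3 19:53:01 2008 [pid 4242] [colette] FAIL LOGIN: Client "198.51.100.7"')


def count_failures(lines, patterns=FAILREGEX):
    """Return a Counter of host -> number of lines matched by any pattern."""
    compiled = [re.compile(p.replace("<HOST>", HOST)) for p in patterns]
    hits = Counter()
    for line in lines:
        for rx in compiled:
            match = rx.search(line)
            if match:
                hits[match.group("host")] += 1
                break  # one failure per line, even if several patterns match
    return hits


def hosts_to_ban(hits, maxretry=5):
    """Hosts whose failure count reached maxretry (the jail's value is 5)."""
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    hits = count_failures(SAMPLE_LOG)
    for host, n in sorted(hits.items()):
        print(f"{host}: {n} matching line(s)")
    print("would ban:", hosts_to_ban(hits))
```

On a live system, fail2ban's own `fail2ban-regex` tool performs this check with the real filter and the real log file.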

