Support for vsftpd Login Failures

Riatsala
Junior Member
Posts: 3
Joined: 27 May 2008, 10:50

Support for vsftpd Login Failures

Post by Riatsala »

I've had thousands of vsftpd login failures in the last few weeks. It would be great to be able to block the offending IPs.

Here are a few lines from /var/log/messages


May  1 12:43:17 vps vsftpd(pam_unix)[11377]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=72.232.10.66  user=mysql

May 11 00:39:10 vps vsftpd(pam_unix)[22388]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=219.232.228.160

May 25 19:59:54 vps vsftpd(pam_unix)[17806]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=65.204.255.101

If blocking these could be added to a future lfd update, I'd really appreciate it!

All the best,
Riatsala
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

I'll look at adding these to regex.pm
Riatsala
Junior Member
Posts: 3
Joined: 27 May 2008, 10:50

Post by Riatsala »

Thanks chirpy. :)
Riatsala
Junior Member
Posts: 3
Joined: 27 May 2008, 10:50

Post by Riatsala »

Thanks for including this in the latest update. It's blocked a couple of IPs already! :)

I have noticed something strange while browsing the logs. It appears there are actually two types of attack, and only one is getting blocked.

Those who use a legitimate username but wrong password generate a single line in /var/log/messages like the ones above, and these are blocked perfectly.

Those who use an invalid username generate two lines in the log for each attempt, and for some reason they are ignored by lfd.


May 29 05:02:38 vps vsftpd(pam_unix)[5398]: check pass; user unknown
May 29 05:02:38 vps vsftpd(pam_unix)[5398]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=219.232.228.160 
May 29 05:02:46 vps vsftpd(pam_unix)[5442]: check pass; user unknown
May 29 05:02:46 vps vsftpd(pam_unix)[5442]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=219.232.228.160 
May 29 05:02:50 vps vsftpd(pam_unix)[5463]: check pass; user unknown
May 29 05:02:50 vps vsftpd(pam_unix)[5463]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=219.232.228.160 
The second line is exactly the same format as those above, which is why I'm surprised lfd doesn't block it.

People trying to log in with an invalid username isn't much of a threat, so this isn't important, but I am curious to know why these attempts don't get blocked.

All the best,
Riatsala
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

I'll check the regex and make sure those are blocked too.
Com4
Junior Member
Posts: 2
Joined: 24 Aug 2009, 17:33

Post by Com4 »

Hi,

I've had thousands of vsftpd login failures the last couple of days and it seems that CSF is not blocking them:

vsftpd:
Unknown Entries:
check pass; user unknown: 2289 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator

**Unmatched Entries**
vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user

I could not find anything about this except for this topic.

Any help in this case would be appreciated.

Thanks,

Dave
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

You need to post the actual login failure log lines that you've configured lfd to scan.
Sander
Junior Member
Posts: 1
Joined: 16 Jan 2010, 22:17

Post by Sander »

Hi,

I have the same issues.

Several thousand lines in the secure log file like:

May 29 05:02:38 vps vsftpd(pam_unix)[5398]: check pass; user unknown
May 29 05:02:38 vps vsftpd(pam_unix)[5398]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=219.232.228.160

Can you tell me what you mean with:

"You need to post the actual login failure log lines that you've configured lfd to scan"

Thanks,

Sander
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

That's the line I need. That particular one isn't picked up by the regex at present. I'll add it to the dev list.
Com4
Junior Member
Posts: 2
Joined: 24 Aug 2009, 17:33

Post by Com4 »

Hi,

The exact log lines are like this:

Jan 30 03:04:39 serv222 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user anonymous
Jan 30 03:05:10 serv222 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Jan 30 03:05:10 serv222 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=s5593f547.ad


Besides that, vsftpd is using the /var/log/secure file to log these errors and not the
default /var/log/messages file that is configured in the csf config file.

Thanks,

Dave
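The thread ends up showing two syslog layouts for the same pam_unix failure (the older `vsftpd(pam_unix)[pid]:` prefix and the newer `vsftpd: pam_unix(vsftpd:auth):` prefix), a `check pass; user unknown` line that carries no source address, an `rhost=` that may be a hostname or empty, and logs that land in /var/log/secure rather than /var/log/messages. The following is an added example, not lfd's regex.pm or any code from the thread: a small matcher that handles both layouts, pulls the `rhost`/`user` fields out of the key=value tail, counts failures per source, and flags sources that are hostnames rather than IP literals. The threshold, the function names and the constructed sample lines are assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter

# Two syslog layouts for the same pam_unix message appear in the thread,
# depending on the PAM/syslog version in use:
#   vsftpd(pam_unix)[5398]: authentication failure; ... rhost=219.232.228.160
#   vsftpd: pam_unix(vsftpd:auth): authentication failure; ... rhost=somehost
# Both end in the same "key=value" tail, so one pattern with an alternation for
# the prefix covers both. Illustrative matcher only; this is not lfd's regex.pm.
PAM_FAILURE = re.compile(
    r"vsftpd(?:\(pam_unix\)\[\d+\]|: pam_unix\(vsftpd:auth\)): "
    r"authentication failure; (?P<fields>.*)$"
)
FIELD = re.compile(r"(\w+)=(\S*)")  # values may be empty, e.g. "tty= ruser="


def parse_failure(line):
    """Parse one syslog line. Returns {"rhost": ..., "user": ...} for a vsftpd
    PAM authentication failure in either layout, else None.

    "check pass; user unknown" and pam_succeed_if error lines carry no rhost at
    all, so they are deliberately not treated as failures; the "authentication
    failure" line logged right after them for the same connection is the one
    that names the source and is the one to act on."""
    m = PAM_FAILURE.search(line)
    if not m:
        return None
    fields = dict(FIELD.findall(m.group("fields")))
    return {
        "rhost": fields.get("rhost") or None,  # empty "rhost=" becomes None
        "user": fields.get("user") or fields.get("ruser") or None,
    }


def needs_resolution(rhost):
    """True when rhost is a hostname rather than an IP literal. A firewall rule
    needs an address, and a reverse-DNS name is chosen by the remote side."""
    try:
        ipaddress.ip_address(rhost)
        return False
    except ValueError:
        return True


def offenders(lines, threshold):
    """Count auth failures per rhost and return [(rhost, count), ...] for every
    source at or above threshold, most frequent first."""
    counts = Counter()
    for line in lines:
        parsed = parse_failure(line)
        if parsed and parsed["rhost"]:
            counts[parsed["rhost"]] += 1
    return [(h, n) for h, n in counts.most_common() if n >= threshold]


# Sample log (constructed): the first four lines are copies of lines posted in
# this thread; the rest are made up to exercise the newer layout, a hostname in
# rhost (scanner.example.net is a documentation name) and an empty rhost.
SAMPLE_LOG = [
    "May  1 12:43:17 vps vsftpd(pam_unix)[11377]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=72.232.10.66  user=mysql",
    "May 29 05:02:38 vps vsftpd(pam_unix)[5398]: check pass; user unknown",
    "May 29 05:02:38 vps vsftpd(pam_unix)[5398]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=219.232.228.160",
    "May 29 05:02:46 vps vsftpd(pam_unix)[5442]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=219.232.228.160",
    "Jan 30 03:04:39 serv222 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user anonymous",
    "Jan 30 03:05:10 serv222 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown",
    "Jan 30 03:05:10 serv222 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=scanner.example.net",
    "Jan 30 03:05:15 serv222 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=scanner.example.net",
    "Jan 30 03:05:20 serv222 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=",
]

if __name__ == "__main__":
    for rhost, count in offenders(SAMPLE_LOG, threshold=2):
        tag = " (hostname, resolve before blocking)" if needs_resolution(rhost) else ""
        print(f"{rhost}: {count} failures{tag}")
```

Two practical points follow from the thread itself: whatever pattern is used has to be run against the file the lines actually land in (Dave's logs went to /var/log/secure, not the /var/log/messages configured in csf), and when `rhost=` holds a name rather than an address the block cannot be applied until it is resolved, while an empty `rhost=` cannot be attributed to any source at all and is best left as a count rather than a block.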