If your ProFTPD server has anonymous access enabled, then during an attack, when authentication fails, the server will open the anonymous account. The following then appears in /var/log/xferlog:
<pre>Mar 17 22:48:43 ubuntuserv proftpd[29240] ubuntuserv.lan (::ffff:219.140.61.17[::ffff:219.140.61.17]): FTP session opened.
Mar 17 22:48:44 ubuntuserv proftpd[29240] ubuntuserv.lan (::ffff:219.140.61.17[::ffff:219.140.61.17]): no such user 'Administrator'
Mar 17 22:48:44 ubuntuserv proftpd[29240] ubuntuserv.lan (::ffff:219.140.61.17[::ffff:219.140.61.17]): USER Administrator: no such user found from ::ffff:219.140.61.17 [::ffff:219.140.61.17] to ::ffff:192.168.1.253:21
Mar 17 22:48:45 ubuntuserv proftpd[29240] ubuntuserv.lan (::ffff:219.140.61.17[::ffff:219.140.61.17]): no such user 'Administrator'
Mar 17 22:48:45 ubuntuserv proftpd[29240] ubuntuserv.lan (::ffff:219.140.61.17[::ffff:219.140.61.17]): USER Administrator: no such user found from ::ffff:219.140.61.17 [::ffff:219.140.61.17] to ::ffff:192.168.1.253:21
Mar 17 22:48:46 ubuntuserv proftpd[29240] ubuntuserv.lan (::ffff:219.140.61.17[::ffff:219.140.61.17]): no such user 'Administrator'
Mar 17 22:48:46 ubuntuserv proftpd[29240] ubuntuserv.lan (::ffff:219.140.61.17[::ffff:219.140.61.17]): USER Administrator: no such user found from ::ffff:219.140.61.17 [::ffff:219.140.61.17] to ::ffff:192.168.1.253:21
Mar 17 22:48:46 ubuntuserv proftpd[29240] ubuntuserv.lan (::ffff:219.140.61.17[::ffff:219.140.61.17]): Maximum login attempts (3) exceeded, connection refused</pre>
(while I'm at it, I'll take the opportunity to publish an IP address that is brute-forcing... Christine Albanel will be able to do something with it!)
These lines match none of the rules provided in /etc/fail2ban/filter.d/proftpd.conf. Here is a new rule to add to the proftpd.conf file:
\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): No such user found.$
The complete file then becomes:
<pre># Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 677 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
            \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
            \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
            \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$
            \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): No such user found.$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = </pre>
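To check which of these expressions actually fire on the log excerpt above, here is a small test harness added to this post (it is neither fail2ban's code nor the original author's): it expands `<HOST>` into the alias quoted in the file's header comment and searches each failregex anywhere in the line, the way fail2ban does, over one copy of each distinct message. Pay attention to the `$` anchors: a line that carries extra text after the part a pattern expects will not fire.

```python
import re

# "<HOST>" expands to this alias, as the filter's header comment states.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The five failregex lines of the proftpd.conf shown above, verbatim.
FAILREGEX = [
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$",
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$",
    r"\(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$",
    r"\(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$",
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): No such user found.$",
]
COMPILED = [re.compile(r.replace("<HOST>", HOST_TAG)) for r in FAILREGEX]

# Sample lines copied from the log excerpt above (one of each distinct message).
PREFIX = "Mar 17 22:48:44 ubuntuserv proftpd[29240] ubuntuserv.lan (::ffff:219.140.61.17[::ffff:219.140.61.17]): "
LOG_OPENED = PREFIX + "FTP session opened."
LOG_NOSUCH = PREFIX + "no such user 'Administrator'"
LOG_USER = PREFIX + ("USER Administrator: no such user found from ::ffff:219.140.61.17 "
                     "[::ffff:219.140.61.17] to ::ffff:192.168.1.253:21")
LOG_MAX = PREFIX + "Maximum login attempts (3) exceeded, connection refused"
SAMPLE_LOG = [LOG_OPENED] + [LOG_NOSUCH, LOG_USER] * 3 + [LOG_MAX]

def match_line(line):
    """Return (failregex index, host) for the first expression that fires, else None.

    The pattern is searched anywhere in the line, so the syslog-style
    timestamp prefix does not have to be stripped first.
    """
    for index, rx in enumerate(COMPILED):
        m = rx.search(line)
        if m:
            return index, m.group("host")
    return None

def count_failures(lines):
    """Tally matching lines per host: the count fail2ban compares against maxretry."""
    tally = {}
    for line in lines:
        hit = match_line(line)
        if hit:
            tally[hit[1]] = tally.get(hit[1], 0) + 1
    return tally

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_line(line), "<-", line.split("): ", 1)[1])
    print(count_failures(SAMPLE_LOG))
```

Running it shows that only the "USER ...: no such user found from ..." lines are matched (by the first expression), while the "Maximum login attempts (3) exceeded, connection refused" line is not, because the pattern's `$` expects the line to end right after "exceeded". fail2ban ships `fail2ban-regex <logfile> <filter file>` to run the same check against a real log.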
Update 5-07-2009: if fail2ban has trouble recognising these attacks in the logs, check that you are not changing their format with a LogFormat directive in /etc/proftpd/proftpd.conf resembling:
LogFormat write "%h %l %u %t \"%r\" %s %b"
Many ProFTPD configuration examples on the web change the format of the log files...