Modification de Fail2Ban pour proftpd avec accès anonyme

Modification de Fail2Ban pour proftpd avec accès anonyme

Si votre serveur ftp ProFtpd dispose d’un accès anonyme, lors d’une attaque si l’authentification échoue le serveur va ouvrir le compte anonymes. Ainsi dans /var/log/xferlog il apparait :

Mar 17 22:48:43 ubuntuserv proftpd[29240] ubuntuserv.lan (::ffff:219.140.61.17[::ffff:219.140.61.17]): FTP session opened.
Mar 17 22:48:44 ubuntuserv proftpd[29240] ubuntuserv.lan (::ffff:219.140.61.17[::ffff:219.140.61.17]): no such user 'Administrator'
Mar 17 22:48:44 ubuntuserv proftpd[29240] ubuntuserv.lan (::ffff:219.140.61.17[::ffff:219.140.61.17]): USER Administrator: no such user found from ::ffff:219.140.61.17 [::ffff:219.140.61.17] to ::ffff:192.168.1.253:21
Mar 17 22:48:45 ubuntuserv proftpd[29240] ubuntuserv.lan (::ffff:219.140.61.17[::ffff:219.140.61.17]): no such user 'Administrator'
Mar 17 22:48:45 ubuntuserv proftpd[29240] ubuntuserv.lan (::ffff:219.140.61.17[::ffff:219.140.61.17]): USER Administrator: no such user found from ::ffff:219.140.61.17 [::ffff:219.140.61.17] to ::ffff:192.168.1.253:21
Mar 17 22:48:46 ubuntuserv proftpd[29240] ubuntuserv.lan (::ffff:219.140.61.17[::ffff:219.140.61.17]): no such user 'Administrator'
Mar 17 22:48:46 ubuntuserv proftpd[29240] ubuntuserv.lan (::ffff:219.140.61.17[::ffff:219.140.61.17]): USER Administrator: no such user found from ::ffff:219.140.61.17 [::ffff:219.140.61.17] to ::ffff:192.168.1.253:21
Mar 17 22:48:46 ubuntuserv proftpd[29240] ubuntuserv.lan (::ffff:219.140.61.17[::ffff:219.140.61.17]): Maximum login attempts (3) exceeded, connection refused

(tiens j’en profite pour balancer un adresse IP qui fait de la force-brute… Christine Albanel va pouvoir en faire quelque chose!)

ces lignes ne correspondent à aucune des règles fournies dans /etc/fail2ban/filter.d/proftpd.conf. Voici une nouvelle règle à ajouter dans le fichier proftpd.conf:

\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): No such user found.$

Ainsi le fichier complet devient:

<pre># Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 677 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
           \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
           \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
           \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$
           \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): No such user found.$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
</pre>

Mise à jour 5-07-2009: si fail2ban a des problème pour reconnaitre ces attaques dans les logs vérifier que vous ne modifiez pas leur format avec une instruction de type logformat dans /etc/proftpd/proftpd.conf reseemblant à:

LogFormat write "%h %l %u %t \"%r\" %s %b"

de nombreux exemples de configuration de proftpd sur le net modifient le format des fichiers de log….