In this log vsftpd records the data transfer operations, i.e. uploads and downloads.
The filter I adopted for this log is the following:
Originally posted by filter.d/vsftpd-xferlog.conf
HTML code:
# Fail2Ban configuration file
#
# Author: Matteo Fracassetti
#
# $Revision: 001 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \d+ <HOST> \d+ [(?:\|\/)\.+]{3,}.*$
            \d+ <HOST> \d+ .*etc.*passwd .*$
            \d+ <HOST> \d+ .*boot.ini .*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Practically all the regexes are inspired by the log entries I found, which were always generated by a scanner or, more likely, a bot, and relate to various attempts to access the /etc/passwd file or a "boot.ini" file...
The first one in particular should match the presence of two or more repetitions of the character sequence made up of one or more "\" or one or more "/" followed by one or more "."
Code:
Sun Aug 19 22:53:56 2012 1 83.139.194.70 0 /etc/passwd a _ o a ftp 0 * i
Sun Aug 19 22:53:57 2012 1 83.139.194.70 0 /..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\etc/passwd a _ o a ftp 0 * i
Sun Aug 19 22:53:59 2012 1 83.139.194.70 0 /../\../\../\../\../\../\../\../\../\../\../\../\etc/passwd a _ o a ftp 0 * i
Sun Aug 19 22:54:00 2012 1 83.139.194.70 0 /..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc/passwd a _ o a ftp 0 * i
Sun Aug 19 22:54:02 2012 1 83.139.194.70 0 /..///..///..///..///..///..///..///..///..///..///..///..///etc/passwd a _ o a ftp 0 * i
Sun Aug 19 22:54:03 2012 1 83.139.194.70 0 /etc/passwd a _ o a ftp 0 * i
Sun Aug 19 22:54:05 2012 1 83.139.194.70 0 /../\/../\/../\/../\/../\/../\/../\/../\/../\/../\/../\/../\/etc/passwd a _ o a ftp 0 * i
Sun Aug 19 22:54:06 2012 1 83.139.194.70 0 /./.././.././.././.././.././.././.././.././.././.././.././../etc/passwd a _ o a ftp 0 * i
Sun Aug 19 22:54:08 2012 1 83.139.194.70 0 /etc/passwd a _ o a ftp 0 * i
Sun Aug 19 22:54:09 2012 1 83.139.194.70 0 /.\..\.\..\.\..\.\..\.\..\.\..\.\..\.\..\.\..\.\..\.\..\.\..\etc/passwd a _ o a ftp 0 * i
Sun Aug 19 22:54:11 2012 1 83.139.194.70 0 /../../../../../../../../../../../../etc/passwd a _ o a ftp 0 * i
Sun Aug 19 22:54:13 2012 1 83.139.194.70 0 /etc/passwd a _ o a ftp 0 * i
Sun Aug 19 22:54:15 2012 1 83.139.194.70 0 /\..\..\..\..\..\..\..\..\..\..\..\..\etc/passwd a _ o a ftp 0 * i
Sun Aug 19 22:54:16 2012 1 83.139.194.70 0 /.../etc/passwd a _ o a ftp 0 * i
Sun Aug 19 22:54:18 2012 1 83.139.194.70 0 /.../etc/passwd a _ o a ftp 0 * i
Sun Aug 19 22:54:23 2012 1 83.139.194.70 0 /....../etc/passwd a _ o a ftp 0 * i
Sun Aug 19 22:54:24 2012 1 83.139.194.70 0 /\.../etc/passwd a _ o a ftp 0 * i
Sun Aug 19 22:54:26 2012 1 83.139.194.70 0 /...\etc/passwd a _ o a ftp 0 * i
Sun Aug 19 22:54:27 2012 1 83.139.194.70 0 /..../etc/passwd a _ o a ftp 0 * i
Sun Aug 19 22:54:29 2012 1 83.139.194.70 0 /C:\etc/passwd a _ o a ftp 0 * i
Sun Aug 19 22:53:56 2012 1 83.139.194.70 0 /boot.ini a _ o a ftp 0 * i
Sun Aug 19 22:53:57 2012 1 83.139.194.70 0 /..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\boot.ini a _ o a ftp 0 * i
Sun Aug 19 22:53:59 2012 1 83.139.194.70 0 /../\../\../\../\../\../\../\../\../\../\../\../\boot.ini a _ o a ftp 0 * i
Sun Aug 19 22:54:00 2012 1 83.139.194.70 0 /..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/boot.ini a _ o a ftp 0 * i
Sun Aug 19 22:54:02 2012 1 83.139.194.70 0 /..///..///..///..///..///..///..///..///..///..///..///..///boot.ini a _ o a ftp 0 * i
Sun Aug 19 22:54:03 2012 1 83.139.194.70 0 /boot.ini a _ o a ftp 0 * i
Sun Aug 19 22:54:05 2012 1 83.139.194.70 0 /../\/../\/../\/../\/../\/../\/../\/../\/../\/../\/../\/../\/boot.ini a _ o a ftp 0 * i
Sun Aug 19 22:54:06 2012 1 83.139.194.70 0 /./.././.././.././.././.././.././.././.././.././.././.././../boot.ini a _ o a ftp 0 * i
Sun Aug 19 22:54:08 2012 1 83.139.194.70 0 /boot.ini a _ o a ftp 0 * i
Sun Aug 19 22:54:09 2012 1 83.139.194.70 0 /.\..\.\..\.\..\.\..\.\..\.\..\.\..\.\..\.\..\.\..\.\..\.\..\boot.ini a _ o a ftp 0 * i
Sun Aug 19 22:54:12 2012 1 83.139.194.70 0 /../../../../../../../../../../../../boot.ini a _ o a ftp 0 * i
Sun Aug 19 22:54:13 2012 1 83.139.194.70 0 /boot.ini a _ o a ftp 0 * i
Sun Aug 19 22:54:15 2012 1 83.139.194.70 0 /\..\..\..\..\..\..\..\..\..\..\..\..\boot.ini a _ o a ftp 0 * i
Sun Aug 19 22:54:16 2012 1 83.139.194.70 0 /.../boot.ini a _ o a ftp 0 * i
It is definitely not perfect, it matches occurrences I don't understand... For example, setting the minimum number of repetitions to "{2,}", these lines were also matched:
Code:
Sun Aug 19 22:51:38 2012 1 83.139.194.70 0 /.forward a _ o a ftp 0 * i
Sun Aug 19 22:51:38 2012 1 83.139.194.70 0 /.rhosts a _ o a ftp 0 * i
These matches disappear if the value is raised to 3, but I still haven't understood why...
And then I also need to find a way to match this:
Code:
Sun Aug 19 22:53:45 2012 1 83.139.194.70 0 /..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f/etc/passwd a _ o a ftp 0 * i
Sun Aug 19 22:53:45 2012 1 83.139.194.70 0 /..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f/boot.ini a _ o a ftp 0 * i
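As an added example (not from the original post), the following Python script applies the first failregex as posted, with the repetition count as a parameter, and a corrected traversal pattern to constructed xferlog lines; it covers both the unexplained ".forward"/".rhosts" matches and the "%2f" lines, and goes beyond the post by also accepting URL-encoded dots. The <HOST> expansion is the one quoted in the filter header; the corrected pattern (SEP, DOT, TRAVERSAL) is my assumption, and 203.0.113.7 is a documentation address.

```python
import re

# fail2ban expands <HOST> to this group (quoted from the filter header in the post).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
PREFIX = r"\d+ " + HOST + r" \d+ "

def posted_regex(min_reps):
    """The first failregex as posted, with the repetition count as a parameter.

    The square brackets form a CHARACTER CLASS: one character out of the set
    ( ? : | / ) . +  repeated min_reps or more times.  Nothing in it expresses
    "separator(s) followed by dot(s)", which is why "/.forward" (two class
    characters, "/" and ".") matches at {2,} and stops matching at {3,}.
    """
    return re.compile(PREFIX + r"[(?:\|\/)\.+]{%d,}.*$" % min_reps)

# Hypothetical corrected pattern (not from the post): a non-capturing group repeated
# two or more times, each repetition being one or more separators followed by one or
# more dots; separator and dot also accept their URL-encoded forms (%2f, %5c, %2e).
SEP = r"(?:[\\/]|%2[fF]|%5[cC])"
DOT = r"(?:\.|%2[eE])"
TRAVERSAL = re.compile(PREFIX + r"(?:" + SEP + r"+" + DOT + r"+){2,}.*$")

def host_if_matched(pattern, line):
    """Return the <HOST> capture if the line matches (fail2ban uses search), else None."""
    m = pattern.search(line)
    return m.group("host") if m else None

# Constructed xferlog lines modelled on the ones quoted in the post (documentation IP).
LINES = {
    "dotfile":       "Sun Aug 19 22:51:38 2012 1 203.0.113.7 0 /.forward a _ o a ftp 0 * i",
    "plain":         "Sun Aug 19 22:53:56 2012 1 203.0.113.7 0 /pub/README.txt a _ o a ftp 0 * i",
    "backslash":     "Sun Aug 19 22:53:57 2012 1 203.0.113.7 0 /..\\..\\..\\etc/passwd a _ o a ftp 0 * i",
    "mixed":         "Sun Aug 19 22:54:06 2012 1 203.0.113.7 0 /./.././.././../etc/passwd a _ o a ftp 0 * i",
    "encoded":       "Sun Aug 19 22:53:45 2012 1 203.0.113.7 0 /..%2f..%2f..%2f/etc/passwd a _ o a ftp 0 * i",
    "fully_encoded": "Sun Aug 19 22:53:46 2012 1 203.0.113.7 0 /%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd a _ o a ftp 0 * i",
}

def compare():
    """Map each sample name to (posted {2,}, posted {3,}, corrected) match results."""
    p2, p3 = posted_regex(2), posted_regex(3)
    return {name: tuple(host_if_matched(p, line) is not None for p in (p2, p3, TRAVERSAL))
            for name, line in LINES.items()}

if __name__ == "__main__":
    for name, (r2, r3, fixed) in compare().items():
        print(f"{name:14s} posted{{2,}}={r2!s:5} posted{{3,}}={r3!s:5} corrected={fixed}")
```

If the corrected pattern is copied into a fail2ban filter file, every literal % must be written as %% because fail2ban's config reader applies %-interpolation to values.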