Anyone using CSF/LFD firewall with Virtualmin?

Hello,

Is anyone here using CSF firewall with the LFD module enabled for blocking failed login attempts?
I have LFD enabled but it not seem to block the FTP failed logins.
Can someone please share his/hers FTP regex as the default that comes with CSF does not seem to work?

I am running ProFTPD and my loggin format is as follows:

Define the log formats

LogFormat default “%h %l %u %t “%r” %s %b”
LogFormat auth “%v [%P] %h %t “%r” %s”

N

I use CSF with Virtualmin… but can’t find any file that has the word “LogFormat” in it.

Is your LFD blocking failed FTP logins?

The LogFormat is within the proFTPD configuration file /etc/proftpd.conf.

I have not touched the original files of the OS or the CSF/LFD

Please let me know.
tnx

I explained this about a month ago, see here:

https://www.virtualmin.com/node/13841#comment-124467

Unfortunately, comment linking (like so many other things) doesn’t work properly on this forum. Please scroll down to my post dated “2013-11-14 11:24”.

Thank you for that. Very helpful.

My ftp logging was done in /var/log/messages so I switched that to /var/log/proftpd/proftpd.log and declared it within the CSF configuration. LFD is now watching that file instead.

By the way do you know why the IPs are showing with the ::ffff: in front? >>>

Nov 26 16:02:52 myhost.mydomain.com proftpd[7915] 1.1.1.1 (::ffff:2.2.2.2[::ffff:2.2.2.2]): FTP session closed.

where 1.1.1.1 is my server IP & 2.2.2.2 is the client IP connecting via FTP

Locutus,

I have an update on this.
I have enabled watching this log for banning failed FTP logins: FTPD_LOG = “/var/log/proftpd/proftpd.log”, however although IT DOES block successfully failed FTP logins of UNKNOWN users, it does not block failed ftp logins of existing users and WRONG password.

Can you please confirm if your setup is actually blocking both?

As a reminder only, I am using Centos 6.4, CSF/LFD latest 6.38 with default code (nothing changed apart from the FTPD_LOG value) and ProFTPD 1.33 (as installed by virtualmin script).

The failed login inside the log appears as follows:

Dec 12 10:31:57 myserverhostname.mydomain.com proftpd[27209] 1.1.1.1 (::ffff:2.2.2.2[::ffff:2.2.2.2.]): USER realusername (Login failed): Incorrect password.

where 1.1.1.1 is the server IP and 2.2.2.2 is the client connecting.

@netizen: You are right, there seems to be an error in LFD’s default regular expressions for ProFTPD.

You can fix that by going to /usr/local/csf/bin/regex.pm, find the line that says “USER (\S*) (Login failed): Incorrect password” under the ProFTPD block, and remove the dash and the space before the word USER.

Thank you very much Locutus. This was INDEED the solution.

By the way, do you know what is the following regex protecting from?

if (($config{LF_FTPD}) and ($lgfile eq $config{FTPD_LOG}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\)( -)?:? - SECURITY VIOLATION/)) {
        $ip = $2; $acc = ""; $ip =~ s/^::ffff://; $acc =~ s/:$//g;
		if (&checkip($ip)) {return ("Failed FTP login from","$ip|$acc","ftpd")} else {return}

I would like if possible to emulate that condition in order to check if it will be banned from CSF/LFD.

Well, seemingly it triggers when ProFTPD logs the text “SECURITY VIOLATION”. I don’t know though under which circumstances it does that - Google might know the answer. :wink: