Fail2ban and proftpd are not working

SYSTEM INFORMATION
OS type and version Debian 11
Webmin version 2.001
Virtualmin version 7.3-1

Hi there,

I see that fail2ban does not operate well on Debian 11 and Virtualmin after a fresh install. The jail filter for proftpd seems to get totally ignored.

    ~# fail2ban-client status proftpd
    Status for the jail: proftpd
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed: 0
    |  `- Journal matches: _SYSTEMD_UNIT=proftpd.service
    `- Actions
       |- Currently banned: 0
       |- Total banned: 0
       `- Banned IP list:

Filter Action Jails: proftpd is activated

I have FTP logins from scripts like every second but nothing happens …

Probably some problems with systemd?

@croconx,

Are you using iptables for firewall or firewalld?


I am using iptables for the firewall, but I see that firewalld is also running.

@croconx,

You need to choose one not both. If firewalld is installed and running it is likely what manages the firewall.

That being said, adjust your fail2ban rule to make a firewalld block as it’s presently making an iptables one.

See if that helps.

Well, the idea was good so far, since it seems that every time firewalld was started, it overwrote the iptables jail. I de-installed firewalld and checked the configuration for fail2ban so it just uses iptables.

Fail2ban is running, it works fine with the jails for postfix-sasl and pam-generic, but it is totally ignoring the login attempts in proftpd that are logged in proftpd.log.

fail2ban-client -vvvvvv status proftpd

  • 35 7F899438E740 fail2ban.configreader INFO | configreader-20: read | Loading configs for fail2ban under /etc/fail2ban
  • 36 7F899438E740 fail2ban.configreader DEBUG | configreader-10: read | Reading configs for fail2ban under /etc/fail2ban
  • 36 7F899438E740 fail2ban.configreader DEBUG | configreader-10: read | Reading config files: /etc/fail2ban/fail2ban.conf, /etc/fail2ban/fail2ban.local
  • 36 7F899438E740 fail2ban.configparserinc INFO | configparserinc-20: read | Loading files: ['/etc/fail2ban/fail2ban.conf']
  • 36 7F899438E740 fail2ban.configparserinc TRACE | configparserinc-7 : read | Reading file: /etc/fail2ban/fail2ban.conf
  • 37 7F899438E740 fail2ban.configparserinc INFO | configparserinc-20: read | Loading files: ['/etc/fail2ban/fail2ban.local']
  • 37 7F899438E740 fail2ban.configparserinc TRACE | configparserinc-7 : read | Reading file: /etc/fail2ban/fail2ban.local
  • 37 7F899438E740 fail2ban.configparserinc INFO | configparserinc-20: read | Loading files: ['/etc/fail2ban/fail2ban.conf', '/etc/fail2ban/fail2ban.local']
  • 37 7F899438E740 fail2ban.configparserinc TRACE | configparserinc-7 : _getSharedSCPWI | Shared file: /etc/fail2ban/fail2ban.conf
  • 37 7F899438E740 fail2ban.configparserinc TRACE | configparserinc-7 : _getSharedSCPWI | Shared file: /etc/fail2ban/fail2ban.local
  • 37 7F899438E740 fail2ban INFO | fail2bancmdline-20: initCmdLine | Using socket file /var/run/fail2ban/fail2ban.sock
  • 37 7F899438E740 fail2ban INFO | fail2bancmdline-20: initCmdLine | Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to /var/log/fail2ban.log
  • 37 7F899438E740 fail2ban HEAVY | fail2banclient-5 : __processCmd | CMD: ['status', 'proftpd']
  • 38 7F899438E740 fail2ban HEAVY | fail2banclient-5 : __processCmd | OK : [('Filter', [('Currently failed', 0), ('Total failed', 0), ('Journal matches', ['_SYSTEMD_UNIT=proftpd.service'])]), ('Actions', [('Currently banned', 0), ('Total banned', 0), ('Banned IP list', [])])]
  • 38 7F899438E740 fail2ban.beautifier HEAVY | beautifier-5 : beautify | Beautify [('Filter', [('Currently failed', 0), ('Total failed', 0), ('Journal matches', ['_SYSTEMD_UNIT=proftpd.service'])]), ('Actions', [('Currently banned', 0), ('Total banned', 0), ('Banned IP list', [])])] with ['status', 'proftpd']
    Status for the jail: proftpd
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed: 0
    |  `- Journal matches: _SYSTEMD_UNIT=proftpd.service
    `- Actions
       |- Currently banned: 0
       |- Total banned: 0
       `- Banned IP list:
  • 38 7F899438E740 fail2ban DEBUG | fail2bancmdline-10: exit | Exit with code 0

It looks to me like it either does not know what to look for or is totally ignoring the proftpd.log via systemd.

Okay, fail2ban does not get any stuff from /var/log/proftpd/proftpd.log.
I see the proftpd.log flooded from one IP address with login attempts that all end up with

USER XYZ: no such user found from 154...99 [154...99] to 148...***:21

No reaction in the fail2ban log, so either fail2ban does not see what is happening in proftpd or the regular expressions aren’t working (tried many … nothing).

Any ideas left? Thanks

@croconx - I have iptables running (on Ubuntu but Debian shouldn’t be much different), admittedly I set it up manually.

Have a read of the following and you should be able to edit\adjust the necessary files:

Then look at the pages in Virtualmin and see how the relevant fields look and compare to how they looked originally (when you couldn’t get the jail to work) and you should see what was the underlying cause.


Okay,

I worked it out.

proftpd is not logging to systemd, so that is why fail2ban does not see any stuff it should maybe ban.
You have to edit jail.local from fail2ban for proftpd, for example like this (set logpath to the specific path, change the backend to polling, and journalmatch has to be empty), so that the proftpd-specific log file is used instead:

[proftpd]

enabled = true
port = ftp,ftp-data,ftps,ftps-data
action = iptables-allports[name=FTP_BLOCK, port=0:65535, protocol=tcp]
logpath = /var/log/proftpd/proftpd.log
backend = polling
maxretry = 3
findtime = 3600
bantime = 3600
journalmatch =
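
A check for the mismatch described in the post above, as an added example that is not part of the original thread: it reads saved `fail2ban-client status` output and a proftpd log file, and flags a jail that watches the journal while failed logins accumulate in the file. The function names, the log-line prefix and the documentation-range addresses are constructed for illustration.

```shell
# Added example (not from the thread): spot a jail that watches the journal
# while the daemon writes its failures to a plain log file.

# Where does the jail read from? Input: `fail2ban-client status <jail>` on stdin.
# Journal-backed jails print "Journal matches:", file-backed ones "File list:".
jail_source() {
    awk -F': *' '
        /Journal matches:/ { print "journal " $2; found = 1; exit }
        /File list:/       { print "file " $2;    found = 1; exit }
        END { if (!found) print "unknown" }'
}

# Print "<count> <ip>" for clients with >= $2 failed-user lines in log file $1.
noisy_clients() {
    grep -F 'no such user found from' "$1" |
        sed -E 's/.*no such user found from [^ ]+ \[([^]]+)\].*/\1/' |
        sort | uniq -c | awk -v min="$2" '$1 >= min { print $1, $2 }'
}

# $1 = saved status output, $2 = proftpd log file, $3 = maxretry
diagnose() {
    src=$(jail_source < "$1")
    hits=$(noisy_clients "$2" "$3" | wc -l | tr -d ' ')
    if [ "${src%% *}" = journal ] && [ "$hits" -gt 0 ]; then
        echo "MISMATCH: jail reads journal (${src#journal }), $hits client(s) over maxretry in $2"
    else
        echo "OK: source=${src%% *}, clients over maxretry in file=$hits"
    fi
}

# Constructed sample input: status text shaped like the output in this thread,
# and log lines using documentation-range addresses.
STATUS_SAMPLE=$(mktemp); LOG_SAMPLE=$(mktemp)
cat > "$STATUS_SAMPLE" <<'EOF'
Status for the jail: proftpd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- Journal matches: _SYSTEMD_UNIT=proftpd.service
`- Actions
   |- Currently banned: 0
EOF
for i in 1 2 3 4; do
    echo "proftpd[2211]: USER test$i: no such user found from 203.0.113.7 [203.0.113.7] to 198.51.100.10:21"
done > "$LOG_SAMPLE"
echo "proftpd[2211]: USER bob: no such user found from 192.0.2.44 [192.0.2.44] to 198.51.100.10:21" >> "$LOG_SAMPLE"

diagnose "$STATUS_SAMPLE" "$LOG_SAMPLE" 3
```

On a live host, save the output of `fail2ban-client status proftpd` to a file and pass `/var/log/proftpd/proftpd.log` as the second argument. After switching the jail to the log file, `fail2ban-regex /var/log/proftpd/proftpd.log /etc/fail2ban/filter.d/proftpd.conf` shows whether the filter matches those lines.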
