I see that fail2ban does not operate well on Debian 11 and Virtualmin after a fresh install. The jail filter for proftpd seems to get totally ignored.
```
~# fail2ban-client status proftpd
Status for the jail: proftpd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=proftpd.service
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
```
Well, the idea was good so far, since it seems that every time firewalld was started, it overwrote the iptables jail. I de-installed firewalld and checked the configuration for fail2ban so it just uses iptables.
Fail2ban is running; it works fine with the jails for postfix-sasl and pam-generic but is totally ignoring the login attempts in proftpd that are logged in proftpd.log.
```
~# fail2ban-client -vvvvvv status proftpd
35 7F899438E740 fail2ban.configreader INFO | configreader-20: read | Loading configs for fail2ban under /etc/fail2ban
36 7F899438E740 fail2ban.configreader DEBUG | configreader-10: read | Reading configs for fail2ban under /etc/fail2ban
```
Okay, fail2ban does not get any stuff from /var/log/proftpd/proftpd.log.
I see the proftpd.log flooded from one IP address with login attempts that all end up with:
```
USER XYZ: no such user found from 154...99 [154...99] to 148...***:21
```
No reaction in the fail2ban log, so either fail2ban does not see what is happening in proftpd or the regular expressions aren’t working (tried many … nothing).
@croconx - I have iptables running (on Ubuntu, but Debian shouldn’t be much different); admittedly I set it up manually.
Have a read of the following and you should be able to edit/adjust the necessary files:
Then look at the pages in Virtualmin and see how the relevant fields look and compare to how they looked originally (when you couldn’t get the jail to work) and you should see what was the underlying cause.
proftpd is not logging to systemd, so that is why fail2ban does not see any stuff it should maybe ban.
You have to edit jail.local from fail2ban for proftpd, for example like this (provide logpath to the specific path, change the backend to polling, and journalmatch has to be empty), so that the proftpd-specific log file is used instead.
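The jail.local stanza the fix describes, written out as an added example that is not the poster's own file. The log path is the one named in the thread; the file location and the assumption that the shipped Debian defaults point this jail at the systemd journal (which is what the "Journal matches" line in the status output above indicates) are mine.

```ini
# /etc/fail2ban/jail.local (added example; not the poster's configuration)
# Overrides the shipped [proftpd] defaults so the jail reads proftpd's own
# log file instead of the systemd journal, which proftpd here never writes to.
[proftpd]
enabled      = true
# Read the log file directly rather than querying systemd.
backend      = polling
# Path proftpd actually writes to (from the thread above).
logpath      = /var/log/proftpd/proftpd.log
# Cleared as described; with a file backend this key is not consulted anyway.
journalmatch =
```

After `fail2ban-client reload proftpd`, two checks tell you whether the change took: `fail2ban-client status proftpd` should now list a "File list" entry with the log path in place of "Journal matches", and `fail2ban-regex /var/log/proftpd/proftpd.log proftpd` runs the shipped proftpd filter over the real log and reports how many of the "no such user found" lines it matches, which separates a backend problem from a regex problem without waiting for a ban.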