Somehow my proftp.log gets hit constantly, like a few 100 times by one IP. It ends in USER root (Login failed): Incorrect password
I see proftp in fail2ban Jail Logs, but nothing blocked.
How can I troubleshoot that?
Also, my sftp.log (which seems to be in /) has swollen to a massive 1.7Gb - is that a part of proftp? Does that need to be specially included in fail2ban? After it works again I mean.
For the time being I stopped the ProFTP server since I don't use it anyway.
You say you have fail2ban logs? Not sure what you mean by "Jail Logs".
Long story short, if firewalld gets restarted, you must restart fail2ban in the default configuration. grep -i notice /var/log/fail2ban.log
If you see "already banned" then it is an order thing.
OK. My bad there. sftp is part of ssh though. Since I don't use proftpd I didn't realize it used/logged like that. Since I use command line to upload I have no idea if standard GUI clients can use the openssh version instead of proftpd.
Quite interesting. I use ssh from commandline or sftp via Filezilla. I have the ftp ports blocked in the fw. But if I stop Proftp, Filezilla will not connect, just timeout.
On the mailserver that has no webmin/virtualmin/proftp it works flawlessly.
Just curious why
I think I remember reading somewhere that Debian 12 may need some modifications in fail2ban to work properly. It might have to do with where/how it logs in Debian 12. I don't have time to chase it down at the moment.
A Virtualmin system has two ways to use sftp (FTP-over-SSH). On port 22, you will find OpenSSH, which will happily interact with an sftp client, assuming the user is allowed to login with a shell. On port 2222, you will find ProFTPd offering sftp and limited in the ways ProFTPd users are (confined to their home, but without the messiness and complexity of a chroot jail).
If you're logging in on port 22, the log will be wherever OpenSSH is logging. And, that's what you'd need fail2ban to follow in order to act on those failed logins.
If you're logging in on port 2222, the log will be wherever ProFTPd is logging. And, that's what you'd need fail2ban to follow to act on those failed logins.
When you have time, grab sample log records you want to trigger fail2ban and put them in a temp file. Grab the jail.conf file you are using and run fail2ban-regex (see examples on a search) and you can quickly debug what's happening.
I used that recently to make a new jail for a bot that was hitting registration attempts faster than a human, so I detected and banned with exponential ban time if they come back. Use a regex checker to get the regex right.
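The sample-records-plus-regex check suggested above, as an added example that is not from anyone in the thread: it runs a candidate failregex over saved log lines and reports which failed logins the pattern misses, the usual reason a jail sees a log but bans nothing. The log lines, both regexes, the IPv4-only `<HOST>` stand-in and the `maxretry` value of 3 are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample records in a ProFTPD-like layout (not from the thread);
# swap in lines copied from your own log.
SAMPLE_LOG = """\
2024-05-01 10:00:01,101 host1 proftpd[4101] host1 (203.0.113.7[203.0.113.7]): USER root (Login failed): Incorrect password
2024-05-01 10:00:03,412 host1 proftpd[4102] host1 (203.0.113.7[203.0.113.7]): USER root (Login failed): Incorrect password
2024-05-01 10:00:05,900 host1 proftpd[4103] host1 (203.0.113.7[203.0.113.7]): USER root (Login failed): Incorrect password
2024-05-01 10:02:10,007 host1 proftpd[4110] host1 (198.51.100.23[198.51.100.23]): USER alice: Login successful.
2024-05-01 10:03:44,250 host1 proftpd[4115] host1 (198.51.100.9[198.51.100.9]): USER admin (Login failed): Incorrect password
"""

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only, an assumption).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical candidate patterns, not the filter shipped with fail2ban.
GOOD_REGEX = r"\(\S+\[<HOST>\]\): USER \S+ \(Login failed\): Incorrect password$"
# Anchored to a prefix the sample lines do not start with, so it never matches.
STRICT_REGEX = r"^proftpd\[\d+\]: \(\S+\[<HOST>\]\): USER \S+ \(Login failed\)"


def check_filter(log_text, failregex, maxretry=3):
    """Return (hits per IP, failed-login lines the regex missed, IPs at or over maxretry).

    The findtime window is ignored here: every line in the sample counts.
    """
    rx = re.compile(failregex.replace("<HOST>", HOST_GROUP))
    hits, missed = Counter(), []
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
        elif "Login failed" in line:
            missed.append(line)  # a failure record the filter would not see
    would_ban = sorted(ip for ip, n in hits.items() if n >= maxretry)
    return hits, missed, would_ban


if __name__ == "__main__":
    for name, rx in (("good", GOOD_REGEX), ("strict", STRICT_REGEX)):
        hits, missed, would_ban = check_filter(SAMPLE_LOG, rx)
        print(f"{name}: hits={dict(hits)} missed={len(missed)} ban={would_ban}")
```

A non-empty `missed` list means the pattern does not fit the log's actual line layout; once it is empty, confirm the same pattern against the real log with fail2ban-regex.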