Fail2Ban not blocking login attempts from ProFTP

SYSTEM INFORMATION
OS type and version Debian 12
Virtualmin version 7.30.4

Somehow my proftp.log gets hit constantly, like a few hundred times by one IP. It ends in: USER root (Login failed): Incorrect password

I see proftp in fail2ban Jail Logs, but nothing blocked.

How can I troubleshoot that?

Also, my sftp.log (which seems to be in /) has swollen to a massive 1.7 GB. Is that a part of proftp? Does that need to be specially included in fail2ban? After it works again, I mean.

For the time being I stopped the ProFTP server since I don’t use it anyway.

You say you have fail2ban logs? Not sure what you mean by “Jail Logs”.
Long story short, if firewalld gets restarted, you must restart fail2ban in the default configuration.
grep -i notice /var/log/fail2ban.log
If you see ‘already banned’ then it is an order thing.

Isn’t it on rotate? Just checked on the weekly. Maybe disable proftp until sorted. Looks like an attack.

Double check it’s working. Even with a lot of errors it shouldn’t get that big.

Is it activated?


Sorry, Jail blocks (due to human memory issue :wink:)

Mhm, /var/log/proftpd/sftp.log was not in logrotate. I will add it.
For now ProFTP is disabled. I rarely need it anyway.

In Filter Action Jails ProFTP is on [yes] - activated.

Added note: ProFTP was NOT in Dashboard > Server Status (I recall it was listed in my old old old virtualmin).

I think sftp is part of ssh so don’t confuse it with proftp.

To me it looks like it’s part of ProFTP though: /var/log/proftpd/sftp.log

After I disabled ProFTP yesterday I deleted the sftp.log (1.7 GB) and so far it didn’t build a new one.

OK. My bad there. sftp is part of ssh though. Since I don’t use proftpd I didn’t realize it used/logged like that. Since I use command line to upload I have no idea if standard GUI clients can use the openssh version instead of proftpd.

Quite interesting. I use ssh from the command line or sftp via Filezilla. I have the ftp ports blocked in the fw. But if I stop ProFTP, Filezilla will not connect, it just times out.
On the mail server that has no webmin/virtualmin/proftp it works flawlessly.
Just curious why.

I think I remember reading somewhere that Debian 12 may need some modifications in fail2ban to work properly. It might have to do with where/how it logs in Debian 12. I don’t have time to chase it down at the moment.

A Virtualmin system has two ways to use sftp (FTP-over-SSH). On port 22, you will find OpenSSH, which will happily interact with an sftp client, assuming the user is allowed to login with a shell. On port 2222, you will find ProFTPd offering sftp and limited in the ways ProFTPd users are (confined to their home, but without the messiness and complexity of a chroot jail).

If you’re logging in on port 22, the log will be wherever OpenSSH is logging. And, that’s what you’d need fail2ban to follow in order to act on those failed logins.

If you’re logging in on port 2222, the log will be wherever ProFTPd is logging. And, that’s what you’d need fail2ban to follow to act on those failed logins.

OK. This is useful information I didn’t know about ProFTPd.

Unless you have changed the ssh port to something else, replace 22 with the actual ssh port.

Just for clarity, that won’t change the logging.

When you have time, grab sample log records you want to trigger fail2ban and put them in a temp file. Grab the jail.conf file you are using and run fail2ban-regex (see examples on a search) and you can quickly debug what’s happening.

I used that recently to make a new jail for a bot that was hitting registration attempts faster than a human, so I detected and banned with exponential ban time if they come back. Use a regex checker to get the regex right.
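To make concrete what the two replies above mean (the jail must follow the log file that actually carries the failure lines, and fail2ban-regex is how you prove the filter matches them), here is an added example. It is my own code, not from this thread and not fail2ban's or ProFTPd's: a miniature of fail2ban's failregex plus findtime/maxretry sliding window, run over constructed log lines. The `USER root (Login failed): Incorrect password` text and the sftp.log connection-line format are taken from the thread; the `host (client[IP]):` prefix on the proftpd.log lines, the server address 198.51.100.7, the second client 198.51.100.20 and the helper names are assumptions made for the example.

```python
"""Added example (not from the thread, not fail2ban's or ProFTPd's own code):
a miniature of fail2ban's failregex + findtime/maxretry logic, run over
constructed log lines, to show why a jail only bans when it follows the
log file that actually contains the failure lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Timestamp prefix as ProFTPd writes it in the sftp.log lines quoted in the thread.
TS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} ")

# Failed-login line. The "USER <name> (Login failed): Incorrect password" tail is
# from the thread; the "host (client[IP]):" prefix before it is an ASSUMPTION here
# (the usual proftpd.log layout, and what a proftpd failregex keys on for <HOST>).
LOGIN_FAILED_RE = re.compile(
    r"\(\S+\[(?P<host>[0-9a-fA-F.:]+)\]\)[: -]+USER \S+ \(Login failed\): "
)

# Connection record as it appears in the thread's sftp.log sample (IPv4 client).
SFTP_CONNECT_RE = re.compile(r"client \((?P<host>[0-9.]+):\d+\) connected to server")


def _fail(ts, ip, user):
    """Build one CONSTRUCTED proftpd.log failure line (sample data, not real traffic)."""
    return f"{ts} srv proftpd[1748855] srv ({ip}[{ip}]): USER {user} (Login failed): Incorrect password"


# Constructed proftpd.log: six failures 3 s apart from one IP, two far-apart ones from another.
PROFTPD_LOG = [_fail(f"2025-02-19 00:08:{16 + 3 * i:02d},101", "47.75.250.176", "root") for i in range(6)]
PROFTPD_LOG += [
    _fail("2025-02-19 00:08:30,500", "203.0.113.9", "admin"),
    _fail("2025-02-19 00:40:00,000", "203.0.113.9", "admin"),
]

# Constructed sftp.log: connection records in the thread's format (server address assumed).
# They show who is hammering port 2222 but contain no "Login failed" text for a failregex.
SFTP_LOG = [
    "2025-02-19 00:08:14,852 mod_sftp/1.1.1[1748855]: using '/etc/proftpd/ssh_host_ecdsa_key' as 256-bit ECDSA hostkey (256 bits)",
    "2025-02-19 00:08:14,854 mod_sftp/1.1.1[1748855]: client (47.75.250.176:34940) connected to server (::ffff:198.51.100.7:2222) [session ID Z7Ug7oL/TaEvS/qwABqvd02K]",
    "2025-02-19 00:08:18,774 mod_sftp/1.1.1[1748894]: client (47.75.250.176:34988) connected to server (::ffff:198.51.100.7:2222) [session ID aaaaaaaaaaaaaaaaaaaaaaaa]",
    "2025-02-19 00:09:01,010 mod_sftp/1.1.1[1748950]: client (198.51.100.20:51000) connected to server (::ffff:198.51.100.7:2222) [session ID bbbbbbbbbbbbbbbbbbbbbbbb]",
]


def parse_ts(line):
    """Return the line's timestamp at second resolution, or None if it has none."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S") if m else None


def find_bans(lines, maxretry=5, findtime=600):
    """fail2ban's rule in miniature: ban an IP once it has maxretry failregex hits
    inside a sliding findtime window (seconds). Returns {ip: "YYYY-mm-dd HH:MM:SS"}
    keyed by the time the ban would have fired."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)  # ip -> timestamps of its recent failures
    banned = {}
    for line in lines:
        m = LOGIN_FAILED_RE.search(line)
        ts = parse_ts(line)
        if not m or ts is None:
            continue
        ip = m.group("host")
        if ip in banned:  # further hits from a banned IP: fail2ban logs "already banned"
            continue
        q = hits[ip]
        q.append(ts)
        while ts - q[0] > window:  # forget hits older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts.strftime("%Y-%m-%d %H:%M:%S")
    return banned


def sftp_connections(lines):
    """Count sftp.log connection records per client IP: evidence of the hammering,
    but nothing a proftpd failregex can match."""
    counts = defaultdict(int)
    for line in lines:
        m = SFTP_CONNECT_RE.search(line)
        if m:
            counts[m.group("host")] += 1
    return dict(counts)


if __name__ == "__main__":
    print("bans from proftpd.log:", find_bans(PROFTPD_LOG))
    print("bans from sftp.log:   ", find_bans(SFTP_LOG))
    print("sftp.log connections: ", sftp_connections(SFTP_LOG))
```

Run it and compare the two results: the proftpd.log lines produce a ban for 47.75.250.176 at its fifth failure inside the window, while the sftp.log lines produce no ban at all even though they show the same IP connecting over and over. That is the situation the thread describes: a jail whose logpath points at a file without the failure lines, or whose failregex does not match what that file contains, can look active and still never ban. fail2ban-regex does exactly this matching step for you when you hand it a sample file and the filter, so check that first before looking at firewalld ordering.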

A little update: with ProFTP server OFF there is no sftp.log activity.

Right now ProFTP was running again, for 2 days apparently (creating 47 MB of log data). I didn’t switch it ON. Do some updates switch ProFTP ON?

Again I get 100+ entries of the same IP. A random sample (1 of 25000 from 3 days’ log data) from sftp.log:

2025-02-19 00:08:14,852 mod_sftp/1.1.1[1748855]: using '/etc/proftpd/ssh_host_ecdsa_key' as 256-bit ECDSA hostkey (256 bits)
2025-02-19 00:08:14,854 mod_sftp/1.1.1[1748855]: client (47.75.250.176:34940) connected to server (::ffff:130.255.77.161:2222) [session ID Z7Ug7oL/TaEvS/qwABqvd02K]
2025-02-19 00:08:14,855 mod_sftp/1.1.1[1748855]: sent server version 'SSH-2.0-mod_sftp'
2025-02-19 00:08:15,893 mod_sftp/1.1.1[1748855]: received client version 'SSH-2.0-Go'
2025-02-19 00:08:15,893 mod_sftp/1.1.1[1748855]: handling connection from SSH2 client 'Go'
2025-02-19 00:08:15,893 mod_sftp/1.1.1[1748855]:  + Session key exchange: curve25519-sha256@libssh.org
2025-02-19 00:08:15,893 mod_sftp/1.1.1[1748855]:  + Session host key algorithm: ecdsa-sha2-nistp256
2025-02-19 00:08:15,893 mod_sftp/1.1.1[1748855]:  + Session server hostkey: ecdsa-sha2-nistp256
2025-02-19 00:08:15,893 mod_sftp/1.1.1[1748855]:  + Session client-to-server encryption: aes128-ctr
2025-02-19 00:08:15,893 mod_sftp/1.1.1[1748855]:  + Session server-to-client encryption: aes128-ctr
2025-02-19 00:08:15,893 mod_sftp/1.1.1[1748855]:  + Session client-to-server MAC: hmac-sha2-256-etm@openssh.com
2025-02-19 00:08:15,893 mod_sftp/1.1.1[1748855]:  + Session server-to-client MAC: hmac-sha2-256-etm@openssh.com
2025-02-19 00:08:15,893 mod_sftp/1.1.1[1748855]:  + Session client-to-server compression: none
2025-02-19 00:08:15,893 mod_sftp/1.1.1[1748855]:  + Session server-to-client compression: none
2025-02-19 00:08:18,772 mod_sftp/1.1.1[1748894]: using '/etc/proftpd/ssh_host_ecdsa_key' as 256-bit ECDSA hostkey (256 bits)

No cron entry:

crontab -l
sudo crontab -l
sudo ls /etc/cron.*
0,5,10,15,20,25,30,35,40,45,50,55 * * * * /etc/webmin/status/monitor.pl >/dev/null 2>&1
17 17 * * * /etc/webmin/virtualmin-awstats/awstats.pl d1.com
38 20 * * * /etc/webmin/virtualmin-awstats/awstats.pl d2.com
19 15 * * * /etc/webmin/virtualmin-awstats/awstats.pl d3.com
0,5,10,15,20,25,30,35,40,45,50,55 * * * * /etc/webmin/status/monitor.pl >/dev/null 2>&1
17 17 * * * /etc/webmin/virtualmin-awstats/awstats.pl d1.com
38 20 * * * /etc/webmin/virtualmin-awstats/awstats.pl d2.com
19 15 * * * /etc/webmin/virtualmin-awstats/awstats.pl d3.com
/etc/cron.d:
awstats  certbot  e2scrub_all  ntpsec  php

/etc/cron.daily:
apache2  apt-compat  dpkg  etckeeper  fstrim  logrotate  man-db  quota  spamassassin

/etc/cron.hourly:

/etc/cron.monthly:

/etc/cron.weekly:
man-db

/etc/cron.yearly:

Can I add a daily cron to close proftp? And I still like to add some banning action to fail2ban.

No.

Have you disabled the proftpd service? Merely stopping it will not prevent it from starting again on reboot.

I simply switch it off. Not sure how often the server reboots. Maybe it does after some upgrades? But since I do the upgrades manually I can easily have an eye on that.
Is there a way to show the proFTP status on the Dashboard?

Not automatically.

If you don’t want it to start, you should disable it. You can do that in Webmin->System->Bootup and Shutdown.

If you’re using Virtualmin, and if the FTP feature is enabled, it should already be in the dashboard.

But, if you don’t want it running, you should just disable it and stop it, and then you don’t need to care about it being in the dashboard.

Right, it was on Yes. Will keep an eye on it.