Proftpd and fail2ban

Hello,

I can’t have fail2ban working with propftpd.

The reason is the strange date format in proftpd.log, for instance:

nov. 13 14:40:33 sd-25139 proftpd[16300] XXX.YYY.ZZZ (sd-24052.dedibox.fr[::ffff:88.191.132.29]): SECURITY VIOLATION: root login attempted.

The dot in nov. is guilty.

Is it any way to correct-it?

Howdy,

It should be using the “Nov 13” format by default.

ProFTPd typically logs directly to /var/log/proftpd.log, rather than going through syslog – so you may want to review your ProFTPd config file to see if there’s something in there that’s causing the problem you’re seeing.

That would be located in /etc/proftpd/proftpd.conf.

-Eric

I have changed Default by auth in Webmin/ProFTPD Server/Logging Options/System log facility combobox and now the format date is OK.

The problem remains, any time proftpd restarts, it uses the weird defauft log format, for instance this morning (an unattended restart, logrotate??):

Dec 01 06:25:03 sd-25139 proftpd[29022] sd-25139.dedibox.fr: ProFTPD killed (signal 15)

Dec 01 06:25:03 sd-25139 proftpd[29022] sd-25139.dedibox.fr: ProFTPD 1.3.3a standalone mode SHUTDOWN

déc. 01 06:25:04 sd-25139 proftpd[23136] sd-25139.dedibox.fr: ProFTPD 1.3.3a (maint) (built Sun Nov 13 2011 22:40:44 UTC) standalone mode STARTUP

I am oblige to restart it from Webmin to restore a correct log format

déc. 01 09:39:24 sd-25139 proftpd[23136] sd-25139.dedibox.fr: ProFTPD killed (signal 15)

déc. 01 09:39:24 sd-25139 proftpd[23136] sd-25139.dedibox.fr: ProFTPD 1.3.3a standalone mode SHUTDOWN

Dec 01 09:39:25 sd-25139 proftpd[2016] sd-25139.dedibox.fr: ProFTPD 1.3.3a (maint) (built Sun Nov 13 2011 22:40:44 UTC) standalone mode STARTUP

Which config proftpd uses it when it restarts?

/etc/proftpd/proftpd.conf ends with:

SyslogFacility auth

Howdy,

Yeah, it should use "/etc/proftpd/proftpd.conf " by default.

If you run “ps auxw | grep proftp”, if you don’t see it running with a -c parameter specifying a non-default config file, it should use the default.

Then, you can run “proftpd -V” to verify what config file it’s hard-coded to use.

-Eric

It was a locale issue, proftpd/Default has some problem with fr_FR.UTF-8

The solution I have found:

  1. I have added en_US.UTF-8 to my server

  2. I have added the line:

export LANG=“en_US.UTF-8”

to /etc/init.d/proftpd