Hello,
I can’t have fail2ban working with propftpd.
The reason is the strange date format in proftpd.log, for instance:
nov. 13 14:40:33 sd-25139 proftpd[16300] XXX.YYY.ZZZ (sd-24052.dedibox.fr [::ffff:88.191.132.29]): SECURITY VIOLATION: root login attempted.
The dot in nov. is guilty.
Is it any way to correct-it?
Eric
November 15, 2011, 2:50pm
2
Howdy,
It should be using the “Nov 13” format by default.
ProFTPd typically logs directly to /var/log/proftpd.log, rather than going through syslog – so you may want to review your ProFTPd config file to see if there’s something in there that’s causing the problem you’re seeing.
That would be located in /etc/proftpd/proftpd.conf.
-Eric
I have changed Default by auth in Webmin/ProFTPD Server/Logging Options/System log facility combobox and now the format date is OK.
The problem remains, any time proftpd restarts, it uses the weird defauft log format, for instance this morning (an unattended restart, logrotate??):
Dec 01 06:25:03 sd-25139 proftpd[29022] sd-25139.dedibox.fr : ProFTPD killed (signal 15)
Dec 01 06:25:03 sd-25139 proftpd[29022] sd-25139.dedibox.fr : ProFTPD 1.3.3a standalone mode SHUTDOWN
déc. 01 06:25:04 sd-25139 proftpd[23136] sd-25139.dedibox.fr : ProFTPD 1.3.3a (maint) (built Sun Nov 13 2011 22:40:44 UTC) standalone mode STARTUP
I am oblige to restart it from Webmin to restore a correct log format
déc. 01 09:39:24 sd-25139 proftpd[23136] sd-25139.dedibox.fr : ProFTPD killed (signal 15)
déc. 01 09:39:24 sd-25139 proftpd[23136] sd-25139.dedibox.fr : ProFTPD 1.3.3a standalone mode SHUTDOWN
Dec 01 09:39:25 sd-25139 proftpd[2016] sd-25139.dedibox.fr : ProFTPD 1.3.3a (maint) (built Sun Nov 13 2011 22:40:44 UTC) standalone mode STARTUP
Which config proftpd uses it when it restarts?
/etc/proftpd/proftpd.conf ends with:
SyslogFacility auth
Eric
December 4, 2011, 12:43am
5
Howdy,
Yeah, it should use "/etc/proftpd/proftpd.conf " by default.
If you run “ps auxw | grep proftp”, if you don’t see it running with a -c parameter specifying a non-default config file, it should use the default.
Then, you can run “proftpd -V” to verify what config file it’s hard-coded to use.
-Eric
It was a locale issue, proftpd/Default has some problem with fr_FR.UTF-8
The solution I have found:
I have added en_US.UTF-8 to my server
I have added the line:
export LANG=“en_US.UTF-8”
to /etc/init.d/proftpd
Ilia
April 16, 2023, 10:17am
8
The fix and explanations are here:
Alright, starting Virtualmin-Config 7.0.11 and above Fail2ban ProFTPd jail will work properly.
You can either wait until @Joe releases a new Virtualmin-Config 7.0.11 or manually apply the patch below.
Either way, all existing installation to address this issue should run the following command:
virtualmin-config-system -i Fail2banFirewalld