Proftpd and fail2ban

jeromelpv · November 15, 2011, 11:08am

Hello,

I can’t have fail2ban working with propftpd.

The reason is the strange date format in proftpd.log, for instance:

nov. 13 14:40:33 sd-25139 proftpd[16300] XXX.YYY.ZZZ (sd-24052.dedibox.fr[::ffff:88.191.132.29]): SECURITY VIOLATION: root login attempted.

The dot in nov. is guilty.

Is it any way to correct-it?

Eric · November 15, 2011, 2:50pm

Howdy,

It should be using the “Nov 13” format by default.

ProFTPd typically logs directly to /var/log/proftpd.log, rather than going through syslog – so you may want to review your ProFTPd config file to see if there’s something in there that’s causing the problem you’re seeing.

That would be located in /etc/proftpd/proftpd.conf.

-Eric

jeromelpv · November 15, 2011, 3:01pm

I have changed Default by auth in Webmin/ProFTPD Server/Logging Options/System log facility combobox and now the format date is OK.

jeromelpv · December 1, 2011, 9:04am

The problem remains, any time proftpd restarts, it uses the weird defauft log format, for instance this morning (an unattended restart, logrotate??):

Dec 01 06:25:03 sd-25139 proftpd[29022] sd-25139.dedibox.fr: ProFTPD killed (signal 15)

Dec 01 06:25:03 sd-25139 proftpd[29022] sd-25139.dedibox.fr: ProFTPD 1.3.3a standalone mode SHUTDOWN

dÃ©c. 01 06:25:04 sd-25139 proftpd[23136] sd-25139.dedibox.fr: ProFTPD 1.3.3a (maint) (built Sun Nov 13 2011 22:40:44 UTC) standalone mode STARTUP

I am oblige to restart it from Webmin to restore a correct log format

dÃ©c. 01 09:39:24 sd-25139 proftpd[23136] sd-25139.dedibox.fr: ProFTPD killed (signal 15)

dÃ©c. 01 09:39:24 sd-25139 proftpd[23136] sd-25139.dedibox.fr: ProFTPD 1.3.3a standalone mode SHUTDOWN

Dec 01 09:39:25 sd-25139 proftpd[2016] sd-25139.dedibox.fr: ProFTPD 1.3.3a (maint) (built Sun Nov 13 2011 22:40:44 UTC) standalone mode STARTUP

Which config proftpd uses it when it restarts?

/etc/proftpd/proftpd.conf ends with:

SyslogFacility auth

Eric · December 4, 2011, 12:43am

Howdy,

Yeah, it should use "/etc/proftpd/proftpd.conf " by default.

If you run “ps auxw | grep proftp”, if you don’t see it running with a -c parameter specifying a non-default config file, it should use the default.

Then, you can run “proftpd -V” to verify what config file it’s hard-coded to use.

-Eric

jeromelpv · December 5, 2011, 2:40pm

It was a locale issue, proftpd/Default has some problem with fr_FR.UTF-8

The solution I have found:

I have added en_US.UTF-8 to my server
I have added the line:

export LANG=“en_US.UTF-8”

to /etc/init.d/proftpd

Ilia · April 16, 2023, 10:17am

The fix and explanations are here: