ProFTPD not logging

The fail2ban jail for proftpd seems to be enabled by default but it does not do anything.

I could not find any ftp related login messages

So I set

SystemLog /var/log/proftpd/proftpd.log

in the proftpd config, but it only creates the file and does not write anything to it, not even if I set the level to DEBUG.

It does write a tls.log with data.

Anyone know what might be going on?

You're not giving much info on your system setup. Is this Webmin or Virtualmin? What OS, etc.?

Virtualmin on Almalinux 9. This is the config file:

# Load DSO modules as required
Include /etc/proftpd/conf.d

# Server Config - config used for anything outside a <VirtualHost> or <Global> context
# See: http://www.proftpd.org/docs/howto/Vhost.html

# Trace logging, disabled by default for performance reasons
# (http://www.proftpd.org/docs/howto/Tracing.html)
#TraceLog			/var/log/proftpd/trace.log
#Trace				DEFAULT:0

ServerName			"ProFTPD server"
ServerIdent on "Oh Hi!"
ServerAdmin			xxx@xxxxcom
DefaultServer on

# Cause every FTP user except adm to be chrooted into their home directory
DefaultRoot			~ !adm

# Use pam to authenticate (default) and be authoritative
AuthPAMConfig			proftpd
AuthOrder			mod_auth_pam.c* mod_auth_unix.c
# If you use NIS/YP/LDAP you may need to disable PersistentPasswd
#PersistentPasswd		off

# Don't do reverse DNS lookups (hangs on DNS problems)
UseReverseDNS off

# Set the user and group that the server runs as
User				nobody
Group				nobody

# To prevent DoS attacks, set the maximum number of child processes
# to 20.  If you need to allow more than 20 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode; in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 20

# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile			off

# Define the log formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"

# Don't log hostname or timestamps because systemd will do that for us
LogOptions			-Timestamp -Hostname +RoleBasedProcessLabels

# Enable basic controls via ftpdctl
# (http://www.proftpd.org/docs/modules/mod_ctrls.html)
ControlsEngine			on
ControlsACLs			all allow user root
ControlsSocketACL		allow user *
ControlsLog			/var/log/proftpd/controls.log

# Enable admin controls via ftpdctl
# (http://www.proftpd.org/docs/contrib/mod_ctrls_admin.html)
<IfModule mod_ctrls_admin.c>
  AdminControlsEngine		on
  AdminControlsACLs		all allow user root
</IfModule>

# Enable mod_vroot by default for better compatibility with PAM
# (http://bugzilla.redhat.com/506735)
<IfModule mod_vroot.c>
  VRootEngine			on
</IfModule>

# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
# Enable this with PROFTPD_OPTIONS=-DTLS in /etc/sysconfig/proftpd
<IfDefine TLS>
Include /etc/proftpd/mod_tls.conf
</IfDefine>

# Dynamic ban lists (http://www.proftpd.org/docs/contrib/mod_ban.html)
# Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
<IfModule mod_ban.c>
Include /etc/proftpd/mod_ban.conf
</IfModule>

# Set networking-specific "Quality of Service" (QoS) bits on the packets used
# by the server (http://www.proftpd.org/docs/contrib/mod_qos.html)
<IfModule mod_qos.c>
Include /etc/proftpd/mod_qos.conf
</IfModule>

# Global Config - config common to Server Config and all virtual hosts
# See: http://www.proftpd.org/docs/howto/Vhost.html
<Global>

  # Umask 022 is a good standard umask to prevent new dirs and files
  # from being group and world writable
  Umask				022

  # Allow users to overwrite files and change permissions
  AllowOverwrite		yes
DefaultRoot ~


</Global>
TLSCACertificateFile /etc/proftpd.ca
SystemLog /var/log/proftpd/proftpd.log

# A basic anonymous configuration, with an upload directory
# Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd
<IfDefine ANONYMOUS_FTP>
Include /etc/proftpd/anonftp.conf
</IfDefine>

# Include other custom configuration files


And this is the other virtualmin conf for it:

<Global>
  PassivePorts 49152 65535
AllowOverwrite on
RootLogin off
</Global>
# chroot users into their home by default
DefaultRoot ~

# Enable TLS
LoadModule mod_tls.c
TLSEngine on
TLSRequired                   on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/private/proftpd.pem
TLSOptions                    NoSessionReuseRequired
TLSVerifyClient               off
TLSLog                        /var/log/proftpd/tls.log
<IfModule mod_tls_shmcache.c>
  TLSSessionCache             shm:/file=/var/run/proftpd/sesscache
</IfModule>

# VirtualHost for SFTP (FTP over SSH) port
LoadModule mod_sftp.c
<VirtualHost 0.0.0.0>
  SFTPEngine on
  SFTPLog /var/log/proftpd/sftp.log

  # Configure the server to listen on 2222 (openssh owns 22)
Port 2222

  # Configure the RSA and ECDSA host keys, using the same host key
  # files that OpenSSH uses.
  SFTPHostKey /etc/proftpd/ssh_host_rsa_key
  SFTPHostKey /etc/proftpd/ssh_host_ecdsa_key

  # Configure the file used for comparing authorized public keys of users.
  SFTPAuthorizedUserKeys file:~/.sftp/authorized_keys

  # Enable compression
  SFTPCompression delayed

  # More then FTP max logins, as there are more ways to authenticate
  # using SSH2.
  MaxLoginAttempts 6
  DefaultRoot ~
</VirtualHost>

I am referring to normal FTP login, not SSH FTP.

If you installed Virtualmin via the install script, the log file should be configured for you. You should not be setting a log file for it. Have you done an FTP login?

this is what I see in proftp log area

Yeah I know. As per default no file is set. It should log to syslog.

If I remove the SystemLog path I get the incorrect password log entries in:

/var/log/messages

Eg:

Mar 13 23:33:34 calypso proftpd[174941]: session[174941] 127.0.0.1 (2a09:bac5:ea:478::72:ba[2a09:bac5:ea:478::72:ba]): USER xxxxx (Login failed): Incorrect password

but fail2ban isn’t doing anything about it.

If I set fail2ban to check /var/log/messages it also doesn’t register anything.

[proftpd]

enabled  = true
port     = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/messages

it works for postfix, sshd, webmin-auth.

Right, I’m not seeing error logs for proftp when I try with bad password. Maybe a bug @staff ?

Did you also check /var/log/secure or /var/log/authlog ?

Ok, yep found it in /var/log/secure
Mar 14 16:33:11 petos proftpd[1343428]: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd1343428 ruser=ftpuser@domain.com rhost=xxx.xxx.xxx.xxx user=ftpuser@domain.com

P.S. I’m also seeing /var/log/messages when I use https://ftptest.net/ but NOT in /var/log/secure for some reason. The top one is when I use FileZilla.

OK, can you check if fail2ban is banning anything? Log in to FTP from a VPN 6 times with wrong credentials.

It may be the log path for fail2ban for proftp.
I guess you can add a new line for /var/log/secure

I tried that; it doesn’t work.

Do you expect local IP to be blocked? If so, it won’t work this way. Have you tried supplying an incorrect password using some remote system?

2a09:bac5:ea:478::72:ba is not a local IP. It is a remote IPv6. I think 127.0.0.1 is referring to the local system.

I tried on a vanilla install for rocky 9

On both Alma and Rocky, the default jail for proftpd that is enabled when it is shipped does nothing. It does not ban IPs.

Also, on a vanilla Ubuntu 22.04 install, the postfix-sasl jail cannot find a log and fail2ban does not start.

Everything seems to be working on Debian 11, but it uses deprecated PHP 7, which is of no use to me.

I had the same on Ubuntu. It turned out fail2ban had its backend configured to systemd. I changed this to auto and everything worked.
Note: I changed this in jail.conf to make it global, rather than in jail.local. If you do this, don’t forget to restart fail2ban.

It is set to auto on my end. Doesn’t affect the problem. The other jails work.

I will try to find info in a more fail2ban-specific community, if I can find one.

looking at your line

Mar 14 16:33:11 petos proftpd[1343428]: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd1343428 ruser=ftpuser@domain.com rhost=xxx.xxx.xxx.xxx user=ftpuser@domain.com

I don’t think there is a regex to match this line

maybe this config?

I tried a fresh install.

Maybe the devs can look into this. Maybe not a Virtualmin issue per se.

BUT the way Virtualmin ships it, the proftpd jail of fail2ban is without any function. It does not ban IPs, despite being activated.

Hi Community,

I’m trying to get a new server running on Almalinux 9. So far, everything looks good I think :smiley:

I can confirm the problem.

I’m not sure, but maybe something is misconfigured here. Below is my proftpd.conf from Fail2ban

[INCLUDES]

before = common.conf

[Definition]

_daemon = proftpd

__suffix_failed_login = ([uU]ser not authorized for login|[nN]o such user found|[iI]ncorrect password|[pP]assword expired|[aA]ccount disabled|[iI]nvalid shell: '\S+'|[uU]ser in \S+|[lL]imit (access|configuration) denies login|[nN]ot a UserAlias|[mM]aximum login length exceeded)


prefregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ <F-CONTENT>(?:USER|SECURITY|Maximum) .+</F-CONTENT>$


failregex = ^USER <F-USER>\S+|.*?</F-USER>(?: \(Login failed\))?: %(__suffix_failed_login)s
            ^SECURITY VIOLATION: <F-USER>\S+|.*?</F-USER> login attempted
            ^Maximum login attempts \(\d+\) exceeded

ignoreregex = 

[Init]
journalmatch = _SYSTEMD_UNIT=proftpd.service

Additionally, in my /var/log/messages file, I found this entry when I tried to log in with wrong credentials:

Apr 6 12:21:20 test proftpd[1931]: session[1931] 207.123.456.175 (189.123.456.195[189.123.456.195]): USER deanm: no such user found from 189.123.456.195 [189.203.106.195] to ::ffff:207.123.456.175:21

I also changed all the fail2ban’s to pyinotify, as well as those which are in /var/fail2ban/paths-fedora.conf

I’m not sure what’s exactly wrong here, maybe someone can help out?

Thank you.
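Added example (not part of any post in this thread, and not fail2ban's own code): the prefregex and failregex quoted in the last post, run against the /var/log/messages and /var/log/secure lines posted earlier, to show at which stage each line stops matching. `DATE`, `PREFIX` and `HOST` are simplified stand-ins for fail2ban's timestamp stripping, `__prefix_line` and `<HOST>`; `check`, `ROLE` and `allow_role_label` are hypothetical names used only here.

```python
import re

# Constructed stand-ins (assumptions), not fail2ban's own definitions:
DATE = r"^\w{3}\s+\d+ \d\d:\d\d:\d\d "            # fail2ban strips the timestamp first
PREFIX = r"\s*(?:\S+\s+)?(?:proftpd(?:\[\d+\])?:?\s+)?"  # approximates __prefix_line
ROLE = r"(?:\w+\[\d+\]\s+)?"                      # hypothetical: tolerate "session[PID]"
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"                # permissive stand-in for <HOST>

# Copied from the filter quoted above, with <F-USER>/<F-CONTENT> as named groups.
SUFFIX = (r"([uU]ser not authorized for login|[nN]o such user found|"
          r"[iI]ncorrect password|[pP]assword expired|[aA]ccount disabled|"
          r"[iI]nvalid shell: '\S+'|[uU]ser in \S+|"
          r"[lL]imit (access|configuration) denies login|[nN]ot a UserAlias|"
          r"[mM]aximum login length exceeded)")
FAILREGEX = [
    r"^USER (?P<user>\S+|.*?)(?: \(Login failed\))?: " + SUFFIX,
    r"^SECURITY VIOLATION: (?P<user>\S+|.*?) login attempted",
    r"^Maximum login attempts \(\d+\) exceeded",
]

def prefregex(allow_role_label):
    role = ROLE if allow_role_label else ""
    return re.compile("^" + PREFIX + role + r"\S+ \(\S+\[" + HOST + r"\]\)[: -]+ "
                      r"(?P<content>(?:USER|SECURITY|Maximum) .+)$")

def check(line, allow_role_label=False):
    """Return (stage, host, user); stage names where matching stopped."""
    body = re.sub(DATE, "", line)
    pre = prefregex(allow_role_label).match(body)
    if not pre:
        return ("no prefregex match", None, None)
    for rx in FAILREGEX:
        m = re.match(rx, pre.group("content"))
        if m:
            return ("match", pre.group("host"), m.groupdict().get("user"))
    return ("no failregex match", pre.group("host"), None)

# Log lines as posted in this thread.
MESSAGES = ("Mar 13 23:33:34 calypso proftpd[174941]: session[174941] 127.0.0.1 "
            "(2a09:bac5:ea:478::72:ba[2a09:bac5:ea:478::72:ba]): "
            "USER xxxxx (Login failed): Incorrect password")
SECURE = ("Mar 14 16:33:11 petos proftpd[1343428]: pam_unix(proftpd:auth): "
          "authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd1343428 "
          "ruser=ftpuser@domain.com rhost=xxx.xxx.xxx.xxx user=ftpuser@domain.com")

if __name__ == "__main__":
    for name, line in (("messages", MESSAGES), ("secure", SECURE)):
        print(name, check(line), check(line, allow_role_label=True))
```

Under these stand-ins, the /var/log/messages line only reaches the failregex once the extra `session[PID]` token is tolerated, and the pam_unix line from /var/log/secure never does. On the server itself, `fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/proftpd.conf` runs the installed filter against the real log.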