ProFTPD not logging

The fail2ban jail for proftpd seems to be enabled by default but it does not do anything.

I could not find any ftp related login messages

So I set

SystemLog /var/log/proftpd/proftpd.log

in the proftpd config but it only creates the file but it does not write anything to it. Neither if I set level to DEBUG

It does write a tls.log with data.

Anyone know what might be going on?

Your not giving much info on your system setup, is this Webmin or Virtualmin. what OS etc

Virtualmin on Almalinux 9. This is the config file:

# Load DSO modules as required
Include /etc/proftpd/conf.d

# Server Config - config used for anything outside a <VirtualHost> or <Global> context
# See:

# Trace logging, disabled by default for performance reasons
# (
#TraceLog			/var/log/proftpd/trace.log
#Trace				DEFAULT:0

ServerName			"ProFTPD server"
ServerIdent on "Oh Hi!"
ServerAdmin			xxx@xxxxcom
DefaultServer on

# Cause every FTP user except adm to be chrooted into their home directory
DefaultRoot			~ !adm

# Use pam to authenticate (default) and be authoritative
AuthPAMConfig			proftpd
AuthOrder			mod_auth_pam.c* mod_auth_unix.c
# If you use NIS/YP/LDAP you may need to disable PersistentPasswd
#PersistentPasswd		off

# Don't do reverse DNS lookups (hangs on DNS problems)
UseReverseDNS off

# Set the user and group that the server runs as
User				nobody
Group				nobody

# To prevent DoS attacks, set the maximum number of child processes
# to 20.  If you need to allow more than 20 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode; in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 20

# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile			off

# Define the log formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"

# Don't log hostname or timestamps because systemd will do that for us
LogOptions			-Timestamp -Hostname +RoleBasedProcessLabels

# Enable basic controls via ftpdctl
# (
ControlsEngine			on
ControlsACLs			all allow user root
ControlsSocketACL		allow user *
ControlsLog			/var/log/proftpd/controls.log

# Enable admin controls via ftpdctl
# (
<IfModule mod_ctrls_admin.c>
  AdminControlsEngine		on
  AdminControlsACLs		all allow user root

# Enable mod_vroot by default for better compatibility with PAM
# (
<IfModule mod_vroot.c>
  VRootEngine			on

# TLS (
# Enable this with PROFTPD_OPTIONS=-DTLS in /etc/sysconfig/proftpd
<IfDefine TLS>
Include /etc/proftpd/mod_tls.conf

# Dynamic ban lists (
# Enable this with PROFTPD_OPTIONS=-DDYNAMIC_BAN_LISTS in /etc/sysconfig/proftpd
<IfModule mod_ban.c>
Include /etc/proftpd/mod_ban.conf

# Set networking-specific "Quality of Service" (QoS) bits on the packets used
# by the server (
<IfModule mod_qos.c>
Include /etc/proftpd/mod_qos.conf

# Global Config - config common to Server Config and all virtual hosts
# See:

  # Umask 022 is a good standard umask to prevent new dirs and files
  # from being group and world writable
  Umask				022

  # Allow users to overwrite files and change permissions
  AllowOverwrite		yes
DefaultRoot ~

TLSCACertificateFile /etc/
SystemLog /var/log/proftpd/proftpd.log

# A basic anonymous configuration, with an upload directory
# Enable this with PROFTPD_OPTIONS=-DANONYMOUS_FTP in /etc/sysconfig/proftpd
Include /etc/proftpd/anonftp.conf

# Include other custom configuration files

And this is the other virtualmin conf for it:

  PassivePorts 49152 65535
AllowOverwrite on
RootLogin off
# chroot users into their home by default
DefaultRoot ~

# Enable TLS
LoadModule mod_tls.c
TLSEngine on
TLSRequired                   on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/private/proftpd.pem
TLSOptions                    NoSessionReuseRequired
TLSVerifyClient               off
TLSLog                        /var/log/proftpd/tls.log
<IfModule mod_tls_shmcache.c>
  TLSSessionCache             shm:/file=/var/run/proftpd/sesscache

# VirtualHost for SFTP (FTP over SSH) port
LoadModule mod_sftp.c
  SFTPEngine on
  SFTPLog /var/log/proftpd/sftp.log

  # Configure the server to listen on 2222 (openssh owns 22)
Port 2222

  # Configure the RSA and ECDSA host keys, using the same host key
  # files that OpenSSH uses.
  SFTPHostKey /etc/proftpd/ssh_host_rsa_key
  SFTPHostKey /etc/proftpd/ssh_host_ecdsa_key

  # Configure the file used for comparing authorized public keys of users.
  SFTPAuthorizedUserKeys file:~/.sftp/authorized_keys

  # Enable compression
  SFTPCompression delayed

  # More then FTP max logins, as there are more ways to authenticate
  # using SSH2.
  MaxLoginAttempts 6
  DefaultRoot ~

I am refering to normal FTP login not ssh ftp

If you installed Virtualmin via the install script the log file should be configured for you. You should not be setting a log files for it. Have you done a ftp login?

this is what I see in proftp log area

Yeah I know. As per default no file is set. It should log to syslog.

If i remove the SystemLog path I get the incorrect password log entries to:



Mar 13 23:33:34 calypso proftpd[174941]: session[174941] (2a09:bac5:ea:478::72:ba[2a09:bac5:ea:478::72:ba]): USER xxxxx (Login failed): Incorrect password

but fail2ban isn’t doing anything about it.

If I set fail2ban to check /var/log/messages it also doesnt register anything.


enabled  = true
port     = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/messages

it works for postfix, sshd, webmin-auth.

Right, I’m not seeing error logs for proftp when I try with bad password. Maybe a bug @staff ?

Did you also check /var/log/secure or /var/log/authlog ?

1 Like

Ok, yep found it in /var/log/secure
Mar 14 16:33:11 petos proftpd[1343428]: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd1343428

P.S. I’m also seeing /var/log/messages when I use but NOT in /var/log/secure for some reason the top one is when I use filezilla

Ok can you check if fail2ban is banning anything? login to ftp from a vpn 6 times with wrong credentials.

It maybe the log path for fail2ban for proftp.
I guess you can add a new line for /var/log/secure

I tried that it doesnt work.

Do you expect local IP to be blocked? If so, it won’t work this way. Have you tried supplying an incorrect password using some remote system?

2a09:bac5:ea:478::72:ba is not a local IP. It is a remote IPv6. I think is refering to the local system.

I tried on a vanilla install for rocky 9

On both alma and rocky the default jail for proftpd that is enabled when it is shipped does nothing. It does not ban IP’s.

also on a vanilla ubuntu 22.04 install the postfix-sasl jail cannot find a log and fail2ban does not start.

everything seems to be working on debian 11, but it uses deprecated php 7 which is of no use for me.

I had the same on Ubuntu, it turned out fail2ban had it’s backend configured to systemd, I changed this to auto & everything worked
note :-
I changed this in jail.conf to make it global rather than jail.local
if you do this don’t forget to restart fail2ban

it is set to auto on my end. Doesn’t affect the problem. The other jails work.

I will try and find info on more fail2ban specific community If I can find it.

looking at your line

Mar 14 16:33:11 petos proftpd[1343428]: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd1343428

I don’t think there is a regex to match this line

maybe this config?

I tried a fresh install.

Maybe the devs can look into this. Maybe not a virtualmin issue per-se.

BUT in the way virtualmin ships the proftpd jail of fail2ban is without any function. It does not ban IPs. Despite being activated.

Hi Community,

I’m trying to get a new server running on Almalinux 9. So far, everything looks good I think :smiley:

I can confirm the problem.

I’m not sure, but maybe something is misconfigured here. Below is my proftpd.conf from Fail2ban


before = common.conf


_daemon = proftpd

__suffix_failed_login = ([uU]ser not authorized for login|[nN]o such user found|[iI]ncorrect password|[pP]assword expired|[aA]ccount disabled|[iI]nvalid shell: '\S+'|[uU]ser in \S+|[lL]imit (access|configuration) denies login|[nN]ot a UserAlias|[mM]aximum login length exceeded)

prefregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ <F-CONTENT>(?:USER|SECURITY|Maximum) .+</F-CONTENT>$

failregex = ^USER <F-USER>\S+|.*?</F-USER>(?: \(Login failed\))?: %(__suffix_failed_login)s
            ^SECURITY VIOLATION: <F-USER>\S+|.*?</F-USER> login attempted
            ^Maximum login attempts \(\d+\) exceeded

ignoreregex = 

journalmatch = _SYSTEMD_UNIT=proftpd.service

Additionally, in my /var/log/messages file, I found this entry when I tried to log in with wrong credentials:

Apr 6 12:21:20 test proftpd[1931]: session[1931] 207.123.456.175 (189.123.456.195[189.123.456.195]): USER deanm: no such user found from 189.123.456.195 [] to ::ffff:207.123.456.175:21

I changed also all the fail2ban’s to pyinotify, as well those which are in /var/fail2ban/paths-fedora.conf

I’m not sure what’s exactly wrong here, maybe someone can help out?

Thank you.