ProFTPD not logging

Did you also check /var/log/secure or /var/log/authlog?

Ok, yep found it in /var/log/secure
Mar 14 16:33:11 petos proftpd[1343428]: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd1343428 ruser=ftpuser@domain.com rhost=xxx.xxx.xxx.xxx user=ftpuser@domain.com

P.S. I’m also seeing it in /var/log/messages when I use https://ftptest.net/, but NOT in /var/log/secure for some reason. The top one is when I use FileZilla.

OK, can you check if fail2ban is banning anything? Log in to FTP from a VPN 6 times with wrong credentials.

It may be the log path for fail2ban for proftp.
I guess you can add a new line for /var/log/secure

I tried that; it doesn’t work.

Do you expect local IP to be blocked? If so, it won’t work this way. Have you tried supplying an incorrect password using some remote system?

2a09:bac5:ea:478::72:ba is not a local IP. It is a remote IPv6. I think 127.0.0.1 is referring to the local system.

I tried on a vanilla install for Rocky 9.

On both Alma and Rocky, the default jail for proftpd that is enabled when it is shipped does nothing. It does not ban IPs.

Also, on a vanilla Ubuntu 22.04 install, the postfix-sasl jail cannot find a log and fail2ban does not start.

Everything seems to be working on Debian 11, but it uses deprecated PHP 7, which is of no use for me.

I had the same on Ubuntu. It turned out fail2ban had its backend configured to systemd; I changed this to auto and everything worked.
Note: I changed this in jail.conf to make it global rather than jail.local.
If you do this, don’t forget to restart fail2ban.

It is set to auto on my end. Doesn’t affect the problem. The other jails work.

I will try to find info in a more fail2ban-specific community, if I can find one.

looking at your line

Mar 14 16:33:11 petos proftpd[1343428]: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd1343428 ruser=ftpuser@domain.com rhost=xxx.xxx.xxx.xxx user=ftpuser@domain.com

I don’t think there is a regex to match this line

maybe this config?

I tried a fresh install.

Maybe the devs can look into this. Maybe not a Virtualmin issue per se.

BUT the way Virtualmin ships it, the proftpd jail of fail2ban is without any function. It does not ban IPs, despite being activated.

Hi Community,

I’m trying to get a new server running on Almalinux 9. So far, everything looks good I think :smiley:

I can confirm the problem.

I’m not sure, but maybe something is misconfigured here. Below is my proftpd.conf from Fail2ban:

[INCLUDES]

before = common.conf

[Definition]

_daemon = proftpd

__suffix_failed_login = ([uU]ser not authorized for login|[nN]o such user found|[iI]ncorrect password|[pP]assword expired|[aA]ccount disabled|[iI]nvalid shell: '\S+'|[uU]ser in \S+|[lL]imit (access|configuration) denies login|[nN]ot a UserAlias|[mM]aximum login length exceeded)


prefregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ <F-CONTENT>(?:USER|SECURITY|Maximum) .+</F-CONTENT>$


failregex = ^USER <F-USER>\S+|.*?</F-USER>(?: \(Login failed\))?: %(__suffix_failed_login)s
            ^SECURITY VIOLATION: <F-USER>\S+|.*?</F-USER> login attempted
            ^Maximum login attempts \(\d+\) exceeded

ignoreregex = 

[Init]
journalmatch = _SYSTEMD_UNIT=proftpd.service

Additionally, in my /var/log/messages file, I found this entry when I tried to log in with wrong credentials:

Apr 6 12:21:20 test proftpd[1931]: session[1931] 207.123.456.175 (189.123.456.195[189.123.456.195]): USER deanm: no such user found from 189.123.456.195 [189.203.106.195] to ::ffff:207.123.456.175:21

I also changed all the fail2ban’s to pyinotify, as well as those which are in /var/fail2ban/paths-fedora.conf

I’m not sure what’s exactly wrong here, maybe someone can help out?

Thank you.
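
The filter and log lines quoted above can be compared offline. This is an added example, not part of the original posts or of fail2ban: a simplified Python stand-in for the filter's prefregex and failregex, where `PREFIX` only approximates `common.conf`'s `__prefix_line` and the sample lines are constructed (documentation addresses) after the ones quoted in this thread.

```python
import re

# Assumption: simplified stand-in for common.conf's __prefix_line
# (syslog date, hostname, "proftpd[pid]:"), not fail2ban's expanded regex.
PREFIX = r"^\w{3} +\d+ [\d:]{8} \S+ proftpd\[\d+\]:? "
# Same shape as the filter's prefregex: <addr> (<name>[<HOST>]) <sep> <content>
PREFREGEX = re.compile(
    PREFIX + r"\S+ \(\S+\[(?P<host>[0-9A-Fa-f:.]+)\]\)[: -]+ "
    r"(?P<content>(?:USER|SECURITY|Maximum) .+)$")
SUFFIX = (r"([uU]ser not authorized for login|[nN]o such user found|"
          r"[iI]ncorrect password|[pP]assword expired|[aA]ccount disabled|"
          r"[iI]nvalid shell: '\S+'|[uU]ser in \S+|"
          r"[lL]imit (access|configuration) denies login|[nN]ot a UserAlias|"
          r"[mM]aximum login length exceeded)")
FAILREGEX = [re.compile(p) for p in (
    r"^USER (?P<user>\S+|.*?)(?: \(Login failed\))?: " + SUFFIX,
    r"^SECURITY VIOLATION: (?P<user>\S+|.*?) login attempted",
    r"^Maximum login attempts \(\d+\) exceeded")]

def classify(line):
    """Return (verdict, host) for one syslog line."""
    m = PREFREGEX.match(line)
    if m is None:
        return ("prefix-mismatch", None)      # filter never extracts a host
    if any(rx.search(m["content"]) for rx in FAILREGEX):
        return ("ban-candidate", m["host"])   # would count toward maxretry
    return ("no-failregex", m["host"])        # parsed, but not a failure

# Constructed sample lines (RFC 5737 addresses), modelled on this thread.
SAMPLES = {
    "classic": "Apr 6 12:21:20 test proftpd[1931]: 192.0.2.10 "
               "(198.51.100.7[198.51.100.7]) - USER deanm: no such user found "
               "from 198.51.100.7 [198.51.100.7] to 192.0.2.10:21",
    "role_label": "Apr 6 12:21:20 test proftpd[1931]: session[1931] 192.0.2.10 "
                  "(198.51.100.7[198.51.100.7]): USER deanm: no such user found "
                  "from 198.51.100.7 [198.51.100.7] to ::ffff:192.0.2.10:21",
    "pam_unix": "Mar 14 16:33:11 petos proftpd[1343428]: pam_unix(proftpd:auth): "
                "authentication failure; logname= uid=0 euid=0 "
                "tty=/dev/ftpd1343428 ruser=ftpuser@example.com "
                "rhost=198.51.100.7 user=ftpuser@example.com",
    "success": "Apr 6 12:21:25 test proftpd[1931]: 192.0.2.10 "
               "(198.51.100.7[198.51.100.7]) - USER deanm: Login successful.",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:11} -> {classify(line)}")
```

On the affected host, `fail2ban-regex <logfile> /etc/fail2ban/filter.d/proftpd.conf` gives the authoritative answer, since it expands the real `common.conf` definitions.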

@staff is this a bug?

Hmmm… Not sure if this is a bug. I think somehow, one thing might not be configured well.
I have tried to change the log file path in the ProFTPd settings to /var/log/proftpd.log, but for some reason it still writes into /var/log/messages…

I also see this problem in all distros.

I will try to find the solution. I will update this ticket with progress!

Alright, starting with Virtualmin-Config 7.0.11 and above, the Fail2ban ProFTPd jail will work properly.

You can either wait until @Joe releases a new Virtualmin-Config 7.0.11 or manually apply the patch below.

Either way, to address this issue, all existing installations should run the following command:

virtualmin-config-system -i Fail2banFirewalld

Hi @Ilia,

First of all, thank you very much for this patch. I haven’t tried it yet but looking at my friend’s server, I actually solved the issue in a bit different way. What surprised me was that ProFTPd didn’t want to log to /var/log/proftpd/proftpd.log on Alma when I put the path there in the logging options in Webmin. So, I had a look at the startup script which was:

[Unit]
Description = ProFTPD FTP Server
Wants=network-online.target
After=network-online.target nss-lookup.target local-fs.target remote-fs.target

[Service]
Type = simple
Environment = PROFTPD_OPTIONS=
EnvironmentFile = -/etc/sysconfig/proftpd
ExecStartPre = /usr/sbin/proftpd --configtest
ExecStart = /usr/sbin/proftpd --nodaemon $PROFTPD_OPTIONS
ExecReload = /bin/kill -HUP $MAINPID
PIDFile = /run/proftpd/proftpd.pid

[Install]
WantedBy = multi-user.target

So I changed it to:

[Unit]
Description=ProFTPD FTP Server
Wants=network-online.target
After=network-online.target nss-lookup.target local-fs.target remote-fs.target

[Service]
Type=forking
Environment=PROFTPD_OPTIONS= CONFIG_FILE=/etc/proftpd.conf
EnvironmentFile=-/etc/sysconfig/proftpd
ExecStartPre=/usr/sbin/proftpd --configtest -c $CONFIG_FILE
ExecStart=/usr/sbin/proftpd -c $CONFIG_FILE $PROFTPD_OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
PIDFile=/run/proftpd/proftpd.pid

[Install]
WantedBy=multi-user.target

Afterwards, I commented out these lines in my ProFTPd configuration file:

LogFormat			default	"%h %l %u %t \"%r\" %s %b"
LogFormat			auth	"%v [%P] %h %t \"%r\" %s"

And

LogOptions			-Timestamp -Hostname +RoleBasedProcessLabels

After rebooting, it’s now working with the original Fail2Ban rule, and ProFTPd is logging to the path that I set to /var/log/proftpd/proftpd.log
