Brute Force Monitor not working with pureftpd.log and phpmyadmin.log

crenet

Hi,
Should Brute Force Monitor work with these services?
OS does have /var/log/pureftpd.log but no files under /var/www/html/phpMyAdmin/log/
Where are the phpMyAdmin logs created?
BFM and CSF are not watching pureftpd and phpMyAdmin.
Any fix for these issues?
Thanks
 
Pure-FTPd failed attempts should be logged to /var/log/messages, and it should be set as the following in CSF config:
Code:
FTPD_LOG = "/var/log/messages"

Isn't it? /var/www/html/phpMyAdmin/log/ logs just failed attempts, did you have any login failures to phpMyAdmin?
 
Hi Martynas,

Sorry, I forgot to say that I see the pureftpd logs in /var/log/pureftpd.log. I've changed the /etc/rsyslog.conf
and I already set CSF with:

FTPD_LOG = "/var/log/pureftpd.log"

Should BFM work if we set pureftpd.log in CSF?

In phpMyAdmin/log/ I do not see any file there, or does the file only exist if we have a failed attempt?
Thanks
 
BFM would still expect it in /var/log/messages, but LFD would block failed attempts.

Regarding phpMyAdmin log - yes, only failed attempts there.
 
So you are saying that even if we set
FTPD_LOG = "/var/log/pureftpd.log" the BFM still looks in /var/log/messages ??!!!
Is there any way to change BFM to have a log file just for pureftpd in /var/log/pureftpd.log?
Regarding phpMyAdmin log, so with no failed attempts the log file does not exist.
I will need to simulate to see if CSF is blocking the IP.

Thanks
 
Hm.. /var/log/pureftpd.log should work :) As it's listed in /usr/local/directadmin/data/templates/logs.list. Just know that if you change the csf.conf path, it doesn't change logs.list for BFM checks.
 
Hi Martynas,

PureFTP service is working but I let it down until I solve this issue.
I just start the service to test.

I am expecting to see a login report in BFM once someone tries to log in, but it's not working.

In /usr/local/directadmin/data/templates/logs.list I have /var/log/pureftpd.log=PureFTP Log

In /etc/csf/csf.conf I have FTPD_LOG = "/var/log/pureftpd.log"

Now /var/log/pureftpd.log has disappeared, like some days ago. Why?

In /etc/rsyslog.conf I have this

Code:
###############
#### RULES ####
###############
#
# First some standard log files.  Log by facility.
#
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
#cron.*                         /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
ftp.*                           -/var/log/pureftpd.log
#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err

#
# Some "catch-all" log files.

*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron.none,daemon.none;\
        ftp.none;\
        mail.none,news.none     -/var/log/messages
 
Hi Martynas,
After I simulate a new login attempt, the file /var/log/pureftpd.log comes back again. That's very weird; shouldn't the file always be there?

Now /var/log/pureftpd.log has these entries
Nov 22 15:36:00 hostname pure-ftpd: ([email protected]) [INFO] New connection from xx.xxx.xxx.xxx
Nov 22 15:36:00 hostname pure-ftpd: ([email protected]) [DEBUG] Command [auth] [TLS]
Nov 22 15:36:01 hostname pure-ftpd: ([email protected]) [INFO] TLS: Enabled TLSv1.2 with ECDHE-RSA-AES256-GCM-SHA384, 256 secret bits ciph$
Nov 22 15:36:01 hostname pure-ftpd: ([email protected]) [DEBUG] Command [pbsz] [0]
Nov 22 15:36:01 hostname pure-ftpd: ([email protected]) [DEBUG] Command [prot] [P]
Nov 22 15:36:01 hostname pure-ftpd: ([email protected]) [DEBUG] Command [user] [test]
Nov 22 15:36:02 hostname pure-ftpd: ([email protected]) [DEBUG] Command [pass] [<*>]
Nov 22 15:36:06 hostname pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [test]

But no report on BFM:(
 
It could have been rotated by logrotate, that's why it was empty before :) Regarding BFM - did you check the table of failed logins there, or were you looking for an IP block there?
 
After I use a wrong password and user name, I log in to an admin account and look at Admin Tools>Brute Force Monitor>Failed Logins, and the login attempt wasn't there either in Failed Logins:IP list, and Skip List is empty.
PureFTP service is working well and it's logging in /var/log/pureftpd.log.
 
CSF is working correctly as soon as I set
LF_FTPD = 3
LF_FTPD_PERM=600

I get the IP blocked in Temporary IP Entries.
lfd - (ftpd) Failed FTP login from xx.xxx.xxx.xxx (xx/country/-): 3 in the last 3600 secs

So it seems there is no doubt that DA BFM is missing pureftpd.log
Before, I downloaded csf-bfm-install.sh and installed it with this guide; now even the script is not in root's home. Is there any function that cleans these scripts?

Any help to fix this will be appreciated.
Thanks
 
Update:

Reinstalled BFM following this guide
Set /root/directadmin-bfm-csf.conf with the correct SSH port, FTP uses the default ports

/usr/local/directadmin/data/templates/logs.list has /var/log/pureftpd.log=PureFTP Log

As we know, the BFM script disables all Login Failure Blocking in CSF/LFD
Simulated a pureFTP login failure and nothing is reported in BFM and it does not block the IP.

If I allow CSF to manage LF_FTPD it blocks the IP.

Where do we set the number of allowed attempts for the email authentications?
In DA Admin settings it's only available for DA login attempts.
I was testing with IMAP and only after 6 attempts BFM blocks the IP. Is there any way to change this setting?

Any way to fix it?
 
Does anybody know why I cannot get Brute Force Monitor reporting PureFTP attempts?
 
My BFM is still not logging pureFTP failed attempts.
Is there another forum where we can talk with the DA community/users?
 
Try this:
Code:
ftp.*                           -/var/log/messages
as that's where it logs to by default, and where DA is looking.
If you need it in pure-ftpd.log, I could rework the BFM to scan this other log too, but it isn't in the default list.

John
 
Thanks John, but in /usr/local/directadmin/data/templates/logs.list I see /var/log/pureftpd.log=PureFTP Log

and in /etc/rsyslog.conf I have this
ftp.* -/var/log/pureftpd.log

Isn't it supposed to work?
 
I've added support for this in DA:

pre-release binaries are available now.

I believe the reason why that log was created is for the "AltLog" which never adds anything anyway. From the /etc/pure-ftpd.conf:
Code:
# Create an additional log file with transfers logged in a format optimized
# for statistic reports.

AltLog                       stats:/var/log/pureftpd.log
which may fight with the syslogd entries.. but as long as they're all just appending to the log, any varying formats wouldn't hurt anything too badly (BFM parser skips lines it can't figure out).
So although I've added the id=2595 feature, you may want to comment out the "AltLog stats:/var/log/pureftpd.log" line to ensure there isn't any unexpected funny-business.

John
 
Thanks John,

Do we just need to add brute_force_pureftpd_log=/var/log/pureftpd.log to directadmin.conf and restart DA?

Now I got another problem:
cd /usr/local/directadmin

/usr/local/directadmin/directadmin set brute_force_pureftpd_log=/var/log/pureftpd.log
Bind Error: Make sure there aren't any copies running in the background
Address already in use
If DirectAdmin is running, but you cannot connect to port xxx, check this guide:

I've changed the DA port and it is working; I can log in, but I am getting that error.

Other thread?
 
It is:
/usr/local/directadmin/directadmin set name value

Not:
/usr/local/directadmin/directadmin set name=value
 
I already used this command before; I just forgot to remove the "=".
Now I am getting this:
/usr/local/directadmin# /usr/local/directadmin/directadmin set brute_force_pureftpd_log /var/log/pureftpd.log
Error with the current values:
Cannot find 'brute&#95;force&#95;pureftpd&#95;log' in the directadmin.conf

After updating directadmin.conf manually, I have
brute_force_pureftpd_log=/var/log/pureftpd.log in directadmin.conf but still get the same error with the directadmin set command.

Thanks
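
Added example, not part of the thread and not DirectAdmin or CSF code: the problem discussed above comes down to three settings that must agree on one file, namely where rsyslog writes the ftp facility, what lfd reads (FTPD_LOG) and what BFM reads (brute_force_pureftpd_log). The check below runs on constructed copies of the rules quoted in the thread; it assumes BFM reads /var/log/messages when the setting is absent (as John's reply describes), handles only legacy selector lines with file actions, and treats any priority other than none as "receives messages".

```python
import re

# Constructed inputs mirroring the rules quoted in this thread.
RSYSLOG = r"""*.*;auth,authpriv.none          -/var/log/syslog
ftp.*                           -/var/log/pureftpd.log
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron.none,daemon.none;\
        ftp.none;\
        mail.none,news.none     -/var/log/messages
"""
CSF = 'FTPD_LOG = "/var/log/pureftpd.log"\n'
DA_DEFAULT = "servername=host.example.com\n"  # constructed; no BFM log setting
DA_FIXED = DA_DEFAULT + "brute_force_pureftpd_log=/var/log/pureftpd.log\n"

def ftp_log_targets(rsyslog_text, facility="ftp"):
    """Files that receive at least some messages of `facility`."""
    targets = []
    # Fold backslash-continued rules into one line before parsing.
    for line in re.sub(r"\\\s*\n\s*", "", rsyslog_text).splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        selectors, action = parts[0], parts[1].strip().lstrip("-")
        receives = False
        for sel in selectors.split(";"):  # later selectors override earlier ones
            facs, _, prio = sel.rpartition(".")
            names = {f.split(".")[0] for f in facs.split(",")}
            if facility in names or "*" in names:
                receives = prio != "none"  # ftp.none removes the facility again
        if receives and action.startswith("/"):
            targets.append(action)
    return targets

def conf_value(text, key, default=None):
    """Read key=value or KEY = "value" from a flat config file."""
    m = re.search(rf'^\s*{re.escape(key)}\s*=\s*"?([^"\n]*?)"?\s*$', text, re.M)
    return m.group(1) if m else default

def audit(rsyslog_text, csf_text, da_text):
    """Map each log reader to (path it reads, whether rsyslog writes FTP there)."""
    written = ftp_log_targets(rsyslog_text)
    readers = {
        "lfd": conf_value(csf_text, "FTPD_LOG"),
        # Assumption from the thread: BFM reads /var/log/messages unless overridden.
        "bfm": conf_value(da_text, "brute_force_pureftpd_log", "/var/log/messages"),
    }
    return {name: (path, path in written) for name, path in readers.items()}

if __name__ == "__main__":
    print(audit(RSYSLOG, CSF, DA_DEFAULT), audit(RSYSLOG, CSF, DA_FIXED), sep="\n")
```

With the quoted rsyslog rules, the `ftp.none` selector keeps FTP messages out of /var/log/messages, so a reader pointed at that file sees no Pure-FTPd failures while lfd, pointed at /var/log/pureftpd.log, does.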
 