ProFTP logs & fail2ban

LawsHosting (London UK, member since Sep 13, 2008):
The ProFTP log (/var/log/proftpd/auth.log) doesn't include anything interesting for fail2ban filters to work with
proftpd.conf said:
ExtendedLog /var/log/proftpd/auth.log AUTH auth
/var/log/proftpd/auth.log said:
ProFTPd [10517] <IP> [20/May/2015:10:53:11 +0100] "USER guest123" 331
ProFTPd [10517] <IP> [20/May/2015:10:53:12 +0100] "PASS (hidden)" 530
while /var/log/auth.log does include one of the f2b's regex:
/var/log/auth.log said:
proftpd[12040]: <SERVER IP> (<IP>[<IP>]) - USER <USER>: no such user found from <IP> [<IP>] to ::ffff:<SITE IP>:21

Here is the proftpd filter for fail2ban
Code:
\(\S+\[<HOST>\]\)[: -]+ - USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+ *$
\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): .*$
\(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\. *$
\(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$

Basically, why does /var/log/proftpd/auth.log only include the login details and not the failed details too?

This needs work too as f2b doesn't catch anything:
Code:
\(\S+\[<HOST>\]\)[: -]+ - USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+ *$
 
It depends on where things are written. On my server with proftpd, the failed proftp logins are written to /var/log/secure.
Maybe you can point your fail2ban check to that logfile.
 
/var/log/messages is my equivalent; it doesn't log anything "auth"... /var/log/syslog might, though.

Nope.... Nothing

Edit:

So, after some time, these regexes work:
Code:
^(.)+proftpd(.)+\[<HOST>\](.)*no such user found from (.)* to (.)*$
^(.)+proftpd(.)+\[<HOST>\](.)*USER(.)*Login failed(.)*Incorrect password(.)*$
^(.)+proftpd(.)+\[<HOST>\](.)*SECURITY VIOLATION:(.)*login attempted(.)*$
^(.)+proftpd(.)+\[<HOST>\](.)*Maximum login attempts(.)*exceeded(.)*$
against /var/log/auth.log
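To see which of the patterns in this thread actually fire, here is an added example (not from the thread and not fail2ban's own filter file) that applies them the way fail2ban does: the <HOST> tag is swapped for a named capture group and each failregex is tried with a search over the line. The sample lines are constructed to mirror the two logs quoted in the first post (TEST-NET addresses, a syslog prefix in front of the auth.log message); the syslog-format messages are the ones proftpd's mod_auth emits on a failed login. The ExtendedLog AUTH lines record only the FTP command and its reply code (331, 530) and carry none of the mod_auth failure text, so a filter written for the syslog messages has nothing to match there. Running the script also shows that the "no such user" pattern from the first post, exactly as it was posted, has an extra " - " after the `[: -]+` class and so never matches the auth.log line, whereas the four regexes from the edited follow-up do. Assumptions: the HOST substitution is the fail2ban 0.9-era one (older releases differ slightly), the variant with the extra " - " removed is mine, and the ExtendedLog 530 pattern at the end is my own suggestion, not part of the stock filter.

```python
import re

# fail2ban replaces the <HOST> tag with a named capture group before compiling
# each failregex. This is the 0.9-era substitution (assumption: older 0.8.x
# releases use a slightly different group with the same intent).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def compile_failregex(pattern):
    """Compile a fail2ban-style failregex the way fail2ban does."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def match_failregex(patterns, line):
    """Return the host captured by the first pattern that fires, else None.

    fail2ban tries every failregex with search(), so a pattern without a
    leading ^ may match anywhere in the line.
    """
    for pattern in patterns:
        m = compile_failregex(pattern).search(line)
        if m:
            return m.group("host")
    return None


def scan(patterns, lines):
    """Host each line would get banned for, or None where the filter is silent."""
    return [match_failregex(patterns, line) for line in lines]


# --- Patterns under test -------------------------------------------------

# The four lines of the filter quoted in the first post. The first one is
# reproduced as posted: note the extra " - " after the [: -]+ class.
POSTED_FILTER = [
    r"\(\S+\[<HOST>\]\)[: -]+ - USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+ *$",
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): .*$",
    r"\(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\. *$",
    r"\(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$",
]

# The same "no such user" pattern with the duplicated " - " removed (my own
# variant, not taken from the thread or from fail2ban).
FIXED_NO_SUCH_USER = r"\(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+ *$"

# The four regexes from the edited follow-up post, exactly as posted.
WORKING_REGEXES = [
    r"^(.)+proftpd(.)+\[<HOST>\](.)*no such user found from (.)* to (.)*$",
    r"^(.)+proftpd(.)+\[<HOST>\](.)*USER(.)*Login failed(.)*Incorrect password(.)*$",
    r"^(.)+proftpd(.)+\[<HOST>\](.)*SECURITY VIOLATION:(.)*login attempted(.)*$",
    r"^(.)+proftpd(.)+\[<HOST>\](.)*Maximum login attempts(.)*exceeded(.)*$",
]

# My own pattern for the ExtendedLog format (assumption: not in the thread and
# not in fail2ban's stock filter). A 530 reply to PASS is one failed login.
EXTENDEDLOG_530 = [r'^ProFTPd \[\d+\] <HOST> \[[^\]]+\] "PASS \(hidden\)" 530$']

# --- Constructed sample lines (TEST-NET addresses, not real traffic) -----

# What "ExtendedLog ... AUTH auth" writes: the command and its reply code only.
EXTENDEDLOG_LINES = [
    'ProFTPd [10517] 192.0.2.10 [20/May/2015:10:53:11 +0100] "USER guest123" 331',
    'ProFTPd [10517] 192.0.2.10 [20/May/2015:10:53:12 +0100] "PASS (hidden)" 530',
]

# What proftpd's mod_auth sends to syslog (/var/log/auth.log or /var/log/secure).
SYSLOG_LINES = [
    "May 20 10:53:12 ftp1 proftpd[12040]: 198.51.100.5 (192.0.2.10[192.0.2.10]) - "
    "USER guest123: no such user found from 192.0.2.10 [192.0.2.10] to ::ffff:198.51.100.5:21",
    "May 20 10:54:01 ftp1 proftpd[12041]: 198.51.100.5 (192.0.2.10[192.0.2.10]) - "
    "USER bob (Login failed): Incorrect password.",
    "May 20 10:55:30 ftp1 proftpd[12042]: 198.51.100.5 (192.0.2.10[192.0.2.10]) - "
    "SECURITY VIOLATION: root login attempted.",
    "May 20 10:56:00 ftp1 proftpd[12043]: 198.51.100.5 (192.0.2.10[192.0.2.10]) - "
    "Maximum login attempts (3) exceeded",
    "May 20 10:57:00 ftp1 proftpd[12044]: 198.51.100.5 (192.0.2.10[192.0.2.10]) - "
    "USER alice: Login successful.",
]


if __name__ == "__main__":
    print("posted filter vs ExtendedLog:", scan(POSTED_FILTER, EXTENDEDLOG_LINES))
    print("posted filter vs syslog:     ", scan(POSTED_FILTER, SYSLOG_LINES))
    print("fixed 'no such user' regex:  ", scan([FIXED_NO_SUCH_USER], SYSLOG_LINES))
    print("edit's regexes vs syslog:    ", scan(WORKING_REGEXES, SYSLOG_LINES))
    print("530 pattern vs ExtendedLog:  ", scan(EXTENDEDLOG_530, EXTENDEDLOG_LINES))
```

On a real box the same check is one command against the live log and filter, `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/proftpd.conf` (a single regex string can be passed in place of the filter file), which reports how many lines each failregex matched and which lines were missed. Two caveats for the `(.)*`-style regexes: they match very loosely, so test them against a successful-login line as above before trusting them, and fail2ban still needs a timestamp it can parse on every matched line, which the syslog lines have but this script does not check.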
 
Strange. I wonder... because I also have in auth.log the 2 lines you stated in the first post.
Nothing with "violation" or "attempts" or "failed" in it.

But I'm glad you figured it out.
 