Proftpd double timestamps: no more hits by BFM nor CSF/LFD

dennispiet

New member
Joined
Nov 11, 2017
Messages
3
I recently successfully upgraded my VPS from Centos 7 to Almalinux 9.
After a while I noticed both Brute Force Monitor and CSF/LFD didn't report any hits on Proftpd anymore. Normally there would be multiple hits per day.

After investigating I found the filters from brute_filter.list and the main regex from CSF/LFD do not match the loglines in Rsyslog, because of the double timestamps.

My Proftpd log entries look like this:

Jan 31 11:13:54 server proftpd[74229]: 2025-01-31 11:13:54,514 server proftpd[74229] 185.x.x.x (188.y.y.y[188.y.y.y]): USER debokkensp: no such user found from 188.y.y.y [188.y.y.y] to 185.x.x.x:21

In an attempt to get rid of the extra timestamp (2025-01-31 11:13:54,514 server proftpd[74229]), I did:
rm -rf /etc/rsyslog.conf
dnf reinstall rsyslog
rm -rf /etc/proftpd.conf
da build proftpd

So now I'm sure I have the default config for both rsyslog and proftpd. Still the double timestamps show up in /var/log/messages and therefore BFM and CSF/LFD do not find ftp attacks.

What else could I possibly do to get log entries that BFM and CSF/LFD recognize? Of course I could change brute_filter.list and RegexMain.pm, but I would rather solve the cause.
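To make the matching failure concrete, here is an added example (not code from the post, and not the real patterns from brute_filter.list or CSF's RegexMain.pm) that runs a strict, syslog-style "no such user" pattern and a timestamp-tolerant variant over two constructed log lines: one with the embedded second timestamp as in the post, one in the classic single-timestamp form. The regexes and the IP addresses are illustrative assumptions; the normalise() helper shows what a log line would have to look like again for a strict pattern to fire.

```python
import re

# Constructed sample lines (addresses are placeholders, not the post's real ones).
# DOUBLE_TS mirrors the post: the syslog message body starts with a second
# "YYYY-MM-DD HH:MM:SS,mmm host proftpd[pid]" header before the real message.
DOUBLE_TS = (
    "Jan 31 11:13:54 server proftpd[74229]: 2025-01-31 11:13:54,514 server "
    "proftpd[74229] 185.0.0.1 (188.0.0.1[188.0.0.1]): USER debokkensp: no such "
    "user found from 188.0.0.1 [188.0.0.1] to 185.0.0.1:21"
)
# SINGLE_TS is the same event in the classic form, with one syslog timestamp only.
SINGLE_TS = (
    "Jan 31 11:13:54 server proftpd[74229]: 185.0.0.1 (188.0.0.1[188.0.0.1]): "
    "USER debokkensp: no such user found from 188.0.0.1 [188.0.0.1] to 185.0.0.1:21"
)

# Hypothetical strict pattern in the style of a syslog brute-force filter:
# it assumes "proftpd[pid]: " is followed directly by "server (client[client]):".
STRICT = re.compile(
    r"proftpd\[\d+\]: \S+ \((\S+)\[(\S+)\]\): USER (\S+): no such user found"
)

# Hypothetical tolerant variant: the embedded second header is optional.
EMBEDDED_HEADER = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3} \S+ proftpd\[\d+\] "
TOLERANT = re.compile(
    r"proftpd\[\d+\]: (?:" + EMBEDDED_HEADER + r")?"
    r"\S+ \((\S+)\[(\S+)\]\): USER (\S+): no such user found"
)

# Strips the embedded header from the message body, leaving the syslog header.
EMBEDDED_TS = re.compile(r"(proftpd\[\d+\]: )" + EMBEDDED_HEADER)


def normalise(line: str) -> str:
    """Return the line as a strict pattern expects it (one timestamp)."""
    return EMBEDDED_TS.sub(r"\1", line, count=1)


def match_failed_user(line: str, pattern: re.Pattern = STRICT):
    """Return {'ip': ..., 'user': ...} for a failed-login line, or None."""
    m = pattern.search(line)
    if not m:
        return None
    return {"ip": m.group(1), "user": m.group(3)}


def count_hits(lines, pattern: re.Pattern = STRICT) -> dict:
    """Count matching failed logins per client IP, like a brute-force monitor would."""
    hits = {}
    for line in lines:
        hit = match_failed_user(line, pattern)
        if hit:
            hits[hit["ip"]] = hits.get(hit["ip"], 0) + 1
    return hits


if __name__ == "__main__":
    print("strict on double timestamp :", match_failed_user(DOUBLE_TS))
    print("strict on single timestamp :", match_failed_user(SINGLE_TS))
    print("strict after normalise()   :", match_failed_user(normalise(DOUBLE_TS)))
    print("tolerant on double ts      :", match_failed_user(DOUBLE_TS, TOLERANT))
    print("hits, strict  :", count_hits([DOUBLE_TS, DOUBLE_TS]))
    print("hits, tolerant:", count_hits([DOUBLE_TS, DOUBLE_TS], TOLERANT))
```

The strict pattern returns nothing for the double-timestamp line because the text right after `proftpd[pid]: ` is the embedded date rather than the expected `server (client[client]):` fragment, which is the same failure mode the post describes for BFM and LFD; either the log line has to be brought back to the single-timestamp form, or the filter has to be taught to skip the extra header.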
 