[Fail2ban] Filter not working for proftpd

  • I am trying to get fail2ban to work with proftpd. I used the default config without success. I then tried this hint: https://stackoverflow.com/ques…/regexp-proftpd-auth-logs which SHOULD work. Testing it with https://regex101.com worked (replacing "<HOST>" with something that matches anything, and using "%a" instead of "%h" to get the IP address).


    log file

    Code
    hostname [19/Mär/2021:22:43:19 +0000] "PASS (hidden)" [111.111.111.111] 530

    filter

    Code
    failregex = \[<HOST>\]\s+530$


    Trying the filter with fail2ban-regex always returns 0 matches.


    I looked around the forum using fail2ban + proftpd as the search input but wasn't very successful. Maybe others have faced the same issue?

  • Please present the full filter file. If I test this regex on this specific log line with fail2ban-regex, it matches. This log format actually also looks odd to me. So I'm pretty sure you cannot just adjust the failregex. You have to adjust a lot more in the filter. Or you are going to use a standard log format.

  • dleidert, thanks for the quick reply.


    How did you match it? If I try to match it, I don't get a result:


    My fail2ban

    Code
    root@aries:/etc/fail2ban# fail2ban-client --version
    Fail2Ban v0.10.2


    My filter looks simple


    I am more than happy to use the default logfile, but in standard OMV5 it's empty (/var/log/proftpd/proftpd.log) that's why I opted for the custom logfile.

  • Got it!


    In /var/log/fail2ban.log I found that the date pattern wasn't recognized correctly, therefore the match was not counted.


    Code
    2021-03-19 23:15:16,514 fail2ban.filter         [24451]: WARNING Found a match for 'host [19/Mär/2021:23:15:16 +0000] "PASS (hidden)" [1.1.1.1] 53 no valid date/time found for 'host [19/Mär/2021:23:15:16 +0000] "PASS (hidden)" [1.1.1.1] 530'. Please try setting a custom date pattern (see manjail.conf(5)). If format is complex, please file a detailed issue on https://github.com/fail2ban/fail2ban/issues in order to get support for this format.


    I now use SystemLog (but had to define the logfile in OMV...)


    OMV Extended Options for FTP:

    Code
    # Record all logins
    UseReverseDNS off
    SystemLog          /var/log/proftpd/proftpd.log


    Filter


    Jail

    Code
    [proftd]
    enabled  = true
    port     = ftp,ftp-data,ftps,ftps-data
    filter   = proftpdneu
    logpath  = /var/log/proftpd/proftpd.log
    maxretry = 3
    action = iptables-allports[actname=proftpd,name=proftpd,protocol=all]
             iptables-allports[actname=proftpd-docker,name=proftpd-docker,protocol=all,chain=DOCKER]



    This finally gives me

    Code
    2021-03-20 12:43:31,590 fail2ban.filter         [11215]: INFO    [proftd] Found 1.1.1.1 - 2021-03-20 12:41:16
    2021-03-20 12:43:31,593 fail2ban.filter         [11215]: INFO    [proftd] Found 1.1.1.1  - 2021-03-20 12:42:23
    2021-03-20 12:43:31,595 fail2ban.filter         [11215]: INFO    [proftd] Found 1.1.1.1  - 2021-03-20 12:42:32
    2021-03-20 12:43:31,597 fail2ban.filter         [11215]: INFO    [proftd] Found 1.1.1.1  - 2021-03-20 12:42:37
    2021-03-20 12:43:31,599 fail2ban.filter         [11215]: INFO    [proftd] Found 1.1.1.1  - 2021-03-20 12:42:40
    2021-03-20 12:43:31,751 fail2ban.actions        [11215]: NOTICE  [proftd] Ban 1.1.1.1
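    The warning in /var/log/fail2ban.log above is the key: fail2ban only counts a failregex hit if it can also extract a timestamp from the line, and the custom ExtendedLog format carries a German month abbreviation ("Mär") that the built-in date patterns do not know. The following Python script is an added example, not code from the thread or from fail2ban itself. It replays a handful of constructed log lines in the same format through the three steps fail2ban performs (failregex match, date parse, per-host counting within findtime) and shows that with an English-only month table the result is 0 matches even though the failregex itself matches, while a month table that also knows the German abbreviations yields the expected ban. The sample lines, the IPv4-only stand-in for <HOST>, and the assumption that the log was written under a German locale are all mine.

```python
"""Added example (not from the thread or from fail2ban): replay the custom
proftpd ExtendedLog format through failregex match -> date parse -> counting,
to show why an unparseable timestamp turns a matching line into "0 matches"."""
import re
from datetime import datetime, timedelta, timezone

# The thread's failregex, with <HOST> replaced by an IPv4-only stand-in.
# (fail2ban's real <HOST> substitution also covers IPv6 and hostnames.)
FAILREGEX = re.compile(r"\[(?P<host>(?:\d{1,3}\.){3}\d{1,3})\]\s+530$")

# The date part of the custom format, e.g. [19/Mär/2021:22:43:19 +0000]
DATE_RE = re.compile(
    r"\[(?P<d>\d{2})/(?P<mon>[^/]+)/(?P<y>\d{4}):"
    r"(?P<H>\d{2}):(?P<M>\d{2}):(?P<S>\d{2}) (?P<tz>[+-]\d{4})\]"
)

# English abbreviations (what a %b-style date pattern expects) ...
ENGLISH_MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}
# ... plus the German ones that differ (assumption: log written under de_DE).
ALL_MONTHS = dict(ENGLISH_MONTHS, **{"Mär": 3, "Mai": 5, "Okt": 10, "Dez": 12})

# Constructed sample log, same layout as the line posted in the thread.
SAMPLE_LOG = """\
hostname [19/Mär/2021:22:43:19 +0000] "PASS (hidden)" [203.0.113.7] 530
hostname [19/Mär/2021:22:43:25 +0000] "PASS (hidden)" [203.0.113.7] 530
hostname [19/Mär/2021:22:43:31 +0000] "USER admin" [203.0.113.7] 331
hostname [19/Mär/2021:22:43:40 +0000] "PASS (hidden)" [203.0.113.7] 530
hostname [19/Mär/2021:22:50:00 +0000] "PASS (hidden)" [198.51.100.9] 530
hostname [19/Mär/2021:23:10:00 +0000] "PASS (hidden)" [198.51.100.9] 530
hostname [19/Mär/2021:23:10:05 +0000] "PASS (hidden)" [198.51.100.9] 230
""".splitlines()


def parse_date(line, month_map):
    """Extract the bracketed timestamp; None if absent or month unknown."""
    m = DATE_RE.search(line)
    if m is None:
        return None
    month = month_map.get(m["mon"])
    if month is None:
        return None
    tz = m["tz"]
    sign = 1 if tz[0] == "+" else -1
    offset = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5])))
    return datetime(int(m["y"]), month, int(m["d"]),
                    int(m["H"]), int(m["M"]), int(m["S"]), tzinfo=offset)


def match_line(line, month_map=ALL_MONTHS):
    """(host, timestamp) for a failure line with a parseable date, else None.
    Like fail2ban, a failregex hit without a recognised date is discarded."""
    m = FAILREGEX.search(line)
    if m is None:
        return None
    ts = parse_date(line, month_map)
    if ts is None:
        return None
    return m["host"], ts


def count_matches(lines, month_map=ALL_MONTHS):
    """What fail2ban-regex would report as the number of matched lines."""
    return sum(1 for line in lines if match_line(line, month_map) is not None)


def find_bans(lines, maxretry=3, findtime=600, month_map=ALL_MONTHS):
    """Hosts reaching maxretry failures within a sliding findtime window."""
    window = timedelta(seconds=findtime)
    recent = {}
    banned = []
    for line in lines:
        hit = match_line(line, month_map)
        if hit is None:
            continue
        host, ts = hit
        if host in banned:
            continue
        hits = [t for t in recent.get(host, []) if ts - t <= window]
        hits.append(ts)
        recent[host] = hits
        if len(hits) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("English-only months:", count_matches(SAMPLE_LOG, ENGLISH_MONTHS), "matches")
    print("With German months: ", count_matches(SAMPLE_LOG), "matches")
    print("Would ban:", find_bans(SAMPLE_LOG))
```

    Run as-is it reports 0 matches with the English-only month table and 5 with the extended one, banning 203.0.113.7 (three 530 replies within 21 seconds) but not 198.51.100.9, whose two failures lie 20 minutes apart and so never share a 600-second window. The fix the thread arrived at, switching proftpd to SystemLog so the timestamp is in a format fail2ban already understands, sidesteps the month-name problem entirely, which is simpler than teaching the filter a custom date pattern.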
  • raws99

    Added the label "solved".
  • How did you match it? If I try to match it, I don't get a result:

    Interestingly this indeed fails in Buster. With the version in Sid it works.


    I am more than happy to use the default logfile, but in standard OMV5 it's empty (/var/log/proftpd/proftpd.log) that's why I opted for the custom logfile.

    Maybe it is logging to the standard facilities like syslog and/or daemon.log?
