Proftpd and fail2ban

#1 Tue, 11/15/2011 - 05:08
jeromelpv

Hello,

I can't get fail2ban working with proftpd.

The reason is the strange date format in proftpd.log, for instance:

nov. 13 14:40:33 sd-25139 proftpd[16300] XXX.YYY.ZZZ (sd-24052.dedibox.fr[::ffff:88.191.132.29]): SECURITY VIOLATION: root login attempted.

The dot in nov. is guilty.

Is there any way to correct it?

Tue, 11/15/2011 - 08:50
andreychek

Howdy,

It should be using the "Nov 13" format by default.

ProFTPd typically logs directly to /var/log/proftpd.log, rather than going through syslog -- so you may want to review your ProFTPd config file to see if there's something in there that's causing the problem you're seeing.

That would be located in /etc/proftpd/proftpd.conf.

-Eric

Tue, 11/15/2011 - 09:01 (Reply to #2)
jeromelpv

I have changed Default to auth in the Webmin/ProFTPD Server/Logging Options/System log facility combobox and now the date format is OK.

Thu, 12/01/2011 - 03:04 (Reply to #3)
jeromelpv

The problem remains: any time proftpd restarts, it uses the weird default log format, for instance this morning (an unattended restart, logrotate??):

Dec 01 06:25:03 sd-25139 proftpd[29022] sd-25139.dedibox.fr: ProFTPD killed (signal 15)

Dec 01 06:25:03 sd-25139 proftpd[29022] sd-25139.dedibox.fr: ProFTPD 1.3.3a standalone mode SHUTDOWN

déc. 01 06:25:04 sd-25139 proftpd[23136] sd-25139.dedibox.fr: ProFTPD 1.3.3a (maint) (built Sun Nov 13 2011 22:40:44 UTC) standalone mode STARTUP

I am obliged to restart it from Webmin to restore a correct log format:

déc. 01 09:39:24 sd-25139 proftpd[23136] sd-25139.dedibox.fr: ProFTPD killed (signal 15)

déc. 01 09:39:24 sd-25139 proftpd[23136] sd-25139.dedibox.fr: ProFTPD 1.3.3a standalone mode SHUTDOWN

Dec 01 09:39:25 sd-25139 proftpd[2016] sd-25139.dedibox.fr: ProFTPD 1.3.3a (maint) (built Sun Nov 13 2011 22:40:44 UTC) standalone mode STARTUP

Which config does proftpd use when it restarts?

/etc/proftpd/proftpd.conf ends with:

SyslogFacility auth

Sat, 12/03/2011 - 18:43
andreychek

Howdy,

Yeah, it should use "/etc/proftpd/proftpd.conf" by default.

If you run "ps auxw | grep proftp" and you don't see it running with a -c parameter specifying a non-default config file, it should use the default.

Then, you can run "proftpd -V" to verify what config file it's hard-coded to use.

-Eric

Mon, 12/05/2011 - 08:40 (Reply to #5)
jeromelpv

It was a locale issue; proftpd/Default has some problem with fr_FR.UTF-8.

The solution I have found:

1) I have added en_US.UTF-8 to my server

2) I have added the line:

export LANG="en_US.UTF-8"

to /etc/init.d/proftpd
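
Added example, not part of the thread and not fail2ban or ProFTPD code: a Python check that flags log lines whose timestamp starts with a non-English month token (the symptom discussed above) and reports which proftpd PIDs wrote them, showing which daemon instance was started under the localized environment. It assumes the log consumer only accepts English three-letter month abbreviations; the function names are hypothetical and the sample lines are copied from the excerpts in this thread.

```python
import re
from collections import defaultdict

# Assumption: the log consumer only accepts English month abbreviations
# in the syslog-style "Mon DD HH:MM:SS" prefix.
EN_MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
EN_STAMP = re.compile(rf"^(?:{EN_MONTHS}) [ \d]\d \d\d:\d\d:\d\d ")
# Any leading token followed by day and time; also matches "nov." and "déc.".
ANY_STAMP = re.compile(r"^(\S+) +\d{1,2} \d\d:\d\d:\d\d ")
PID = re.compile(r"\bproftpd\[(\d+)\]")

# Sample lines copied from the log excerpts quoted in this thread.
SAMPLE = [
    "nov. 13 14:40:33 sd-25139 proftpd[16300] XXX.YYY.ZZZ (sd-24052.dedibox.fr[::ffff:88.191.132.29]): SECURITY VIOLATION: root login attempted.",
    "Dec 01 06:25:03 sd-25139 proftpd[29022] sd-25139.dedibox.fr: ProFTPD killed (signal 15)",
    "déc. 01 06:25:04 sd-25139 proftpd[23136] sd-25139.dedibox.fr: ProFTPD 1.3.3a (maint) (built Sun Nov 13 2011 22:40:44 UTC) standalone mode STARTUP",
    "déc. 01 09:39:24 sd-25139 proftpd[23136] sd-25139.dedibox.fr: ProFTPD killed (signal 15)",
    "Dec 01 09:39:25 sd-25139 proftpd[2016] sd-25139.dedibox.fr: ProFTPD 1.3.3a (maint) (built Sun Nov 13 2011 22:40:44 UTC) standalone mode STARTUP",
]

def audit(lines):
    """Return (lines the English-only pattern rejects, {pid: month tokens seen})."""
    bad = []
    by_pid = defaultdict(set)
    for line in lines:
        line = line.rstrip("\n")
        stamp = ANY_STAMP.match(line)
        if not stamp:
            continue  # not a timestamped log line
        pid = PID.search(line)
        if pid:
            by_pid[pid.group(1)].add(stamp.group(1))
        if not EN_STAMP.match(line):
            bad.append(line)  # a date detector would skip this line silently
    return bad, dict(by_pid)

def localized_pids(by_pid):
    """PIDs of daemon instances that wrote at least one non-English month token."""
    english = set(EN_MONTHS.split("|"))
    return sorted(pid for pid, tokens in by_pid.items() if tokens - english)

if __name__ == "__main__":
    bad, by_pid = audit(SAMPLE)
    print(f"{len(bad)} line(s) with a non-English timestamp")
    print("PIDs that logged under a localized environment:", localized_pids(by_pid))
```

Run against the real /var/log/proftpd.log by passing an open file object to audit(); any PID it reports was started by a path that did not set the English locale.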