fail2ban does not detect failed attempts (proftpd)

[Pedrope]

Hi everyone, I've had KeyHelp Panel installed for about 4 months and fail2ban isn't detecting failed login attempts via ProFTPD.
S.O: Debian 12.12
Keyhelp : 25.2
PHP : 8.2.29

Filter (default)

[kh-ftp]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
backend = systemd
maxretry = 4

journalctl -u proftpd.service -p err

It's not showing anything.

journalctl -u proftpd.service | grep -i "login failed"
Oct 25 04:46:06 orka.extra.com proftpd[322428]: orka.extra.com (213.230.125.66[213.230.125.66]) - USER ftp (Login failed): Incorrect password
Nov 08 20:31:55 orka.extra.com proftpd[353826]: orka.extra.com (169.150.196.207[169.150.196.207]) - USER ftp (Login failed): Incorrect password
Nov 08 20:31:59 orka.extra.com proftpd[353827]: orka.extra.com (169.150.196.207[169.150.196.207]) - USER ftp (Login failed): Incorrect password

It only shows some logs; it doesn't show all the failed attempts I've made.

Where can I see the log of failed attempts?

Thanks in advance

PedroP

[Alexander]

Hello,

It works fine on my test Debian 12 machine.

journalctl -u proftpd.service -f

Code: Select all

Nov 17 16:01:06 dev24.keymachine.de proftpd[3173004]: dev24.keymachine.de (h-87.***.***.***.keyweb.de[87.***.***.***]) - USER bla: no such user found from h-87.***.***.***.keyweb.de [87.***.***.***] to ::ffff:62.***.***.***:21

Nov 17 16:02:20 dev24.keymachine.de proftpd[3173586]: dev24.keymachine.de (h-87.***.***.***.keyweb.de[87.***.***.***]) - USER test (Login failed): Incorrect password

tail -f /var/log/fail2ban.log

Code: Select all

2025-11-17 16:01:07,285 fail2ban.filter         [457]: INFO    [kh-ftp] Found 87.***.***.*** - 2025-11-17 16:01:07

2025-11-17 16:02:21,036 fail2ban.filter         [457]: INFO    [kh-ftp] Found 87.***.***.*** - 2025-11-17 16:02:21

You might want to check if the filter is identical to the default for Debian 12 systems - /etc/fail2ban/filter.d/proftpd.conf:

Code: Select all

# Fail2Ban filter for the Proftpd FTP daemon
#
# Set "UseReverseDNS off" in proftpd.conf to avoid the need for DNS.
# See: http://www.proftpd.org/docs/howto/DNS.html
# When the default locale for your system is not en_US.UTF-8
# on Debian-based systems be sure to add this to /etc/default/proftpd
# export LC_TIME="en_US.UTF-8"

[INCLUDES]

before = common.conf

[Definition]

_daemon = proftpd

__suffix_failed_login = ([uU]ser not authorized for login|[nN]o such user found|[iI]ncorrect password|[pP]assword expired|[aA]ccount disabled|[iI]nvalid shell: '\S+'|[uU]ser in \S+|[lL]imit (access|configuration) denies login|[nN]ot a UserAlias|[mM]aximum login length exceeded)


prefregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ <F-CONTENT>(?:USER|SECURITY|Maximum) .+</F-CONTENT>$


failregex = ^USER <F-USER>\S+|.*?</F-USER>(?: \(Login failed\))?: %(__suffix_failed_login)s
            ^SECURITY VIOLATION: <F-USER>\S+|.*?</F-USER> login attempted
            ^Maximum login attempts \(\d+\) exceeded

ignoreregex = 

[Init]
journalmatch = _SYSTEMD_UNIT=proftpd.service

# Author: Yaroslav Halchenko
#         Daniel Black - hardening of regex

Which jails are enabled?

Code: Select all

fail2ban-client status

[Pedrope]

Thanks Alexander, I checked the filter and it was different

Code: Select all

failregex = ^USER <F-USER>\S+|.*?</F-USER>(?: \(Login failed\))?: %(__suffix_failed_login)s
                ^SECURITY VIOLATION: <F-USER>\S+|.*?</F-USER> login attempted
                ^Maximum login attempts \(\d+\) exceeded
               ^\S+ proftpd\[\d+\]: .* - USER \S+: no such user found from .* \[<HOST>\] to .+$

I replaced it and now it filters well

fail2ban-client status
Status
|- Number of jail: 10
`- Jail list: kh-database, kh-dovecot, kh-ftp, kh-phpmyadmin, kh-postfix, kh-postfix-sasl, kh-recidive, kh-roundcube, kh-snappymail, sshd

Thank you, and please mark this as solved.

Pedrope