Page 1 of 1
fail2ban does not detect failed attempts (proftpd)
Posted: Sat 15. Nov 2025, 17:10
by Pedrope
Hi everyone, I've had KeyHelp Panel installed for about 4 months and fail2ban isn't detecting failed login attempts via ProFTPD.
S.O: Debian 12.12
Keyhelp : 25.2
PHP : 8.2.29
Filter (default)
[kh-ftp]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
backend = systemd
maxretry = 4
journalctl -u proftpd.service -p err
It's not showing anything.
journalctl -u proftpd.service | grep -i "login failed"
Oct 25 04:46:06 orka.extra.com proftpd[322428]: orka.extra.com (213.230.125.66[213.230.125.66]) - USER ftp (Login failed): Incorrect password
Nov 08 20:31:55 orka.extra.com proftpd[353826]: orka.extra.com (169.150.196.207[169.150.196.207]) - USER ftp (Login failed): Incorrect password
Nov 08 20:31:59 orka.extra.com proftpd[353827]: orka.extra.com (169.150.196.207[169.150.196.207]) - USER ftp (Login failed): Incorrect password
It only shows some logs; it doesn't show all the failed attempts I've made.
Where can I see the log of failed attempts?
Thanks in advance
PedroP
Re: fail2ban does not detect failed attempts (proftpd)
Posted: Mon 17. Nov 2025, 16:10
by Alexander
Hello,
It works fine on my test Debian 12 machine.
journalctl -u proftpd.service -f
Code: Select all
Nov 17 16:01:06 dev24.keymachine.de proftpd[3173004]: dev24.keymachine.de (h-87.***.***.***.keyweb.de[87.***.***.***]) - USER bla: no such user found from h-87.***.***.***.keyweb.de [87.***.***.***] to ::ffff:62.***.***.***:21
Nov 17 16:02:20 dev24.keymachine.de proftpd[3173586]: dev24.keymachine.de (h-87.***.***.***.keyweb.de[87.***.***.***]) - USER test (Login failed): Incorrect password
tail -f /var/log/fail2ban.log
Code: Select all
2025-11-17 16:01:07,285 fail2ban.filter [457]: INFO [kh-ftp] Found 87.***.***.*** - 2025-11-17 16:01:07
2025-11-17 16:02:21,036 fail2ban.filter [457]: INFO [kh-ftp] Found 87.***.***.*** - 2025-11-17 16:02:21
You might want to check if the filter is identical to the default for Debian 12 systems - /etc/fail2ban/filter.d/proftpd.conf:
Code: Select all
# Fail2Ban filter for the Proftpd FTP daemon
#
# Set "UseReverseDNS off" in proftpd.conf to avoid the need for DNS.
# See: http://www.proftpd.org/docs/howto/DNS.html
# When the default locale for your system is not en_US.UTF-8
# on Debian-based systems be sure to add this to /etc/default/proftpd
# export LC_TIME="en_US.UTF-8"
[INCLUDES]
before = common.conf
[Definition]
_daemon = proftpd
__suffix_failed_login = ([uU]ser not authorized for login|[nN]o such user found|[iI]ncorrect password|[pP]assword expired|[aA]ccount disabled|[iI]nvalid shell: '\S+'|[uU]ser in \S+|[lL]imit (access|configuration) denies login|[nN]ot a UserAlias|[mM]aximum login length exceeded)
prefregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ <F-CONTENT>(?:USER|SECURITY|Maximum) .+</F-CONTENT>$
failregex = ^USER <F-USER>\S+|.*?</F-USER>(?: \(Login failed\))?: %(__suffix_failed_login)s
^SECURITY VIOLATION: <F-USER>\S+|.*?</F-USER> login attempted
^Maximum login attempts \(\d+\) exceeded
ignoreregex =
[Init]
journalmatch = _SYSTEMD_UNIT=proftpd.service
# Author: Yaroslav Halchenko
# Daniel Black - hardening of regex
Which jails are enabled?
Re: fail2ban does not detect failed attempts (proftpd) [SOLVED]
Posted: Mon 17. Nov 2025, 21:32
by Pedrope
Thanks Alexander, I checked the filter and it was different
Code: Select all
failregex = ^USER <F-USER>\S+|.*?</F-USER>(?: \(Login failed\))?: %(__suffix_failed_login)s
^SECURITY VIOLATION: <F-USER>\S+|.*?</F-USER> login attempted
^Maximum login attempts \(\d+\) exceeded
^\S+ proftpd\[\d+\]: .* - USER \S+: no such user found from .* \[<HOST>\] to .+$
I replaced it and now it filters well
fail2ban-client status
Status
|- Number of jail: 10
`- Jail list: kh-database, kh-dovecot, kh-ftp, kh-phpmyadmin, kh-postfix, kh-postfix-sasl, kh-recidive, kh-roundcube, kh-snappymail, sshd
Thank you, and please mark this as solved.
Pedrope