Can proftpd be supported?

robm · Post by **robm** » 20 Jan 2007, 20:45

Is it possible for proftpd to be supported for lfd monitoring and blocking?

Post by **chirpy** » 21 Jan 2007, 10:33

You can add it yourself if you under stand perl regex handling in /etc/csf/regex.pm, otherwise i'll put it on the wishlist.

robm · Post by **robm** » 21 Jan 2007, 15:31

chirpy wrote:You can add it yourself if you under stand perl regex handling in /etc/csf/regex.pm, otherwise i'll put it on the wishlist.

Thanks. If you need any bad login strings for it, just let me know.

Post by **chirpy** » 22 Jan 2007, 11:29

If you can quote failure strings within CODE tags in this thread I'll see what I can do. Oh, also mention which file they're logged to plus your OS.

robm · Post by **robm** » 22 Jan 2007, 15:11

RHEL 4.4, /var/log/secure

Code: Select all

Jan 22 09:29:14 blue proftpd[13139]: blue.servername.com (se2-scan01.scanalert.com[209.67.114.32]) - USER bogusbogus: no such user found from se2-scan01.scanalert.com [209.67.114.32] to 69.94.108.88:21
Jan 22 09:29:39 blue proftpd[13186]: blue.servername.com (se2-scan01.scanalert.com[209.67.114.32]) - USER nobody (Login failed): Incorrect password.

footprintmediauk · Post by **footprintmediauk** » 09 Dec 2007, 13:32

Hi,

I have attempted to configure CSF v 2.94 for ProFTPD, but it is not monitoring failed logins.

I have the following in my /etc/csf/csf.conf file:

Code: Select all

FTPD_LOG = "/var/log/proftpd/proftpd_system.log"

And in that log file, a typical blocked login entry looks like this:

Code: Select all

Dec 09 13:17:58 server1.theserver.org proftpd[30058] server1.theserver.org (vps.thehacker.net[123.456.789.012]): PAM(username): Authentication failure.

I tried adjusting the file /etc/csf/regex.pm:

Code: Select all

#proftpd
	if (($config{LF_FTPD}) and ($lgfile eq $config{FTPD_LOG}) and ($bits[4] =~ /^proftpd/) and ($line =~ /*.no such user.*/) and ($bits[6] =~ /(\d+\.\d+\.\d+\.\d+)/)) {
		return ("Failed FTP login from",$1,"ftpd");
	}
	if (($config{LF_FTPD}) and ($lgfile eq $config{FTPD_LOG}) and ($bits[4] =~ /^proftpd/) and ($line =~ /*.Authentication failure.*/) and ($bits[6] =~ /(\d+\.\d+\.\d+\.\d+)/)) {
		return ("Failed FTP login from",$1,"ftpd");
	}

Please can you help and tell me what else I need to do?

Many thanks!

footprintmediauk · Post by **footprintmediauk** » 09 Dec 2007, 16:49

Fixed the problem - for some reason restarting CSF wasn't enough to reload the config file - I could see in the log that the ProFTPD log was not being watched. I restarted the server and the log was added to the watch list and it started blocking IP addresses for failed logins.

Great!

Post by **chirpy** » 10 Dec 2007, 10:23

You have to restart csf and lfd. lfd is the more important since it's that process that uses the regex's for login failure tracking.

footprintmediauk · Post by **footprintmediauk** » 10 Dec 2007, 16:21

Thanks Chirpy - I didn't realise they had separate init scripts!

ConfigServer Community Forum

Can proftpd be supported?

Can proftpd be supported?

Not working for me...