Anyone using CSF/LFD firewall with Virtualmin?

#1 Tue, 11/26/2013 - 04:39
netizen

Anyone using CSF/LFD firewall with Virtualmin?

Hello,

Is anyone here using CSF firewall with the LFD module enabled for blocking failed login attempts? I have LFD enabled but it does not seem to block the FTP failed logins. Can someone please share his/her FTP regex, as the default that comes with CSF does not seem to work?

I am running ProFTPD and my logging format is as follows:

# Define the log formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"

N

Tue, 11/26/2013 - 06:27
jimdunn

I use CSF with Virtualmin... but can't find any file that has the word "LogFormat" in it.

Tue, 11/26/2013 - 06:46 (Reply to #2)
netizen

Is your LFD blocking failed FTP logins?

The LogFormat is within the ProFTPD configuration file /etc/proftpd.conf.

I have not touched the original files of the OS or the CSF/LFD

Please let me know. tnx

Tue, 11/26/2013 - 07:15
Locutus

I explained this about a month ago, see here:

https://www.virtualmin.com/node/13841#comment-124467

Unfortunately, comment linking (like so many other things) doesn't work properly on this forum. Please scroll down to my post dated "2013-11-14 11:24".

Tue, 11/26/2013 - 10:25 (Reply to #4)
netizen

Thank you for that. Very helpful.

My ftp logging was done in /var/log/messages so I switched that to /var/log/proftpd/proftpd.log and declared it within the CSF configuration. LFD is now watching that file instead.

By the way, do you know why the IPs are showing with the ::ffff: in front? >>>

Nov 26 16:02:52 myhost.mydomain.com proftpd[7915] 1.1.1.1 (::ffff:2.2.2.2[::ffff:2.2.2.2]): FTP session closed.

where 1.1.1.1 is my server IP & 2.2.2.2 is the client IP connecting via FTP

Thu, 12/12/2013 - 05:21 (Reply to #5)
netizen

Locutus,

I have an update on this. I have enabled watching this log for banning failed FTP logins: FTPD_LOG = "/var/log/proftpd/proftpd.log". However, although it DOES successfully block failed FTP logins of UNKNOWN users, it does not block failed FTP logins of existing users with a WRONG password.

Can you please confirm if your setup is actually blocking both?

As a reminder only, I am using CentOS 6.4, CSF/LFD latest 6.38 with the default code (nothing changed apart from the FTPD_LOG value) and ProFTPD 1.33 (as installed by the Virtualmin script).

The failed login inside the log appears as follows:

Dec 12 10:31:57 myserverhostname.mydomain.com proftpd[27209] 1.1.1.1 (::ffff:2.2.2.2[::ffff:2.2.2.2.]): USER realusername (Login failed): Incorrect password.

where 1.1.1.1 is the server IP and 2.2.2.2 is the client connecting.

Thu, 12/12/2013 - 11:02
Locutus

@netizen: You are right, there seems to be an error in LFD's default regular expressions for ProFTPD.

You can fix that by going to /usr/local/csf/bin/regex.pm, find the line that says "USER (\S*) (Login failed): Incorrect password" under the ProFTPD block, and remove the dash and the space before the word USER.

Thu, 12/12/2013 - 14:02 (Reply to #7)
netizen

Thank you very much Locutus. This was INDEED the solution.

By the way, do you know what the following regex is protecting from?

# LFD's ProFTPD "SECURITY VIOLATION" check from /usr/local/csf/bin/regex.pm.
# $2 is the client address captured from the "[...]" part of the log line.
if (($config{LF_FTPD}) and ($lgfile eq $config{FTPD_LOG}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\)( -)?:? - SECURITY VIOLATION/)) {
        $ip = $2; $acc = ""; $ip =~ s/^::ffff://; $acc =~ s/:$//g;   # drop the IPv4-mapped "::ffff:" prefix
        if (&checkip($ip)) {return ("Failed FTP login from","$ip|$acc","ftpd")} else {return}
}

I would like, if possible, to emulate that condition in order to check if it will be banned from CSF/LFD.
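The following is an added example (mine, not code from the thread, from CSF or from ProFTPD) that emulates the Perl branch above and Locutus's fix in one place, so you can feed a log line in and see whether LFD would act on it. The "Incorrect password" rules are an assumed reconstruction built from the SECURITY VIOLATION regex quoted above, with the "- " before USER that Locutus says to remove; they are not copied from regex.pm. The sample lines are constructed (modelled on the ones pasted in this thread, with placeholder IPs), and the checkip stand-in simply validates address syntax. ProFTPD writes the SECURITY VIOLATION marker, for instance, when a login as root is attempted; the sample line for it is constructed too.

```python
import ipaddress
import re

# Leading part shared by LFD's ProFTPD checks, copied from the SECURITY VIOLATION
# regex quoted in the thread: group 1 = timestamp, group 2 = client IP taken from
# the "[...]" part, group 3 = optional " -" separator.
PREFIX = (r'^(\S+|\S+\s+\d+\s+\S+) \S+ proftpd\[\d+\]:? \S+ '
          r'\([^\[]+\[(\S+)\]\)( -)?:? ')

# Assumed reconstruction of the default "Incorrect password" rule (dash and space
# before USER, as Locutus describes it) next to the corrected rule. The SECURITY
# VIOLATION rule is the one quoted in the thread. Neither list is copied from regex.pm.
DEFAULT_RULES = [
    re.compile(PREFIX + r'- USER (\S*) \(Login failed\): Incorrect password'),
    re.compile(PREFIX + r'- SECURITY VIOLATION'),
]
FIXED_RULES = [
    re.compile(PREFIX + r'USER (\S*) \(Login failed\): Incorrect password'),
    re.compile(PREFIX + r'- SECURITY VIOLATION'),
]


def checkip(ip):
    """Stand-in for csf's &checkip: accept only a syntactically valid IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(ip)
        return True
    except ValueError:
        return False


def lfd_verdict(line, rules):
    """Emulate the quoted Perl branch for one log line.

    Returns ("Failed FTP login from", "ip|acc", "ftpd") when a rule matches and the
    captured IP is valid, otherwise None (LFD does nothing with the line).
    """
    for rx in rules:
        m = rx.match(line)
        if not m:
            continue
        ip = re.sub(r'^::ffff:', '', m.group(2))      # $ip =~ s/^::ffff://
        acc = m.group(4) if rx.groups >= 4 else ""   # account is only captured by the USER rule
        acc = re.sub(r':$', '', acc)                 # $acc =~ s/:$//g
        if checkip(ip):
            return ("Failed FTP login from", f"{ip}|{acc}", "ftpd")
        return None   # regex matched but the IP is malformed: LFD silently ignores it
    return None


# Constructed sample lines (placeholder hosts and IPs), modelled on the thread.
FAILED_PASSWORD = ("Dec 12 10:31:57 myserverhostname.mydomain.com proftpd[27209] 1.1.1.1 "
                   "(::ffff:2.2.2.2[::ffff:2.2.2.2]): USER realusername (Login failed): Incorrect password.")
SECURITY_VIOLATION = ("Dec 12 10:40:03 myserverhostname.mydomain.com proftpd[27210] 1.1.1.1 "
                      "(::ffff:3.3.3.3[::ffff:3.3.3.3]) - SECURITY VIOLATION: Root login attempted.")
SESSION_CLOSED = ("Nov 26 16:02:52 myhost.mydomain.com proftpd[7915] 1.1.1.1 "
                  "(::ffff:2.2.2.2[::ffff:2.2.2.2]): FTP session closed.")
# The failed-login line exactly as pasted in the thread, with a stray trailing dot
# inside the brackets: the regex still matches, but checkip rejects "2.2.2.2.".
TRAILING_DOT = FAILED_PASSWORD.replace("[::ffff:2.2.2.2]", "[::ffff:2.2.2.2.]")

if __name__ == "__main__":
    samples = [("failed password", FAILED_PASSWORD), ("security violation", SECURITY_VIOLATION),
               ("session closed", SESSION_CLOSED), ("trailing dot", TRAILING_DOT)]
    for label, line in samples:
        print(f"{label:18} default: {lfd_verdict(line, DEFAULT_RULES)}")
        print(f"{'':18} fixed:   {lfd_verdict(line, FIXED_RULES)}")
```

Run it and the "failed password" line produces no verdict under the default rules but "2.2.2.2|realusername" under the fixed ones, which is exactly the symptom netizen reports; the SECURITY VIOLATION line is caught by both, the session-closed line by neither. The trailing-dot case shows the purpose of the checkip guard: a match alone is not enough, the captured address also has to parse, otherwise the line is dropped without a block.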

Thu, 12/12/2013 - 17:27
Locutus

Well, seemingly it triggers when ProFTPD logs the text "SECURITY VIOLATION". I don't know though under which circumstances it does that - Google might know the answer. ;)
