Can proftpd be supported?

robm
Junior Member
Posts: 33
Joined: 20 Jan 2007, 20:44

Can proftpd be supported?

Post by robm »

Is it possible for proftpd to be supported for lfd monitoring and blocking?
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

You can add it yourself if you understand perl regex handling in /etc/csf/regex.pm, otherwise I'll put it on the wishlist.
robm
Junior Member
Posts: 33
Joined: 20 Jan 2007, 20:44

Post by robm »

chirpy wrote: You can add it yourself if you understand perl regex handling in /etc/csf/regex.pm, otherwise I'll put it on the wishlist.
Thanks. If you need any bad login strings for it, just let me know.
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

If you can quote failure strings within CODE tags in this thread I'll see what I can do. Oh, also mention which file they're logged to plus your OS.
robm
Junior Member
Posts: 33
Joined: 20 Jan 2007, 20:44

Post by robm »

RHEL 4.4, /var/log/secure

Code:

Jan 22 09:29:14 blue proftpd[13139]: blue.servername.com (se2-scan01.scanalert.com[209.67.114.32]) - USER bogusbogus: no such user found from se2-scan01.scanalert.com [209.67.114.32] to 69.94.108.88:21
Jan 22 09:29:39 blue proftpd[13186]: blue.servername.com (se2-scan01.scanalert.com[209.67.114.32]) - USER nobody (Login failed): Incorrect password.
footprintmediauk
Junior Member
Posts: 3
Joined: 09 Dec 2007, 12:07

Not working for me...

Post by footprintmediauk »

Hi,

I have attempted to configure CSF v 2.94 for ProFTPD, but it is not monitoring failed logins.

I have the following in my /etc/csf/csf.conf file:

Code:

FTPD_LOG = "/var/log/proftpd/proftpd_system.log"

And in that log file, a typical blocked login entry looks like this:

Code:

Dec 09 13:17:58 server1.theserver.org proftpd[30058] server1.theserver.org (vps.thehacker.net[123.456.789.012]): PAM(username): Authentication failure.

I tried adjusting the file /etc/csf/regex.pm:

Code:

#proftpd
	# Unknown user name: the client IP is taken from the "(host[ip])" field in $bits[6]
	if (($config{LF_FTPD}) and ($lgfile eq $config{FTPD_LOG}) and ($bits[4] =~ /^proftpd/) and ($line =~ /.*no such user.*/) and ($bits[6] =~ /(\d+\.\d+\.\d+\.\d+)/)) {
		return ("Failed FTP login from",$1,"ftpd");
	}
	# Failed PAM authentication: same client field, same return values
	if (($config{LF_FTPD}) and ($lgfile eq $config{FTPD_LOG}) and ($bits[4] =~ /^proftpd/) and ($line =~ /.*Authentication failure.*/) and ($bits[6] =~ /(\d+\.\d+\.\d+\.\d+)/)) {
		return ("Failed FTP login from",$1,"ftpd");
	}

Please can you help and tell me what else I need to do?

Many thanks!
footprintmediauk
Junior Member
Posts: 3
Joined: 09 Dec 2007, 12:07

Post by footprintmediauk »

Fixed the problem - for some reason restarting CSF wasn't enough to reload the config file - I could see in the log that the ProFTPD log was not being watched. I restarted the server and the log was added to the watch list and it started blocking IP addresses for failed logins.

Great!
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

You have to restart csf and lfd. lfd is the more important since it's that process that uses the regexes for login failure tracking.
footprintmediauk
Junior Member
Posts: 3
Joined: 09 Dec 2007, 12:07

Post by footprintmediauk »

Thanks Chirpy - I didn't realise they had separate init scripts!
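
An added example, not part of the thread and not csf's own code: a stand-alone Perl harness for trying a ProFTPD failure rule against sample lines before putting it into /etc/csf/regex.pm. The whitespace split into @bits, the sub name proftpd_failed_login and the sample log lines are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: the log line is split on whitespace into @bits, which is what
# the $bits[4] / $bits[6] indexes in the rule quoted in the thread imply.
sub proftpd_failed_login {
    my ($line) = @_;
    my @bits = split /\s+/, $line;

    # Field 4 is "proftpd[pid]", with or without a trailing colon.
    return unless defined $bits[6] and $bits[4] =~ /^proftpd\[\d+\]:?$/;

    # The three failure strings that appear in the thread's log samples.
    return unless $line =~ /no such user|Incorrect password|Authentication failure/;

    # Take the address only from the "(host[ip])" client field. The rest of
    # the line also holds the server's own address and the user name the
    # client sent, and neither of those should ever be returned for blocking.
    return unless $bits[6] =~ /^\(\S*\[(\d+\.\d+\.\d+\.\d+)\]\):?$/;

    return ("Failed FTP login from", $1, "ftpd");
}

# Constructed sample lines modelled on the two log formats in the thread
# (syslog /var/log/secure and ProFTPD's own system log).
my @samples = (
    'Jan 22 09:29:14 host1 proftpd[13139]: host1.example.com (scan.example.net[192.0.2.10]) - USER bogus: no such user found from scan.example.net [192.0.2.10] to 203.0.113.5:21',
    'Dec 09 13:17:58 host2.example.org proftpd[30058] host2.example.org (vps.example.org[198.51.100.7]): PAM(username): Authentication failure.',
    # User name that looks like an address: the client field must still win.
    'Jan 22 09:30:02 host1 proftpd[13190]: host1.example.com (scan.example.net[192.0.2.10]) - USER 127.0.0.1 (Login failed): Incorrect password.',
    # Successful login: must not be reported.
    'Jan 22 09:31:00 host1 proftpd[13201]: host1.example.com (client.example.net[192.0.2.44]) - USER alice: Login successful.',
);

for my $line (@samples) {
    my @hit = proftpd_failed_login($line);
    my $verdict = @hit ? "$hit[0] $hit[1] ($hit[2])" : "no match";
    printf "%-45s <- %.60s...\n", $verdict, $line;
}
```

Once a rule behaves as expected here, it still only takes effect after lfd is restarted, as noted above.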