ConfigServer Community Forum

Posted: **07 May 2009, 10:16**

Hello,
On one CentOS 5.3 64-bit, the proftpd log lines have IP prefixed with "::ffff:", this seems to cause non detection of incorrect ftp login
(/etc/csf/regex.pm ?) :

Code: Select all

/var/log/secure (lfd detection does NOT work)
May  7 10:49:04 vmcentos64 proftpd[9810]: vmcentos64.example.com (::ffff:192.168.0.2[::ffff:192.168.0.2]) - USER xxx: no such user found from ::ffff:192.168.0.2 [::ffff:192.168.0.2] to ::ffff:192.168.0.100:21
May  7 10:49:06 vmcentos64 proftpd[9810]: vmcentos64.example.com (::ffff:192.168.0.2[::ffff:192.168.0.2]) - FTP session closed.
May  6 22:57:49 vmcentos64 proftpd[3772]: vmcentos64.example.com (::ffff:192.168.0.2[::ffff:192.168.0.2) - USER yyy (Login failed): Incorrect password.

On this CentOS 5.3 64-bit, lfd detection is OK:

Code: Select all

/var/log/secure (lfd detection works)
May  7 10:49:04 vmcentos64 proftpd[9810]: vmcentos64.example.com (192.168.0.2[192.168.0.2]) - USER xxx: no such user found from 192.168.0.2 [192.168.0.2] to 192.168.0.100:21
May  7 10:49:06 vmcentos64 proftpd[9810]: vmcentos64.example.com (192.168.0.2[192.168.0.2]) - FTP session closed.
May  6 22:57:49 vmcentos64 proftpd[3772]: vmcentos64.example.com (192.168.0.2[192.168.0.2) - USER yyy (Login failed): Incorrect password.

1)
Could lfd be updated to take into account both IP formats ?
Or if unfortunately this cannot be done, how can I use custom.regex.pm to handle this? I am not very familiar with regular expressions
so if there are some snippet codes it would be welcome.

2)
Is there an explanation why does proftpd use "::ffff:" prefix?

Thank you.

Posted: **07 May 2009, 10:17**

It's dependent on whether you have ipv6 enabled in your network settings on the server. I'll add the issue for investigation.

ConfigServer Community Forum

proftpd: IP logged with ::ffff: prefix so no detection

proftpd: IP logged with ::ffff: prefix so no detection