I'm using pureftpd and fail2ban but it is not working. It seems it is able to read the log but the fail2ban.filter event is not triggered. I investigated a lot about all the possible problems and I already did a lot of checks but I don't know why this is not working. I'll start by posting my configs, logs and what I did. First, I must say I already have fail2ban running OK on the same machine against apache and ssh. The problem is only happening with pureftpd:

In my /etc/fail2ban/jail.local:

[pureftpd]
enabled = true
port = 21
filter = pure-ftpd
logpath = /var/log/messages
backend = polling
maxretry = 5

I changed this thousands of times (restarting fail2ban daemon after each change of course). Tested port = ftp instead of port = 21 seems to have the same result. I tried using backend = auto or removing backend statement... same result.

My /var/log/messages is receiving the login attempts to the FTP server OK; some lines as an example:

Aug  3 08:31:01 88a4998e8b37 pure-ftpd: (?@192.168.0.159) [INFO] New connection from 192.168.0.159
Aug  3 08:31:09 88a4998e8b37 pure-ftpd: (?@192.168.0.159) [WARNING] Authentication failed for user [testinguser]

My /etc/fail2ban/filter.d/pure-ftpd.conf:

[Definition]
__errmsg = Authentication failed for user
failregex = pure-ftpd: \(\?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$
ignoreregex =

I tested this by running fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/pure-ftpd.conf and it returns a lot of hits, so I think it is working.

I also put fail2ban into debug mode, and this is the log while a user connects and tries to log in, failing:

2017-08-03 03:31:10,163 fail2ban.filterpoll     [4429]: DEBUG   /var/log/messages has been modified
2017-08-03 03:31:10,164 fail2ban.datedetector   [4429]: DEBUG   Matched time template (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
2017-08-03 03:31:10,165 fail2ban.datedetector   [4429]: DEBUG   Got time 1470231069.000000 for "'Aug  3 08:31:09'" using template (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
2017-08-03 03:31:10,165 fail2ban.datedetector   [4429]: DEBUG   Sorting the template list
2017-08-03 03:31:10,166 fail2ban.datedetector   [4429]: DEBUG   Winning template: (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)? with 2 hits

So it is detecting the file is changing but the filter is not triggered. Why?

Comparing with my other fail2ban services that work (apache for example), I saw a difference in the logs... when it works, lines like these appear in the logs:

2017-08-03 03:43:37,024 fail2ban.filterpoll     [4429]: DEBUG   /var/log/apache2/error.log has been modified
2017-08-03 03:43:37,025 fail2ban.datedetector   [4429]: DEBUG   Matched time template (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
2017-08-03 03:43:37,026 fail2ban.datedetector   [4429]: DEBUG   Got time 1501767816.000000 for "'Thu Aug 03 08:43:36.224686 2017'" using template (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
2017-08-03 03:43:37,026 fail2ban.filter         [4429]: DEBUG   Processing line with time:1501767816.0 and ip:192.168.0.154
2017-08-03 03:43:37,027 fail2ban.filter         [4429]: INFO    [apache] Found 192.168.0.154

So, everything seems similar checking the files... it gets the time but nothing is triggered after that. What can be happening? Has somebody experienced this before? Thank you.

1 Answer

It is solved now. The problem was that the timezone inside the container was different from the one that was set on the host. Read this "wrong issue" I put on fail2ban's GitHub:

https://github.com/fail2ban/fail2ban/issues/1855#event-1195174858
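
The debug output in the question already carries the symptom the answer describes. As an added example (not part of the original posts and not fail2ban's own code), this Python script reads the `Got time` lines and compares the epoch fail2ban derived from each log entry with the time fail2ban wrote the debug line. Assumptions: the function name `audit_parsed_times`, the 60-second tolerance and reading fail2ban's own timestamp as UTC are choices made here; the two sample lines are copied from the question with the template suffix trimmed.

```python
import re
from datetime import datetime, timezone

# Two datedetector lines copied from the question's debug output (suffix trimmed).
SAMPLE_LOG = [
    '2017-08-03 03:31:10,165 fail2ban.datedetector   [4429]: DEBUG   '
    'Got time 1470231069.000000 for "\'Aug  3 08:31:09\'" using template',
    '2017-08-03 03:43:37,026 fail2ban.datedetector   [4429]: DEBUG   '
    'Got time 1501767816.000000 for "\'Thu Aug 03 08:43:36.224686 2017\'" using template',
]

GOT_TIME = re.compile(
    r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.datedetector.*?'
    r'Got time (\d+)(?:\.\d+)? for "\'(.*?)\'"')

DAY = 86400  # larger than any timezone offset, so a bigger gap is not just TZ


def audit_parsed_times(lines, tolerance=60):
    """Return one finding per 'Got time' line: the raw stamp, the epoch decoded
    as UTC, and its skew against the time fail2ban wrote the debug line.
    Assumption: fail2ban's own log timestamp is read as UTC."""
    findings = []
    for line in lines:
        m = GOT_TIME.search(line)
        if not m:
            continue
        wall = datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S')
        wall = wall.replace(tzinfo=timezone.utc)
        parsed = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)
        skew = int((parsed - wall).total_seconds())
        if skew < -DAY:
            verdict = 'stale'    # far in the past: outside the findtime window
        elif abs(skew) > tolerance:
            verdict = 'offset'   # clock or timezone mismatch, entry still recent
        else:
            verdict = 'ok'
        findings.append({'raw': m.group(3), 'parsed_utc': parsed.isoformat(),
                         'skew_seconds': skew, 'verdict': verdict})
    return findings


if __name__ == '__main__':
    for finding in audit_parsed_times(SAMPLE_LOG):
        print(finding)
```

On the question's lines, the pure-ftpd entry (whose syslog stamp has no year) decodes to 2016-08-03, about a year before fail2ban's own clock, so it falls outside the findtime window; the apache entry, which carries its year, is only hours off.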