pure ftp attempted login

Discussion in 'Security' started by keat63, Jan 14, 2015.

  1. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    In Host Access Control I have FTP allowed for my home and work IPs and everything else is denied.

    Today, I saw an LFD for a PURE_FTP login.
    The fact that they failed with a username would indicate that Host Access Control didn't stop them.
    Am I doing something wrong?

    Jan 14 18:25:07 server pure-ftpd: (?@71.6.135.131) [WARNING] Authentication failed for user [anonymous]
     
    #1 keat63, Jan 14, 2015
    Last edited: Jan 14, 2015
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    671
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    You can only control access to the ftpd daemon if you use the ProFTPD FTP server. This is because Pure-FTPd does not support TCP wrappers.

    Thank you.
     
  3. keat63

    keat63 Well-Known Member

    Thanks Michael.

    As I'm probably the only person who will FTP, I've changed the config to pro-ftp.
    Hopefully, this is another security hurdle.
     
  4. keat63

    keat63 Well-Known Member

    Since changing from pure to pro-ftp, I'm now seeing lots of these messages.

    Jan 15 12:05:47 server proftpd[18958]: xxx.xx.xx.xxx (127.0.0.1[127.0.0.1]) - FTP session opened.

    And then closed again very shortly afterwards.
    xxx.xx.xx.xxx is my server IP

    Any further ideas?
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    It's normal to see connections from 127.0.0.1 if you have monitoring enabled for that service via the "Service Manager" in Web Host Manager. It's checking to verify the service is up and running.

    Thank you.
     
  6. keat63

    keat63 Well-Known Member

    So is pure-ftp doing the same in the background, but not logging?
    Pro-ftp was logging these every 10 minutes.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    I see the same connection attempts with Pure-FTPd on a test machine in /var/log/messages. EX:

    Code:
    Jan 20 14:40:34 hostname pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Do you not see the same type of entries? Is monitoring enabled for Pure-FTPd in the Service Manager?

    Thank you.
     
  8. keat63

    keat63 Well-Known Member

    I can honestly say that if it were, then I never noticed them.
    If it's normal behaviour, I'll learn to ignore them.

    Thanks
     
  9. keat63

    keat63 Well-Known Member

    Is there a way to disable these?
    I'm getting hundreds of them every night.
    I'm starting to think, it might be easier just switching back to pure.

    Code:
    Jan 26 20:01:16 hostname proftpd[22052]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
    Jan 26 20:01:16 hostname proftpd[22052]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.
    Jan 26 20:06:50 hostname proftpd[22168]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
    Jan 26 20:06:50 hostname proftpd[22168]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.
    Jan 26 20:15:18 hostname proftpd[22313]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
    Jan 26 20:15:18 hostname proftpd[22313]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.
    Jan 26 20:21:16 hostname proftpd[22442]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
    Jan 26 20:21:16 hostname proftpd[22442]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.
    Jan 26 20:26:16 hostname proftpd[22532]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
    Jan 26 20:26:16 hostname proftpd[22532]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.
    Jan 26 20:36:17 hostname proftpd[22702]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
    Jan 26 20:36:17 hostname proftpd[22702]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.
    Jan 26 20:41:17 hostname proftpd[22805]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
    Jan 26 20:41:17 hostname proftpd[22805]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.
    Jan 26 20:49:15 hostname proftpd[22919]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
    Jan 26 20:49:15 hostname proftpd[22919]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.
    Jan 26 20:56:18 hostname proftpd[23053]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
    Jan 26 20:56:18 hostname proftpd[23053]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Those are normal connection attempts from Chkservd to verify ProFTPD is running well. You can disable monitoring for ProFTPD in the "Service Manager" if you don't want to see those entries.

    Thank you.
     
  11. keat63

    keat63 Well-Known Member

    If I disable monitoring, will this also disable monitoring of genuine logon attempts?
    I'd still like to be able to monitor pro-ftp, but kill these false session open, session closed messages.

    I guess, as I'm the only person using FTP on the server, I could disable or stop FTP altogether until I need it.
    Maybe something to look at in the future once I've settled in.
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Those FTP sessions are how Chkservd verifies the service is up. Is this causing some sort of slowness or issues with FTP on your system? What exactly about those entries is a concern for you?

    Thank you.
     
  13. keat63

    keat63 Well-Known Member

    The concern is the amount.

    Every hour, the server sends me an email; each one of these emails has a list of about 15-20 entries:
    hostname proftpd[22052]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
    hostname proftpd[22052]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.

    So between 5pm and 8am the next day I have in excess of 20 emails and 200 x

    hostname proftpd[22052]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
    hostname proftpd[22052]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.

    to scan through.
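
Added example (not part of the thread, and not cPanel, Chkservd or LFD code): one way to shrink the reports described above by dropping only loopback lines that are bare connect/disconnect service checks, while keeping every authentication failure, including any that come from 127.0.0.1. The sample lines are constructed from the log formats posted in this thread; the ProFTPD "Login failed" wording and the 192.0.2.10 / 203.0.113.7 addresses are assumptions.

```python
import re
from collections import Counter

# Line layouts as they appear in the thread's /var/log/messages excerpts.
PATTERNS = [
    re.compile(r"proftpd\[\d+\]: \S+ \([^\[]*\[(?P<ip>[^\]]+)\]\) - (?P<msg>.*)"),
    re.compile(r"pure-ftpd: \([^@]*@(?P<ip>[^)]+)\) \[\w+\] (?P<msg>.*)"),
]
LOOPBACK = {"127.0.0.1", "::1"}
PROBE_PREFIXES = ("FTP session opened", "FTP session closed", "New connection from")
FAILURE_MARKERS = ("Authentication failed", "Login failed")  # second one is assumed

def classify(line):
    """Return (kind, source_ip); kind is probe, auth_failure, event or other."""
    for pattern in PATTERNS:
        m = pattern.search(line)
        if not m:
            continue
        ip, msg = m.group("ip"), m.group("msg")
        # Only a bare connect/disconnect from loopback counts as a service check.
        if ip in LOOPBACK and msg.startswith(PROBE_PREFIXES):
            return "probe", ip
        if any(marker in msg for marker in FAILURE_MARKERS):
            return "auth_failure", ip
        return "event", ip
    return "other", None

def summarize(lines):
    """Drop probe lines; return (probe_count, failures_by_ip, lines_to_review)."""
    probes, failures, review = 0, Counter(), []
    for line in lines:
        kind, ip = classify(line)
        if kind == "probe":
            probes += 1
            continue
        review.append(line)
        if kind == "auth_failure":
            failures[ip] += 1
    return probes, failures, review

# Constructed sample; 192.0.2.10 and 203.0.113.7 are documentation addresses.
SAMPLE = [
    "Jan 26 20:01:16 hostname proftpd[22052]: 192.0.2.10 (127.0.0.1[127.0.0.1]) - FTP session opened.",
    "Jan 26 20:03:43 hostname proftpd[22101]: 192.0.2.10 (203.0.113.7[203.0.113.7]) - USER admin (Login failed): Incorrect password.",
    "Jan 26 20:04:02 hostname pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1",
    "Jan 26 20:04:09 hostname pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [anonymous]",
    "Jan 26 20:05:00 hostname pure-ftpd: (?@127.0.0.1) [WARNING] Authentication failed for user [test]",
]

print(summarize(SAMPLE)[:2])  # probe count and failures per source address
```

A session opened by a remote address is classified as an event and stays in the review list, so connections that get past the access rules are still visible.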
     
  14. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,470
    Likes Received:
    198
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Where's the email coming from? CSF?
     