pure ftp attempted login

keat63

Well-Known Member
Nov 20, 2014
1,916
263
113
cPanel Access Level
Root Administrator
In host access control I have ftp allowed for my home and work ip's and everything else is denied.

Today, i saw a LFD for a PURE_FTP login
The fact that they failed with a username would indicate that host access control didn't stop them.
Am i doing something wrong ?

Jan 14 18:25:07 server pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [anonymous]
 
Last edited:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Hello :)

You can only control access to the ftpd daemon if you use the ProFTPD FTP server. This is because Pure-FTPd does not support TCP wrappers.

Thank you.
 

keat63

Well-Known Member
Nov 20, 2014
1,916
263
113
cPanel Access Level
Root Administrator
Thanks Michael.

As i'm probably the only person who will ftp, i've changed the config to pro-ftp.
Hopefully, this is another security hurdle.
 

keat63

Well-Known Member
Nov 20, 2014
1,916
263
113
cPanel Access Level
Root Administrator
since changing from pure to pro-ftp, i'm now seeing lots of these messages.

Jan 15 12:05:47 server proftpd[18958]: xxx.xx.xx.xxx (127.0.0.1[127.0.0.1]) - FTP session opened.

And then closed again very shortly afterwards.
xxx.xx.xx.xxx is my server IP

Any further ideas ?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
It's normal to see connections from 127.0.0.1 if you have monitoring enabled for that service via the "Service Manager" in Web Host Manager. It's checking to verify the service is up and running.

Thank you.
 

keat63

Well-Known Member
Nov 20, 2014
1,916
263
113
cPanel Access Level
Root Administrator
so is pure-ftp doing the same in the background, but not logging ?
Pro-ftp was logging these every 10 minutes.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
I see the same connection attempts with Pure-FTPd on a test machine in /var/log/messages. EX:

Code:
Jan 20 14:40:34 hostname pure-ftpd: ([email protected]) [INFO] New connection from 127.0.0.1
Do you not see the same type of entries? Is monitoring enabled for Pure-FTPd in the Service Manager?

Thank you.
 

keat63

Well-Known Member
Nov 20, 2014
1,916
263
113
cPanel Access Level
Root Administrator
I can honestly say that if it were, then I never noticed them.
If it's normal behaviour, i'll learn to ignore them.

Thanks
 

keat63

Well-Known Member
Nov 20, 2014
1,916
263
113
cPanel Access Level
Root Administrator
Is there a way to disable these.
I'm getting hundreds of them every night.
I'm starting to think, it might be easier just switching back to pure.

Code:
Jan 26 20:01:16 hostname proftpd[22052]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
Jan 26 20:01:16 hostname proftpd[22052]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.
Jan 26 20:06:50 hostname proftpd[22168]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
Jan 26 20:06:50 hostname proftpd[22168]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.
Jan 26 20:15:18 hostname proftpd[22313]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
Jan 26 20:15:18 hostname proftpd[22313]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.
Jan 26 20:21:16 hostname proftpd[22442]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
Jan 26 20:21:16 hostname proftpd[22442]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.
Jan 26 20:26:16 hostname proftpd[22532]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
Jan 26 20:26:16 hostname proftpd[22532]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.
Jan 26 20:36:17 hostname proftpd[22702]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
Jan 26 20:36:17 hostname proftpd[22702]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.
Jan 26 20:41:17 hostname proftpd[22805]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
Jan 26 20:41:17 hostname proftpd[22805]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.
Jan 26 20:49:15 hostname proftpd[22919]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
Jan 26 20:49:15 hostname proftpd[22919]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.
Jan 26 20:56:18 hostname proftpd[23053]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
Jan 26 20:56:18 hostname proftpd[23053]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Those are normal connection attempts from Chkservd to verify ProFTPd is running well. You can disable monitoring for ProFtpd in the "Service Manager" if you don't want to see those entries.

Thank you.
 

keat63

Well-Known Member
Nov 20, 2014
1,916
263
113
cPanel Access Level
Root Administrator
if i disable monitoring, will this also disable monitoring of genuine logon attempts.
I'd still like to be able to monitor pro-ftp, but kill these false session open, session closed messages.

I guess, as i'm the only person using ftp on the server, i could disable or stop ftp altogether until i need it.
Maybe something to look at in the future once i've settled in.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Those FTP sessions are how Chkservd verifies the service is up. Is this causing some sort of slowness or issues with FTP on your system? What exactly about those entries is a concern for you?

Thank you.
 

keat63

Well-Known Member
Nov 20, 2014
1,916
263
113
cPanel Access Level
Root Administrator
The concern is the amount.

Every hour, the server sends me an email, each one of these emails has a list of about 15-20 entries:
hostname proftpd[22052]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
hostname proftpd[22052]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.

So between 5pm and 8am the next day i have in excess of 20 emails and 200 x

hostname proftpd[22052]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
hostname proftpd[22052]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.

to scan through.