pure ftp attempted login

[keat63]

In host access control I have ftp allowed for my home and work ip's and everything else is denied.

Today, i saw a LFD for a PURE_FTP login
The fact that they failed with a username would indicate that host access control didn't stop them.
Am i doing something wrong ?

Jan 14 18:25:07 server pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [anonymous]

 

[cPanelMichael]

Hello

You can only control access to the ftpd daemon if you use the ProFTPD FTP server. This is because Pure-FTPd does not support TCP wrappers.

Thank you.

 

[keat63]

Thanks Michael.

As i'm probably the only person who will ftp, i've changed the config to pro-ftp.
Hopefully, this is another security hurdle.

 

[keat63]

since changing from pure to pro-ftp, i'm now seeing lots of these messages.

Jan 15 12:05:47 server proftpd[18958]: xxx.xx.xx.xxx (127.0.0.1[127.0.0.1]) - FTP session opened.

And then closed again very shortly afterwards.
xxx.xx.xx.xxx is my server IP

Any further ideas ?

 

[cPanelMichael]

It's normal to see connections from 127.0.0.1 if you have monitoring enabled for that service via the "Service Manager" in Web Host Manager. It's checking to verify the service is up and running.

Thank you.

 

[keat63]

so is pure-ftp doing the same in the background, but not logging ?
Pro-ftp was logging these every 10 minutes.

 

[cPanelMichael]

I see the same connection attempts with Pure-FTPd on a test machine in /var/log/messages. EX:

Jan 20 14:40:34 hostname pure-ftpd: ([email protected]) [INFO] New connection from 127.0.0.1

Do you not see the same type of entries? Is monitoring enabled for Pure-FTPd in the Service Manager?

Thank you.

 

[keat63]

I can honestly say that if it were, then I never noticed them.
If it's normal behaviour, i'll learn to ignore them.

Thanks

 

[keat63]

Is there a way to disable these.
I'm getting hundreds of them every night.
I'm starting to think, it might be easier just switching back to pure.

Jan 26 20:01:16 hostname proftpd[22052]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
Jan 26 20:01:16 hostname proftpd[22052]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.
Jan 26 20:06:50 hostname proftpd[22168]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
Jan 26 20:06:50 hostname proftpd[22168]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.
Jan 26 20:15:18 hostname proftpd[22313]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
Jan 26 20:15:18 hostname proftpd[22313]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.
Jan 26 20:21:16 hostname proftpd[22442]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
Jan 26 20:21:16 hostname proftpd[22442]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.
Jan 26 20:26:16 hostname proftpd[22532]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
Jan 26 20:26:16 hostname proftpd[22532]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.
Jan 26 20:36:17 hostname proftpd[22702]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
Jan 26 20:36:17 hostname proftpd[22702]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.
Jan 26 20:41:17 hostname proftpd[22805]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
Jan 26 20:41:17 hostname proftpd[22805]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.
Jan 26 20:49:15 hostname proftpd[22919]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
Jan 26 20:49:15 hostname proftpd[22919]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.
Jan 26 20:56:18 hostname proftpd[23053]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
Jan 26 20:56:18 hostname proftpd[23053]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.

 

[cPanelMichael]

Those are normal connection attempts from Chkservd to verify ProFTPd is running well. You can disable monitoring for ProFtpd in the "Service Manager" if you don't want to see those entries.

Thank you.

 

[keat63]

if i disable monitoring, will this also disable monitoring of genuine logon attempts.
I'd still like to be able to monitor pro-ftp, but kill these false session open, session closed messages.

I guess, as i'm the only person using ftp on the server, i could disable or stop ftp altogether until i need it.
Maybe something to look at in the future once i've settled in.

 

[cPanelMichael]

Those FTP sessions are how Chkservd verifies the service is up. Is this causing some sort of slowness or issues with FTP on your system? What exactly about those entries is a concern for you?

Thank you.

 

[keat63]

The concern is the amount.

Every hour, the server sends me an email, each one of these emails has a list of about 15-20 entries:
hostname proftpd[22052]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
hostname proftpd[22052]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.

So between 5pm and 8am the next day i have in excess of 20 emails and 200 x

hostname proftpd[22052]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session opened.
hostname proftpd[22052]: xxx.xxx.xxx.xx (127.0.0.1[127.0.0.1]) - FTP session closed.

to scan through.

 

[Infopro]

Where's the email coming from? CSF?