Hello,
Connection to FTP is working but I have a lot of errors.
I have 10 connections / min to poll incoming files, and it is very annoying with 4 failure logs on each connection:
Connections are from the internal network and from outside through OpenVPN to the internal IP.
Oct 28 20:34:37 server proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd25820 ruser=user01 rhost=10.8.0.22 user=user01
Oct 28 20:34:37 server proftpd: pam_unix(proftpd:session): session opened for server user01 by (uid=0)
Oct 28 20:34:37 server proftpd[25820]: 127.0.0.1 (10.8.0.22[10.8.0.22]) - server user01: Login successful.
Oct 28 20:34:37 server proftpd: pam_env(proftpd:setcred): Unable to open config file: /etc/security/pam_env.conf: No such file or directory
Oct 28 20:34:37 server proftpd: pam_systemd(proftpd:session): Failed to connect to system bus: No such file or directory
Oct 28 20:34:37 server proftpd: pam_unix(proftpd:session): session closed for server user01
Oct 28 20:34:37 server proftpd: pam_ldap(proftpd:session): error opening connection to nslcd: No such file or directory
Responses (6)
-
Accepted Answer
Nick Howitt wrote:
I know how to remove them but it is not particularly a good idea. You can edit /etc/clearos/events.d/20-user-auth.conf, I think, and add your own filter. The problem is that this is considered a system configuration file. If you change it then a new rpm will not update it any more. With 7.6 we pushed out a critical update to one of these files and for the people who had edited theirs, they did not get the update. Instead an /etc/clearos/events.d/20-user-auth.conf.rpmnew is created. It may also be possible to edit /etc/pam.d/system-auth-ac but I've had mixed success there.
To remove what? All failure logins? No no no... What is the point of this alert if I filter it out?
What I did with the previous message was to filter some messages so they do not enter the log file...
I hope someone will point me in the right direction to make a setting that prevents this message from appearing in the first place. It is not normal for an authentication mechanism to work and generate 5 failure messages... This is generated by an incorrectly configured service and/or authentication methods for that service.
I am not an expert, but is the /etc/pam.d/system-auth-ac file generated by authconfig? Maybe in this file some lines are in the incorrect order or have incorrect parameters?
Nick Howitt wrote:
You can prune the events database quickly with:
    systemctl stop clearsync.service
    rm -f /var/lib/csplugin-events/events.db
    systemctl start clearsync.service
There may be neater ways for just the proftpd events.
this did the job, thanks
-
Accepted Answer
I know how to remove them but it is not particularly a good idea. You can edit /etc/clearos/events.d/20-user-auth.conf, I think, and add your own filter. The problem is that this is considered a system configuration file. If you change it then a new rpm will not update it any more. With 7.6 we pushed out a critical update to one of these files and for the people who had edited theirs, they did not get the update. Instead an /etc/clearos/events.d/20-user-auth.conf.rpmnew is created. It may also be possible to edit /etc/pam.d/system-auth-ac but I've had mixed success there.
You can prune the events database quickly with:
    systemctl stop clearsync.service
    rm -f /var/lib/csplugin-events/events.db
    systemctl start clearsync.service
There may be neater ways for just the proftpd events.
-
Accepted Answer
solved for /var/log/secure
Oct 29 15:26:04 server proftpd: pam_unix(proftpd:session): session opened for user user by (uid=0)
Oct 29 15:26:04 server proftpd[10651]: 127.0.0.1 (10.8.0.38[10.8.0.38]) - USER user: Login successful.
Oct 29 15:26:04 server proftpd: pam_unix(proftpd:session): session closed for user user
Still present in the webapp events and notifications:
Authentication failure for user via proftpd from 10.8.0.38 2019-10-29 15:26:04
User user logged in via proftpd 2019-10-29 15:26:04
User user logged out via proftpd 2019-10-29 15:26:04
Another issue with events and notifications is with acknowledging messages... I press the button, the events are cleared, and a few thousand appear again.
Thanks
-
Accepted Answer
Solved for all logs in /var/log/secure
Oct 29 15:26:04 server proftpd: pam_unix(proftpd:session): session opened for user user by (uid=0)
Oct 29 15:26:04 server proftpd[10651]: 127.0.0.1 (10.8.0.38[10.8.0.38]) - USER user: Login successful.
Oct 29 15:26:04 server proftpd: pam_unix(proftpd:session): session closed for user user
However, in the webapp https://server:81/app/events I have one failure log on each login:
Authentication failure for user via proftpd from 10.8.0.38 2019-10-29 15:26:04
User user logged in via proftpd 2019-10-29 15:26:04
User user logged out via proftpd 2019-10-29 15:26:04
and another 100.000... I press acknowledge all and after a while I have a few thousand or tens of thousands to acknowledge.
Thanks
-
Accepted Answer
Rsyslog contains some good filtering possibilities. I have a number of filters for proftpd although they can probably be combined. Create a file /etc/rsyslog.d/anything_you_like.conf but it must end in .conf. A section of my file reads:
    # ProFTPD
    if ($programname == 'proftpd' and $msg contains 'ourfamily') then stop
    if ($programname == 'proftpd' and $msg contains 'Unable to open config file: /etc/security/pam_env.conf: Permission denied') then stop
    if ($programname == 'proftpd' and $msg contains 'Failed to connect to system bus: Permission denied') then stop
    if ($programname == 'proftpd' and $msg contains 'error opening connection to nslcd: Permission denied') then stop
    if ($programname == "systemd-logind") and (($msg contains "New session" and $msg contains "ourfamily") or $msg contains "Removed session") then stop
Modify it as you like and combine lines if you want. Restart the rsyslog service after making any changes.
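
Added example, not part of the posts above or of ClearOS: a Python check that emulates the `$programname == 'proftpd' and $msg contains ...` rules against log lines copied from this thread, to see what a rule set would drop before restarting rsyslog and to refuse any rule set that would hide an authentication failure. The syslog-line regex, the helper names and the `NARROW` variant (the same substrings with the trailing error text removed) are assumptions of this sketch.

```python
import re

# Substrings taken from the proftpd rules in the post above.
PROFTPD_DROP = [
    "Unable to open config file: /etc/security/pam_env.conf: Permission denied",
    "Failed to connect to system bus: Permission denied",
    "error opening connection to nslcd: Permission denied",
]
# Assumed variant: same substrings without the trailing error text.
NARROW = [n.rsplit(": ", 1)[0] for n in PROFTPD_DROP]

# Log lines copied from the first post of this thread.
SAMPLE = [
    "Oct 28 20:34:37 server proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd25820 ruser=user01 rhost=10.8.0.22 user=user01",
    "Oct 28 20:34:37 server proftpd[25820]: 127.0.0.1 (10.8.0.22[10.8.0.22]) - server user01: Login successful.",
    "Oct 28 20:34:37 server proftpd: pam_env(proftpd:setcred): Unable to open config file: /etc/security/pam_env.conf: No such file or directory",
    "Oct 28 20:34:37 server proftpd: pam_systemd(proftpd:session): Failed to connect to system bus: No such file or directory",
    "Oct 28 20:34:37 server proftpd: pam_ldap(proftpd:session): error opening connection to nslcd: No such file or directory",
]

# "Mon DD HH:MM:SS host program[pid]: message" (pid is optional).
LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} (\S+) ([^\s:\[]+)(?:\[\d+\])?:(.*)$")

def parse(line):
    """Split a line into (programname, msg), roughly as rsyslog exposes them."""
    m = LINE.match(line)
    if not m:
        raise ValueError("not a syslog line: " + line)
    return m.group(2), m.group(3)

def dropped(line, needles=PROFTPD_DROP):
    """True if a 'programname == proftpd and msg contains needle' rule fires."""
    prog, msg = parse(line)
    return prog == "proftpd" and any(n in msg for n in needles)

def audit(lines, needles):
    """Return (kept, dropped); reject rule sets that hide auth failures."""
    kept = [l for l in lines if not dropped(l, needles)]
    gone = [l for l in lines if dropped(l, needles)]
    if any("authentication failure" in l for l in gone):
        raise ValueError("rule set suppresses authentication failures")
    return kept, gone

if __name__ == "__main__":
    for name, rules in (("as posted", PROFTPD_DROP), ("narrow", NARROW)):
        kept, gone = audit(SAMPLE, rules)
        print(name, "kept:", len(kept), "dropped:", len(gone))
```

With the substrings as posted, nothing in the sample is dropped, because these messages end in "No such file or directory"; the `NARROW` variant drops the three PAM noise lines and keeps the failure and login lines.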