
getting ftp error in syslog

 
laiju.c.babu
Regular Advisor

getting ftp error in syslog

Hi Team.

 

I am getting the below ftp error in syslog for a user gtrftp. User gtrftp is doing ftp within the server.

 

Dec 28 00:01:30 ******* ftpd[1741]: USER gtrftp

Dec 28 00:01:30 ******* ftpd[1741]: PASS password

Dec 28 00:01:30 ******* ftpd[1741]: FTP LOGIN FROM ******.**.com [10.146.136.110], gtrftp

Dec 28 00:01:30 ******* ftpd[1739]: PWD

Dec 28 00:01:30 ******* ftpd[1739]: CWD /usr

Dec 28 00:01:30 ******* ftpd[1739]: CWD tmp

Dec 28 00:01:30 ******* ftpd[1739]: PASV

Dec 28 00:01:30 ******* ftpd[1739]: QUIT

Dec 28 00:01:30 ******* ftpd[1739]: FTP session closed

 

 

But for other users I am getting the below logs in the syslog. Here the user oradtg is doing ftp from another server.

 

Dec 27 23:41:33 ******* ftpd[13597]: USER oradtg

Dec 27 23:41:33 ******* ftpd[13597]: PASS password

Dec 27 23:41:33  ******* ftpd[13597]: FTP LOGIN FROM ******.**.com [199.52.48.163], oradtg

Dec 27 23:41:34 ******* ftpd[13597]: CWD /archive/gtr/F3PR/arch

Dec 27 23:41:34  *******ftpd[13597]: PORT

Dec 27 23:41:34 ******* ftpd[13597]: NLST *stby

Dec 27 23:42:03 ******* ftpd[12429]: FTP session closed

 

Could you please tell me what is happening when we are using the account gtrftp?

 

Regards

 

Laiju.C.Babu
6 REPLIES
Steven Schweda
Honored Contributor

Re: getting ftp error in syslog

 
laiju.c.babu
Regular Advisor

Re: getting ftp error in syslog

Hi Steven,

 

Thanks for the reply.

 

The problem which I am facing is below.

 

We have one PeopleSoft application running in the server. There is one function in that application which will copy a file from /usr/tmp to another directory of the same server. As per the update from the developers team, this file transfer is happening using ftp using the account gtrftp. Hence I checked the syslog and got the above logs.

 

Regards

 

Laiju.C.Babu
Steven Schweda
Honored Contributor

Re: getting ftp error in syslog

 
Matti_Kurkela
Honored Contributor

Re: getting ftp error in syslog

I think I've seen a pattern like this before...

 

In the case of the gtrftp user, the PASV command is preparation for a data transfer of some sort (either to transfer a file, or to transfer a directory listing). PASV means the client is requesting the server to be the "passive" endpoint of a data transfer connection, i.e. the server will respond to the PASV command with an IP address and a dynamically-allocated port number the client should use to establish a second connection for the actual data transfer.


Apparently something goes wrong with the establishment of the data transfer connection (e.g. a firewall rejects the second connection, or a NAT device does not properly convert the PASV response to match the NATted address, so the FTP client will end up connecting to the wrong IP/port). As a result, the non-interactive FTP client just aborts the FTP connection completely.

(The FTP client is obviously scripted/non-interactive: according to the log timestamps, the gtrftp user issued all the commands within a single second.)

 

To understand what is happening, you'll need to know what happened at the client end after it received the PASV response. The client probably detected some error condition at that point - what was it exactly?

 

The PORT command used by the oradtg user is another way to prepare an FTP data transfer connection. With the PORT command, the client is requesting the server to be the "active" endpoint of the data transfer connection. In this case, the server opens a connection to the IP+port specified by the client, which is a reversal of the normal roles for most protocols.

 

(A method called FXP exists, where a single FTP client can command two FTP servers to exchange files with each other directly, without routing the data through the client at all. In this case, the client will establish an FTP login to each server, send a PASV command to one server and forward the IP+port response to the other server using the PORT command. This method can be abused, so some modern FTP servers will not allow it by default.)

MK
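
The pattern described in the reply above can be checked for mechanically. This is an added example, not code from any post in this thread: it scans ftpd syslog lines and reports sessions that issued PASV or PORT but closed without a transfer command following. The function name, the command sets and the placeholder host names are assumptions; the sample lines are constructed from the format quoted in the question.

```python
import re

# Constructed sample in the syslog format quoted in the thread; the host names
# "host1" and "*.example.com" are placeholders.
SAMPLE = """\
Dec 28 00:01:30 host1 ftpd[1741]: FTP LOGIN FROM a.example.com [10.146.136.110], gtrftp
Dec 28 00:01:30 host1 ftpd[1739]: CWD /usr
Dec 28 00:01:30 host1 ftpd[1739]: CWD tmp
Dec 28 00:01:30 host1 ftpd[1739]: PASV
Dec 28 00:01:30 host1 ftpd[1739]: QUIT
Dec 28 00:01:30 host1 ftpd[1739]: FTP session closed
Dec 27 23:41:33 host1 ftpd[13597]: FTP LOGIN FROM b.example.com [199.52.48.163], oradtg
Dec 27 23:41:34 host1 ftpd[13597]: CWD /archive/gtr/F3PR/arch
Dec 27 23:41:34 host1 ftpd[13597]: PORT
Dec 27 23:41:34 host1 ftpd[13597]: NLST *stby
Dec 27 23:42:03 host1 ftpd[12429]: FTP session closed
"""

MSG = re.compile(r"ftpd\[\d+\]: (.*)$")
LOGIN = re.compile(r"FTP LOGIN FROM \S+ \[([\d.]+)\], (\S+)")
SETUP = {"PASV", "PORT", "EPSV", "EPRT"}  # prepare a data connection
TRANSFER = {"LIST", "NLST", "MLSD", "RETR", "STOR", "APPE", "STOU"}  # use it

def find_stalled_sessions(log_text):
    """Return (user, client_ip, setup_cmd) per session that prepared a data
    connection but closed with no transfer command logged. Sessions must not
    interleave; the PID is not a key (it changes mid-session in the thread)."""
    stalled, cur = [], None
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        msg = m.group(1).strip()
        login = LOGIN.match(msg)
        verb = msg.split(" ", 1)[0].upper()
        if login:
            cur = {"ip": login.group(1), "user": login.group(2), "pending": None}
        elif cur is None:
            continue
        elif msg == "FTP session closed":
            if cur["pending"]:
                stalled.append((cur["user"], cur["ip"], cur["pending"]))
            cur = None
        elif verb in SETUP:
            cur["pending"] = verb
        elif verb in TRANSFER:
            cur["pending"] = None
    return stalled

print(find_stalled_sessions(SAMPLE))
```

A flagged session only shows that the client gave up after the setup command; the reason still has to come from the client side or from firewall logs.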
Bill Hassell
Honored Contributor

Re: getting ftp error in syslog

PASSIVE mode is virtually mandatory these days due to firewalls and NAT for servers behind firewalls. I always recommend PASSIVE as the *first* command after a login.



Bill Hassell, sysadmin
Steven Schweda
Honored Contributor

Re: getting ftp error in syslog