Operating System - HP-UX

Re: FTP Messages - Filling up Syslog

 
Manoj Sooka
Occasional Advisor

FTP Messages - Filling up Syslog

Hello All

Could someone please assist. On 2 of our servers, messages like the following keep filling up the Syslog. I do not know what is generating the messages as these do not seem to be normal FTP session messages. Any help will be appreciated. I am leaving now and will check your responses tomorrow. Many thanks
Manoj

Apr 22 02:16:13 GFTS ftpd[14070]: FTP session closed
Apr 22 02:16:58 GFTS ftpd[14071]: FTP session closed
Apr 22 02:17:28 GFTS ftpd[14076]: FTP session closed
Apr 22 02:17:43 GFTS ftpd[14077]: FTP session closed
Apr 22 02:18:13 GFTS ftpd[14083]: FTP session closed
Apr 22 02:18:29 GFTS ftpd[14084]: FTP session closed
Apr 22 02:18:58 GFTS ftpd[14085]: FTP session close
9 REPLIES
James R. Ferguson
Acclaimed Contributor

Re: FTP Messages - Filling up Syslog

Hi:

You appear to have enabled logging for the 'ftpd' daemon. Logging is enabled by adding the '-l' argument to the 'ftpd' daemon when it is spawned by 'inetd'. Your '/etc/inetd.conf' file will contain a specification something like this:

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l

Eliminate the '-l' from the line above and restart 'inetd' thusly:

# /usr/sbin/inetd -c

Regards!

...JRF...
James R. Ferguson
Acclaimed Contributor

Re: FTP Messages - Filling up Syslog

Hi (again):

In addition, you may have other ftp commands being logged that you want to suppress. These would be armed with the '-L' argument for the ftp daemon as I described above. See the 'ftpd(1M)' man pages for more information.

Regards!

...JRF...
Helen French
Honored Contributor
Solution

Re: FTP Messages - Filling up Syslog

To trace down, you could probably observe the ftp connection from your clients. You will be able to find the IP addresses and other network related details from netstat command. Check the output and find out the client or process which is trying to do ftp. Also, check if any cron process is set up.

Now, if you do not want any ftp access to be logged on the syslog, then you can use the -l option with ftpd daemon on /etc/inetd.conf file. I wouldn't do this since it's a security risk.
Life is a promise, fulfill it!
Bill Douglass
Esteemed Contributor

Re: FTP Messages - Filling up Syslog

You can also use the ftpaccess file to control logging of commands and/or file transfers.

This lets you break logging down into real, guest and anonymous users (the log you posted looks like it came from an ftp monitoring engine, so eliminating anonymous ftp logging might fix your problem).

See the ftpaccess and ftpd man pages, esp. "log commands" and "log transfers" in ftpaccess.
Tim Sanko
Trusted Contributor

Re: FTP Messages - Filling up Syslog

Do you have "what's up" or Solar Winds installed? Either one will produce a similar end result.

Solution: don't log or
grep -v "FTP session" syslog.log> tmpfile; cp tmpfile syslog.log
Geoff Wild
Honored Contributor

Re: FTP Messages - Filling up Syslog

As an aside, to get them out of syslog.log, modify your /etc/syslog.conf file as follows:

mail.debug /var/adm/syslog/mail.log
daemon.info;mail.none /var/adm/syslog/daemon.log

Then restart syslogd

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Steven E. Protter
Exalted Contributor

Re: FTP Messages - Filling up Syslog

For security reasons, you probably want the -l option enabled in inetd.conf

It's easy to turn off but that makes dealing with a ftp security issue that much harder after the fact.

So, I recommend leaving it on and making sure /var has enough space.

I have a weekly job to manage syslog on servers that don't get booted that often.

It does two things.

It copies off the old file with a date to the /backups filesystem. There is another cron job that cleans that up after 4 weeks.

The next step is to clean syslog.

> /var/adm/syslog/syslog.log

Solves the problem, maintains some level of auditing. Turning off the -l on the ftpd daemon has caused people to get written up in security audits.

The real long term answer is to stop using ftp at all. Here is the software and docs you need to start that long process.


Secure shell
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA

A cookbook is attached.

Even more is my general security product list, which is way beyond the scope of your question, but I'm on a roll.

Bastille Security hardening
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA

Perl which the above needs.
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=PERL

Security Patch Check
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA

TCP Wrappers

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=TCPWRAP

IDS/9000 (Intrusion Detection System)

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=J5083AA


SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
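
The weekly job described in the post above (dated copy, truncate in place, prune after 4 weeks), sketched as an added example that is not part of the original post. The function name `rotate_syslog` and its arguments are assumptions; the paths in the usage comment are the ones named in the post.

```shell
#!/bin/sh
# Added example (not from the thread): archive a log with a date stamp,
# truncate it in place, and prune archives older than KEEP_DAYS.
# Usage: rotate_syslog LOG ARCHIVE_DIR [KEEP_DAYS]
rotate_syslog() {
    log=$1
    archive_dir=$2
    keep_days=${3:-28}      # the post keeps archives for 4 weeks

    [ -f "$log" ] || { echo "no such log: $log" >&2; return 1; }
    mkdir -p "$archive_dir" || return 1

    base=$(basename "$log")
    dest="$archive_dir/$base.$(date +%Y%m%d)"
    # Never overwrite an archive written earlier the same day.
    n=0
    while [ -e "$dest" ]; do
        n=$((n + 1))
        dest="$archive_dir/$base.$(date +%Y%m%d).$n"
    done

    # Copy first (-p keeps owner and mode); truncate only if the copy succeeded.
    cp -p "$log" "$dest" || return 1
    # Truncate rather than delete so syslogd keeps writing to its open file.
    # Lines written between the cp and this point are lost.
    : > "$log"

    # Prune old archives of this log only.
    find "$archive_dir" -type f -name "$base.*" -mtime +"$keep_days" -exec rm -f {} \;
    echo "$dest"
}

# Run from cron with explicit arguments, e.g. the paths named in the post:
#   rotate_syslog /var/adm/syslog/syslog.log /backups
if [ "$#" -ge 2 ]; then
    rotate_syslog "$@"
fi
```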
Michael Tully
Honored Contributor

Re: FTP Messages - Filling up Syslog

I was actually yesterday turning this stuff on, so to trace stuff coming in.

You may have these set up:
In your /etc/inetd.conf file you could have the entry for ftp as

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -lv

Remove the 'v' and 'l' if you are not satisfied. You may wish to check what your other systems have as well.
There is one further thing, in /etc/syslog.conf, have local5 removed if you have it.

If you make changes to either of these files, then run these, they will get the daemons to re-read current configs.

for inetd.conf
# inetd -c

for syslog.conf
# kill -HUP `cat /var/run/syslog.pid`

HTH
Michael
Anyone for a Mutiny ?
Cheryl Griffin
Honored Contributor

Re: FTP Messages - Filling up Syslog

For each of these messages, is there an associated message that might say something else? Note the 14070 in this example, "ftpd[14070]: FTP session closed" is the PID. There may be some other error that needs correcting in addition to checking if logging is enabled.
"Downtime is a Crime."
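
One way to run the per-PID check suggested in the post above, as an added example that is not part of the original thread: it groups syslog lines by ftpd PID and lists the PIDs whose only message is the session-closed line. The function names and the two lines marked "constructed" in the sample are assumptions; the other sample lines are from the original question.

```shell
#!/bin/sh
# Added example (not from the thread). Prints "PID first-seen-time" for every
# ftpd PID that logged nothing except "FTP session closed".
# PIDs are reused over time, so run this over a short window of the log.
ftpd_close_only() {
    awk '
    $5 ~ /^ftpd\[[0-9]+\]:$/ {
        pid = $5
        sub(/^ftpd\[/, "", pid); sub(/\]:$/, "", pid)
        msg = $0
        sub(/^.*ftpd\[[0-9]+\]: /, "", msg)
        total[pid]++
        # Prefix match also catches a truncated "FTP session close" line.
        if (msg ~ /^FTP session close/) closed[pid]++
        if (!(pid in first)) { first[pid] = $3; order[++n] = pid }
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            if (closed[p] == total[p]) print p, first[p]
        }
    }' "$@"
}

# Sample input: lines from the question plus two constructed lines.
sample_log() {
    cat <<'EOF'
Apr 22 02:16:13 GFTS ftpd[14070]: FTP session closed
Apr 22 02:16:58 GFTS ftpd[14071]: FTP session closed
Apr 22 02:17:05 GFTS ftpd[14090]: constructed login line for this example
Apr 22 02:17:20 GFTS ftpd[14090]: FTP session closed
Apr 22 02:17:21 GFTS inetd[900]: constructed non-ftpd line
Apr 22 02:18:58 GFTS ftpd[14085]: FTP session close
EOF
}

sample_log | ftpd_close_only
```

To check a real log, pass the file instead: `ftpd_close_only /var/adm/syslog/syslog.log`.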