How to trace ftp logins?

Selvaraj
Advisor

How to trace ftp logins?

Hello experts,

We noticed someone trying to ftp to our server via a cronjob (every hour) with incorrect login attempts. We were able to see those failed attempts in the /var/adm/syslog/syslog.log file as shown below (truncated message):

============================================
Oct 30 10:09:45 ma02cp02 ftpd[5168]: pam_authenticate: Authentication failed 134217759
Oct 30 10:09:45 ma02cp02 ftpd[5168]: User xioadm: Login incorrect
Oct 30 10:09:45 ma02cp02 ftpd[5168]: FTP session closed
============================================

Can anyone tell us how to trace who is trying to ftp to our server? Is there any other log file available to trace this issue?

Thanks in advance,
Have a great day!!!!
You can do it man !
Christopher McCray_1
Honored Contributor

Re: How to trace ftp logins?

Hello,

There isn't an entry somewhere in the syslog at the same time that says this?? For example:

Jul 20 11:56:23 scsdata1 inetd[3379]: ftp/tcp: Connection from p3EE24E2C.dip.t-dialin.net (62.226.78.44) at Sat Jul 20 11:56:23 2002

Here is an example from my syslog file where this individual tried to make a connection (He was later refused because of our tcp wrappers). The next step we take is that we go to the web-based whois site:

http://www.swhois.net/

To determine who it is and report the attempt according to its severity.

Hope this helps

Chris

It wasn't me!!!!
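The correlation Chris describes (an inetd "Connection from" line logged at the same time as the ftpd failure) can be done over the whole syslog.log rather than by eye. The following is an added example, not code from the thread or from HP-UX: it attributes every "Login incorrect" entry to the source address of the most recent inetd ftp/tcp connection before it and counts failures per address and user. The sample log lines are constructed (hostnames, addresses and year are made up) and follow the two formats quoted in the thread; it assumes a single FTP session at a time, so overlapping sessions would need ftpd's own per-PID logging instead.

```shell
#!/bin/sh
# Added example (not from the thread): correlate inetd's "ftp/tcp: Connection
# from" entries with ftpd's "Login incorrect" entries in syslog.log, so each
# failed FTP login is reported with the address inetd recorded for the
# session that preceded it.  Assumes the log formats quoted in the thread.

# Constructed sample of /var/adm/syslog/syslog.log (not real log data).
SAMPLE_LOG=${TMPDIR:-/tmp}/ftp_trace_sample.$$
cat > "$SAMPLE_LOG" <<'EOF'
Oct 30 10:09:44 ma02cp02 inetd[2313]: ftp/tcp: Connection from host-a.example (10.220.227.99) at Thu Oct 30 10:09:44 2003
Oct 30 10:09:45 ma02cp02 ftpd[5168]: pam_authenticate: Authentication failed 134217759
Oct 30 10:09:45 ma02cp02 ftpd[5168]: User xioadm: Login incorrect
Oct 30 10:09:45 ma02cp02 ftpd[5168]: FTP session closed
Oct 30 10:31:02 ma02cp02 inetd[2313]: telnet/tcp: Connection from host-b.example (192.0.2.10) at Thu Oct 30 10:31:02 2003
Oct 30 11:09:44 ma02cp02 inetd[2313]: ftp/tcp: Connection from host-a.example (10.220.227.99) at Thu Oct 30 11:09:44 2003
Oct 30 11:09:45 ma02cp02 ftpd[5401]: User xioadm: Login incorrect
Oct 30 11:09:45 ma02cp02 ftpd[5401]: FTP session closed
Oct 30 11:20:10 ma02cp02 inetd[2313]: ftp/tcp: Connection from host-b.example (192.0.2.10) at Thu Oct 30 11:20:10 2003
Oct 30 11:20:12 ma02cp02 ftpd[5455]: User guest: Login incorrect
Oct 30 11:20:12 ma02cp02 ftpd[5455]: FTP session closed
EOF

# Print "source-ip user count" for every failed FTP login in the given
# syslog file.  The most recent inetd ftp/tcp connection before a failure is
# taken as its source; the address is forgotten once that session closes.
ftp_failed_sources() {
    awk '
    /inetd\[[0-9]+\]: ftp\/tcp: Connection from/ {
        # the source address is the dotted quad in parentheses
        if (match($0, /\([0-9.]+\)/)) last_ip = substr($0, RSTART + 1, RLENGTH - 2)
        next
    }
    /ftpd\[[0-9]+\]: User .*: Login incorrect/ {
        user = $7; sub(/:$/, "", user)            # "xioadm:" -> "xioadm"
        src = (last_ip == "") ? "unknown" : last_ip
        count[src " " user]++
    }
    /ftpd\[[0-9]+\]: FTP session closed/ { last_ip = "" }
    END { for (k in count) print k, count[k] }
    ' "$1" | sort
}

# Demonstration on the constructed sample (the file is left in place so it
# can be inspected; remove it when done).
ftp_failed_sources "$SAMPLE_LOG"
```

Run it against the real file with `ftp_failed_sources /var/adm/syslog/syslog.log`; an address that keeps appearing with the same user at hourly intervals is the cron job from the original question. Because the telnet/tcp line is skipped, connections to other inetd services never get blamed for an FTP failure.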
Andreas Voss
Honored Contributor

Re: How to trace ftp logins?

Hi,

At HP-UX 11.00 add the options -l -L -v,
at HP-UX 10.20 add the options -l -v
to ftpd in /etc/inetd.conf.
After editing, let inetd reread it with inetd -c

Regards
James R. Ferguson
Acclaimed Contributor

Re: How to trace ftp logins?

Hi:

Add logging options to the 'ftpd' as defined in the 'ftpd' daemon service line in '/etc/inetd.conf'. See the man pages for 'ftpd (1M)'. You can also enable use of the '/etc/ftpd/ftpaccess' file's specifications for this purpose. See 'man 4 ftpaccess' for more information.

Remember to reread your 'inetd' file changes with:

# /usr/sbin/inetd -c

Regards!

...JRF...
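Both replies above describe the same procedure: add ftpd's logging flags to its service line in /etc/inetd.conf and then run `inetd -c`. The script below is an added example (not from the thread, not an HP tool) that makes the edit on a copy of inetd.conf so the result can be checked before it is installed. It assumes the HP-UX form of the line (`ftp stream tcp nowait root /usr/lbin/ftpd ftpd ...`, with ftpd's arguments from the eighth field on) and that the flags are written separately (`-l -L -v`, not `-lLv`); the inetd.conf excerpt it operates on is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): add ftpd logging options to the ftp
# service line of an inetd.conf copy, idempotently, so the change can be
# reviewed before it is installed and inetd is told to reread it.
# Assumes the HP-UX line layout: field 6 is the ftpd path, field 7 is
# argv[0] ("ftpd"), fields 8.. are ftpd's options, given one per field.

# add_ftpd_flags <inetd.conf copy> <flag>...   (adds only the flags missing)
add_ftpd_flags() {
    conf=$1; shift
    awk -v want="$*" '
    BEGIN { n = split(want, flags, " ") }
    $1 == "ftp" && $6 ~ /\/ftpd$/ {
        line = $0
        for (i = 1; i <= n; i++) {
            present = 0
            for (j = 8; j <= NF; j++) if ($j == flags[i]) present = 1
            if (!present) line = line " " flags[i]
        }
        print line; next
    }
    { print }                      # every other service line is left as is
    ' "$conf" > "$conf.new" && mv "$conf.new" "$conf"
}

# ftpd_line <inetd.conf>   prints the ftp service line for inspection
ftpd_line() { awk '$1 == "ftp" && $6 ~ /\/ftpd$/' "$1"; }

# Constructed excerpt of /etc/inetd.conf (not a real file).
CONF=${TMPDIR:-/tmp}/inetd.conf.sample.$$
cat > "$CONF" <<'EOF'
# constructed excerpt, not a real /etc/inetd.conf
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
EOF

add_ftpd_flags "$CONF" -l -L -v      # HP-UX 11.00 set; use -l -v on 10.20
ftpd_line "$CONF"
```

Only after the printed line looks right should the copy be installed as /etc/inetd.conf and `/usr/sbin/inetd -c` run, as JRF says. Running the function a second time changes nothing, which is what you want if the step ends up in a build script.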
Selvaraj
Advisor

Re: How to trace ftp logins?

Hi all,

Thanks for your responses.

I modified the "inetd.conf" file and reread the conf file using "inetd -c", but I can see only the successful login address in the syslog file. Those unsuccessful ftp logins are not showing the IP address.

I also modified the "ftpaccess" file to set "supresshostname" to "no". That didn't work out.

Finally I grepped "ftpd" continuously at the time of the ftp login and got the IP address as shown below. Is there any other method to trace the IP address of unsuccessful ftp logins?

Thanks

=============================================
root 25215 23102 1 13:09:44 ttyp3 0:00 grep ftpd
root 25218 23102 1 13:09:44 ttyp3 0:00 grep ftpd
root 25221 23102 1 13:09:44 ttyp3 0:00 grep ftpd
root 25225 23102 1 13:09:44 ttyp3 0:00 grep ftpd
root 25222 2313 2 13:09:44 ? 0:00 ftpd: 10.220.227.99: connected
root 25228 23102 1 13:09:44 ttyp3 0:00 grep ftpd
root 25222 2313 2 13:09:44 ? 0:00 ftpd: 10.220.227.99: connected
root 25231 23102 1 13:09:44 ttyp3 0:00 grep ftpd
root 25222 2313 2 13:09:44 ? 0:00 ftpd: 10.220.227.99: connected
root 25234 23102 1 13:09:44 ttyp3 0:00 grep ftpd
=============================================

You can do it man !
Christopher McCray_1
Honored Contributor

Re: How to trace ftp logins?

Hello again,

For your last question, I have two thoughts:

1. Do you have the following entry in your /etc/ftpd/ftpaccess file:

log commands (i.e. real,guest,anonymous)

2. I would do a grep on refused in the syslog.log, which is what I do to get the refused logins. If you implemented the options for ftpd in inetd.conf the others suggested, you should see output if it is a refused connect.

Hope this helps

Chris

It wasn't me!!!!