
Numerous ftpd login attempts in syslog

 
wvsa
Regular Advisor

Numerous ftpd login attempts in syslog

Greetings fellow admins;

In the syslog file in one of our hpux 11.11 servers there are dozens of ftpd messages indicating someone or more likely some process is attempting to ftp to the server. I have turned on some security in inetd.conf for ftpd, it is running with the -L -l -a options. Still I cannot figure out who or what is creating the numerous ftp login attempts. Wondering if anyone had a suggestion as to how I could find the culprit.

Thank you for responses.

Norm
4 REPLIES 4
Jeeshan
Honored Contributor

Re: Numerous ftpd login attempts in syslog

check this command

netstat -an|grep

or check the hosts that connected to your system
a warrior never quits
wvsa
Regular Advisor

Re: Numerous ftpd login attempts in syslog

Ahsan;

Thanks for the response, but I need a way to monitor the ftp port, there are only certain times of the day when the numerous ftp attempts occur. Sorry did not make that clear in my original post.
Murat SULUHAN
Honored Contributor

Re: Numerous ftpd login attempts in syslog

Hi

You can use proftpd daemon for FTP serving.
It's more configurable so you use its mod_log features (logformat directive)

proftpd
http://hpux.cs.utah.edu/hppd/hpux/Networking/FTP/proftpd-1.3.1/

The LogFormat directive can be used to create a custom logging format for use with the ExtendedLog directive. Once created, the format can be referenced by the specified nickname. The format-string argument can consist of any combination of letters, numbers and symbols. The special character % is used to start a meta-sequence (see below). To insert a literal % character, use %%.

The following meta sequences are available and are replaced as indicated when logging.

%a  Remote client IP address
%A  Anonymous username (password given), or UNKNOWN if non-anonymous
%b  Bytes sent for request
%d  Directory name (not full path) for CDUP, CWD, MKD, RMD, XCWD, XCUP, XMKD, XRMD
%D  Directory name (full path) for CDUP, CWD, MKD, RMD, XCWD, XCUP, XMKD, XRMD
%{FOOBAR}e  Contents of environment variable FOOBAR. Note that the server does not set any environment variables itself.
%f  Filename stored or retrieved, absolute path (not chrooted)
%F  Filename stored or retrieved, as the client sees it
%h  Remote client DNS name
%l  Remote username (from ident), or UNKNOWN if ident lookup failed
%L  Local server IP address
%m  Command (method) name received from client, e.g., RETR
%p  Local server port number
%P  Local server process id (pid)
%r  Full command line received from client
%s  Numeric FTP response code (status)
%t  Current local time
%{format}t  Current local time formatted (strftime(3) format)
%T  Time taken to transmit/receive file, in seconds
%u  Local authenticated userid
%U  USER name originally sent by the client
%v  ServerName of server handling session
%V  DNS name of server handling session

So you can monitor your ftp connections.

you should also look at access controls
http://www.proftpd.org/localsite/Userguide/linked/c922.html#AEN925

Best Regards
Murat
Murat Suluhan
wvsa
Regular Advisor

Re: Numerous ftpd login attempts in syslog

Greetings all;

James F and Bill Hassell assisted in providing a solution, used lsof -i running in cron and changed ftpd options in inetd.conf to ftpd -L -l -i -o -a

Thanks for your responses.
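
The approach named in the last post (lsof -i run from cron), sketched as an added example that is not code from the thread or its participants. The script path, the log path and the sample lsof output are constructed assumptions; the FTP control port is assumed to be 21.

```shell
#!/bin/sh
# Added example: record which remote hosts hold connections to the local FTP port.
# Assumptions: lsof is installed, FTP control port is 21, LOG path is a placeholder.
FTP_PORT=21
LOG=${FTP_WATCH_LOG:-/var/adm/ftp_watch.log}   # hypothetical location

# Constructed sample of `lsof -n -P -i TCP:21` output (not from the thread).
sample_lsof() {
cat <<'EOF'
COMMAND  PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
inetd    912 root  5u  IPv4 0x1         0t0  TCP *:21 (LISTEN)
ftpd    4410 root  0u  IPv4 0x2         0t0  TCP 10.1.1.5:21->192.0.2.44:51022 (ESTABLISHED)
ftpd    4410 root  1u  IPv4 0x2         0t0  TCP 10.1.1.5:21->192.0.2.44:51022 (ESTABLISHED)
ftpd    4475 root  0u  IPv4 0x3         0t0  TCP 10.1.1.5:21->192.0.2.44:51030 (ESTABLISHED)
ftp     5001 norm  3u  IPv4 0x4         0t0  TCP 10.1.1.5:40111->198.51.100.7:21 (ESTABLISHED)
EOF
}

# Read lsof output on stdin; print "<remote-ip> <connections>" for sockets
# whose local end is port $1 (inbound sessions only).
ftp_peers() {
    awk -v port="$1" '
    {
        for (i = 1; i <= NF; i++) {
            if ($i !~ /->/ || seen[$i]++) continue     # one count per socket, not per fd
            split($i, ends, "->")
            n = split(ends[1], loc, ":")
            if (loc[n] != port) continue               # skip outbound ftp clients
            peer = ends[2]; sub(/:[^:]*$/, "", peer)   # drop the remote port
            count[peer]++
        }
    }
    END { for (p in count) print p, count[p] }' | sort
}

# Take one timestamped snapshot of the live system.
snapshot() {
    stamp=$(date '+%Y-%m-%d %H:%M:%S')
    lsof -n -P -i "TCP:$FTP_PORT" 2>/dev/null | ftp_peers "$FTP_PORT" |
        while read -r peer n; do echo "$stamp peer=$peer conns=$n"; done
}

# cron entry (example): * * * * * /usr/local/bin/ftp_watch.sh --run
case "${1:-}" in
    --run)  snapshot >> "$LOG" ;;
    --demo) sample_lsof | ftp_peers "$FTP_PORT" ;;   # prints: 192.0.2.44 2
esac
```

A poll only sees sessions that are open at the moment it runs, so short-lived attempts can fall between samples; the ftpd entries in syslog remain the primary record, and the snapshots add the remote address at the times the attempts cluster.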