
Tracking down failed FTP logins

Chuck Sims
Advisor

Aloha All,

I've been receiving periodic complaints from one of our customers about not being able to log into their ftp account on one of our HP-UX 11.0 servers. It seems that it works fine one day, but the account has been disabled the next time they try to use it. Sometimes the time between good and bad is only a day or two. At other times, it has been a couple of weeks. I've looked through the console logs and the syslog, and I can see lots of failed login attempts, but I can't find out where they are coming from. The syslog shows the IP address for successful logins, but not, apparently, for failed logins.

Is there another place I should be looking that will show me where these failed logins are coming from? My suspicion is that there is a PC out there that still has an old password defined in a batch process. I'd like to be able to prove or dispel this theory.

Thanks in advance for any and all help.
"I feel like I'm diagonally parked in a parallel universe."
Brian Bergstrand
Honored Contributor
Solution

Re: Tracking down failed FTP logins

Have you tried:

# who -a /var/adm/btmp

That should output where the bad connections are coming from.

HTH.
A. Clay Stephenson
Acclaimed Contributor

Re: Tracking down failed FTP logins

I would add the -l and -v options to your ftp entry in /etc/inetd.conf. This will greatly increase the logging of the ftpd daemon. After making the change to the inetd.conf, issue an "inetd -c" command to signal inetd to reread the configuration file.
If it ain't broke, I can fix that.
Uday_S_Ankolekar
Honored Contributor

Re: Tracking down failed FTP logins

Use last -R for successful logins and lastb -R for unsuccessful ones.
This command will give you all the details you are looking for.


-USA..
Good Luck..
Elena Leontieva
Esteemed Contributor

Re: Tracking down failed FTP logins

You may run this command:

lastb -R |grep ftp

Elena.
James R. Ferguson
Acclaimed Contributor

Re: Tracking down failed FTP logins

Hi:

'lastb' will only work if bad login accounting is enabled. The absence of '/var/adm/btmp' means that bad login accounting is *disabled*. To enable it, as the root user, do:

# touch /var/adm/btmp
# chmod 600 /var/adm/btmp

For security reasons, only the owner (root) should have access.

Regards!

...JRF...
Jim Mallett
Honored Contributor

Re: Tracking down failed FTP logins

Chuck,

Try running:
# inetd -l

This will turn on connection logging. Then in your /var/adm/syslog file, just prior to the FTP instance, you will see the TCP connection with the IP address.

Here is an example from my system:
Before running inetd -l
Sep 2 16:39:06 ddfin01 ftpd[21530]: User root: Login incorrect
Sep 2 16:39:07 ddfin01 ftpd[21530]: FTP session closed

After running inetd -l
Sep 2 16:39:15 ddfin01 inetd[1112]: Connection logging enabled
Sep 2 16:39:19 ddfin01 inetd[21556]: ftp/tcp: Connection from fang (10.10.2.103) at Tue Sep 2 16:39:19 2003
Sep 2 16:39:24 ddfin01 ftpd[21556]: pam_authenticate: Authentication failed
Sep 2 16:39:24 ddfin01 ftpd[21556]: User root: Login incorrect
Sep 2 16:39:25 ddfin01 ftpd[21556]: FTP session closed

The failed IP address shows up now.

I don't know that btmp is going to get failed FTP logins.

Jim
Hindsight is 20/20
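
In the log excerpt above, the inetd connection line and the ftpd failure lines carry the same PID (21556), which is what ties a failed login to a source address. The script below is an added example, not code from any poster in this thread: it joins the two line types on that PID and counts failures per source and user. The function names and the sample log lines (host, accounts, addresses) are constructed for illustration.

```shell
#!/bin/sh
# Join inetd connection lines to ftpd "Login incorrect" lines on the shared PID.
# Usage: failed_ftp_sources < syslog-file    (prints "count source-ip user")
failed_ftp_sources() {
    awk '
    # Extract the PID from a "name[pid]:" syslog tag.
    function tag_pid(line, name) {
        match(line, name "\\[[0-9]+\\]")
        return substr(line, RSTART + length(name) + 1, RLENGTH - length(name) - 2)
    }
    # With connection logging on, inetd records the peer under the child PID
    # that goes on to run ftpd.
    /inetd\[[0-9]+\]: ftp\/tcp: Connection from / {
        pid = tag_pid($0, "inetd")
        if (match($0, /\([0-9.]+\)/))
            src[pid] = substr($0, RSTART + 1, RLENGTH - 2)
        next
    }
    /ftpd\[[0-9]+\]: User .*: Login incorrect/ {
        pid = tag_pid($0, "ftpd")
        user = $0
        sub(/^.*\]: User /, "", user)
        sub(/: Login incorrect.*$/, "", user)
        # Failures logged before connection logging was enabled have no peer.
        ip = (pid in src) ? src[pid] : "unknown"
        count[ip " " user]++
        next
    }
    # PIDs are reused, so forget the mapping once the session ends.
    /ftpd\[[0-9]+\]: FTP session closed/ { delete src[tag_pid($0, "ftpd")] }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample input: documentation addresses, made-up host and accounts.
sample_log() {
    cat <<'EOF'
Sep  2 16:39:06 host1 ftpd[21530]: User acct1: Login incorrect
Sep  2 16:39:07 host1 ftpd[21530]: FTP session closed
Sep  2 16:39:19 host1 inetd[21556]: ftp/tcp: Connection from pc7 (192.0.2.17) at Tue Sep  2 16:39:19 2003
Sep  2 16:39:24 host1 ftpd[21556]: pam_authenticate: Authentication failed
Sep  2 16:39:24 host1 ftpd[21556]: User acct1: Login incorrect
Sep  2 16:39:25 host1 ftpd[21556]: FTP session closed
Sep  2 16:45:02 host1 inetd[21601]: ftp/tcp: Connection from pc7 (192.0.2.17) at Tue Sep  2 16:45:02 2003
Sep  2 16:45:05 host1 ftpd[21601]: User acct1: Login incorrect
Sep  2 16:45:06 host1 ftpd[21601]: FTP session closed
Sep  2 17:02:11 host1 inetd[21556]: ftp/tcp: Connection from pc9 (198.51.100.4) at Tue Sep  2 17:02:11 2003
Sep  2 17:02:13 host1 ftpd[21556]: User acct2: Login incorrect
EOF
}

sample_log | failed_ftp_sources
```
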
Jim Mallett
Honored Contributor

Re: Tracking down failed FTP logins

ps...

When you get the information you want, run inetd -l again to shut it off. This will list all attempted connections to services so the syslog file can get big quick.

Jim
Hindsight is 20/20
Chuck Sims
Advisor

Re: Tracking down failed FTP logins

Aloha All,

Thanks to everyone for the very helpful suggestions. I've turned on connection logging with inetd -l and it's working great. The other suggestions were excellent, also, and have given me some more tools to use in tracking down this problem.

Thanks again...

Chuck
"I feel like I'm diagonally parked in a parallel universe."