
Resolved
0 votes
Hello,
Connection to FTP is working but I have a lot of errors.
I have 10 connections/min to poll incoming files, and it is very annoying with 4 failure logs on each connection:
Connection is from the internal network and from external through OpenVPN to the internal IP.

Oct 28 20:34:37 server proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd25820 ruser=user01 rhost=10.8.0.22 user=user01
Oct 28 20:34:37 server proftpd: pam_unix(proftpd:session): session opened for server user01 by (uid=0)
Oct 28 20:34:37 server proftpd[25820]: 127.0.0.1 (10.8.0.22[10.8.0.22]) - server user01: Login successful.
Oct 28 20:34:37 server proftpd: pam_env(proftpd:setcred): Unable to open config file: /etc/security/pam_env.conf: No such file or directory
Oct 28 20:34:37 server proftpd: pam_systemd(proftpd:session): Failed to connect to system bus: No such file or directory
Oct 28 20:34:37 server proftpd: pam_unix(proftpd:session): session closed for server user01
Oct 28 20:34:37 server proftpd: pam_ldap(proftpd:session): error opening connection to nslcd: No such file or directory
Monday, October 28 2019, 07:46 PM
Responses (6)
  • Accepted Answer

    Saturday, October 15 2022, 10:38 AM - #Permalink
    Resolved
    0 votes
    Is there still no solution? I have a camera connecting by FTP; this will generate thousands of errors, very annoying.
  • Accepted Answer

    Tuesday, October 29 2019, 05:51 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    I know how to remove them but it is not particularly a good idea. You can edit /etc/clearos/events.d/20-user-auth.conf, I think, and add your own filter. The problem is that this is considered a system configuration file. If you change it then a new rpm will not update it any more. With 7.6 we pushed out a critical update to one of these files and for the people who had edited theirs, they did not get the update. Instead an /etc/clearos/events.d/20-user-auth.conf.rpmnew is created. It may also be possible to edit /etc/pam.d/system-auth-ac but I've had mixed success there.


    To remove what? All failure logins? No no no.... What is the point of this alert if I filter it out?
    What I did with the previous message was to filter some messages so they do not enter the log file...
    I hope someone will point me in the right direction to make a setting that prevents this message from appearing in the first place. It is not normal for an authentication mechanism to work and generate 5 failure messages .... this is generated by an incorrectly configured service and/or authentication methods for that service.
    I am not an expert, but is the /etc/pam.d/system-auth-ac file generated by authconfig? Maybe in this file some lines are in the incorrect order or have incorrect parameters?

    Nick Howitt wrote:
    You can prune the events database quickly with:
    systemctl stop clearsync.service
    rm -f /var/lib/csplugin-events/events.db
    systemctl start clearsync.service
    There may be neater ways for just the proftpd events.


    This did the job, thanks.
  • Accepted Answer

    Tuesday, October 29 2019, 01:56 PM - #Permalink
    Resolved
    0 votes
    I know how to remove them but it is not particularly a good idea. You can edit /etc/clearos/events.d/20-user-auth.conf, I think, and add your own filter. The problem is that this is considered a system configuration file. If you change it then a new rpm will not update it any more. With 7.6 we pushed out a critical update to one of these files and for the people who had edited theirs, they did not get the update. Instead an /etc/clearos/events.d/20-user-auth.conf.rpmnew is created. It may also be possible to edit /etc/pam.d/system-auth-ac but I've had mixed success there.

    You can prune the events database quickly with:
    systemctl stop clearsync.service
    rm -f /var/lib/csplugin-events/events.db
    systemctl start clearsync.service
    There may be neater ways for just the proftpd events.
    Like
    1
  • Accepted Answer

    Tuesday, October 29 2019, 01:46 PM - #Permalink
    Resolved
    0 votes
    Solved for /var/log/secure:

    Oct 29 15:26:04 server proftpd: pam_unix(proftpd:session): session opened for user user by (uid=0)
    Oct 29 15:26:04 server proftpd[10651]: 127.0.0.1 (10.8.0.38[10.8.0.38]) - USER user: Login successful.
    Oct 29 15:26:04 server proftpd: pam_unix(proftpd:session): session closed for user user

    Still present in the webapp events and notifications:

    Authentication failure for user via proftpd from 10.8.0.38 2019-10-29 15:26:04
    User user logged in via proftpd 2019-10-29 15:26:04
    User user logged out via proftpd 2019-10-29 15:26:04
    Another issue with events and notifications is with acknowledging messages ... I press the button, the events are cleared, and a few thousand appear again.

    Thanks
  • Accepted Answer

    Tuesday, October 29 2019, 01:32 PM - #Permalink
    Resolved
    0 votes
    Solved for all logs in /var/log/secure:
    Oct 29 15:26:04 server proftpd: pam_unix(proftpd:session): session opened for user user by (uid=0)
    Oct 29 15:26:04 server proftpd[10651]: 127.0.0.1 (10.8.0.38[10.8.0.38]) - USER user: Login successful.
    Oct 29 15:26:04 server proftpd: pam_unix(proftpd:session): session closed for user user

    However, in the webapp https://server:81/app/events I have one failure log on each login:

    Authentication failure for user via proftpd from 10.8.0.38 2019-10-29 15:26:04
    User user logged in via proftpd 2019-10-29 15:26:04
    User user logged out via proftpd 2019-10-29 15:26:04

    and another 100.000 ... I press acknowledge all and after a while I have a few thousand or tens of thousands to acknowledge.
    Thanks
  • Accepted Answer

    Monday, October 28 2019, 08:53 PM - #Permalink
    Resolved
    0 votes
    Rsyslog contains some good filtering possibilities. I have a number of filters for proftpd although they can probably be combined. Create a file /etc/rsyslog.d/anything_you_like.conf but it must end in .conf. A section of my file reads:
    # ProFTPD
    if ($programname == 'proftpd' and $msg contains 'ourfamily') then stop
    if ($programname == 'proftpd' and $msg contains 'Unable to open config file: /etc/security/pam_env.conf: Permission denied') then stop
    if ($programname == 'proftpd' and $msg contains 'Failed to connect to system bus: Permission denied') then stop
    if ($programname == 'proftpd' and $msg contains 'error opening connection to nslcd: Permission denied') then stop
    if ($programname == "systemd-logind") and (($msg contains "New session" and $msg contains "ourfamily") or $msg contains "Removed session") then stop
    Modify it as you like and combine lines if you want. Restart the rsyslog service after making any changes.
    Like
    1
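
An added example, not part of the original thread: a dry run of the `contains` substrings from the rsyslog reply above against the log lines from the question. It shows that the substrings as posted end in "Permission denied" and match none of the question's lines, which end in "No such file or directory", and it checks that the adjusted substrings never discard an authentication failure line. The function names and the adjusted substrings are assumptions of this example.

```shell
#!/bin/sh
# Added example: dry-run rsyslog "$msg contains" substrings before deploying them.

# Log lines copied from the question in this thread.
SAMPLE_LOG='Oct 28 20:34:37 server proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd25820 ruser=user01 rhost=10.8.0.22 user=user01
Oct 28 20:34:37 server proftpd: pam_unix(proftpd:session): session opened for server user01 by (uid=0)
Oct 28 20:34:37 server proftpd[25820]: 127.0.0.1 (10.8.0.22[10.8.0.22]) - server user01: Login successful.
Oct 28 20:34:37 server proftpd: pam_env(proftpd:setcred): Unable to open config file: /etc/security/pam_env.conf: No such file or directory
Oct 28 20:34:37 server proftpd: pam_systemd(proftpd:session): Failed to connect to system bus: No such file or directory
Oct 28 20:34:37 server proftpd: pam_unix(proftpd:session): session closed for server user01
Oct 28 20:34:37 server proftpd: pam_ldap(proftpd:session): error opening connection to nslcd: No such file or directory'

# The three PAM-noise substrings exactly as posted in the reply.
FILTER_AS_POSTED='Unable to open config file: /etc/security/pam_env.conf: Permission denied
Failed to connect to system bus: Permission denied
error opening connection to nslcd: Permission denied'

# Same substrings with the error text from the question's log (adjusted for this example).
FILTER_ADJUSTED='Unable to open config file: /etc/security/pam_env.conf: No such file or directory
Failed to connect to system bus: No such file or directory
error opening connection to nslcd: No such file or directory'

# Approximate $programname == 'proftpd': syslog tag (field 5) up to the first '[' or ':'.
proftpd_lines() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk '{ tag = $5; sub(/(\[|:).*/, "", tag); if (tag == "proftpd") print }'
}

# Lines that a filter built from the given substrings (one per line) would discard.
stopped_lines() { proftpd_lines | grep -F -e "$1" || true; }

# Number of discarded lines.
count_stopped() { stopped_lines "$1" | grep -c . || true; }

# Number of discarded lines that are authentication failures; this must stay 0.
count_auth_failures_stopped() {
    stopped_lines "$1" | grep -c -F 'authentication failure' || true
}

report() {
    echo "$1: stops $(count_stopped "$2") of $(proftpd_lines | grep -c .) lines," \
         "auth failures hidden: $(count_auth_failures_stopped "$2")"
}

report "as posted" "$FILTER_AS_POSTED"
report "adjusted" "$FILTER_ADJUSTED"
```

Replacing `SAMPLE_LOG` with a slice of the real /var/log/secure gives the same check for any new substring before it goes into /etc/rsyslog.d/.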