Simple FTP question

Hi,
Sorry for such a basic question but up until
now I have been using smartFTP which just asks
for website name, user and password.

Now, I decided to try out KompoZer for updating
one of my websites. The ftp’ed web pages get sent to
a separate folder under the ftp user rather than the public_html.

Here is the settings panel:

Now the website that I am trying to ftp to is
on my server running under VirtualMin Pro
and is on domain: prime-servers.com

I have set a new mail/ftp user called "primus"
so its user name in full is primus.prime@prime-servers.com

When I view the server after a "successful" publish with
KompoZer I find this.

You see, I have a new directory called primus and
my new index.html is there when I really wanted it in the
public_html directory.

Is this because of a setting that I have incorrectly set ?

I have tried to access the public_html with my
admin username and password and with this
publishing settings:

But I always get a "530 Login incorrect" error when I try this even though I have double checked my password several times.

Please help as I am somewhat stuck :o(

What’s in the logs? (secure.log and proftpd.log, probably)

I just took a look at the secure log and found the last batch of entries
do not have my log-in attempts but show this:

May 18 00:51:39 heavyhoster vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=kelvin rhost=customer-static-123-168-138.iplannetworks.net
May 18 00:51:39 heavyhoster vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user kelvin
May 18 00:51:44 heavyhoster vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 18 00:51:44 heavyhoster vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=kennedy rhost=customer-static-123-168-138.iplannetworks.net
May 18 00:51:44 heavyhoster vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user kennedy
May 18 00:51:47 heavyhoster vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 18 00:51:47 heavyhoster vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=kennedy rhost=customer-static-123-168-138.iplannetworks.net
May 18 00:51:47 heavyhoster vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user kennedy
May 18 00:51:51 heavyhoster vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 18 00:51:51 heavyhoster vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=kennedy rhost=customer-static-123-168-138.iplannetworks.net
May 18 00:51:51 heavyhoster vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user kennedy
May 18 00:51:55 heavyhoster vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 18 00:51:55 heavyhoster vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=kenneth rhost=customer-static-123-168-138.iplannetworks.net
May 18 00:51:55 heavyhoster vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user kenneth
May 18 00:51:59 heavyhoster vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 18 00:51:59 heavyhoster vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=kenneth rhost=customer-static-123-168-138.iplannetworks.net
May 18 00:51:59 heavyhoster vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user kenneth

Does this mean someone or possibly a "bot" is trying to break in ?

I narrowed the search down to look for "prime" and got these results:

May 18 00:30:26 heavyhoster vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=prime rhost=78.167.110.237 user=prime
May 18 00:32:40 heavyhoster vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=prime rhost=78.167.110.237 user=prime
May 18 00:57:17 heavyhoster vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=prime rhost=78.167.110.237 user=prime

That looks like a simple authentication failure. Does user "prime" have a shell that is listed in /etc/shells?

In the /etc/shells file I have this:

/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
/bin/ksh
/bin/false

And, is prime’s shell in that list?

I have no idea.

That is the complete list!

It doesn’t mean anything to me.

The server(hardware) has over 30 servers on it, so I don’t know
what this little list is supposed to be!

Hehehe…look at the user “prime” in Webmin->System->Users and Groups. What’s his shell? Is it in that list? (You could also look in /etc/passwd)

OK - have solved it :slight_smile:

I don’t know why the password was not working but I changed the
server admin password.

Interestingly, when I tried to "publish", KompoZer sent the file to the "prime" directory.

To get it into the "www" area I had to stipulate the
public_html/ sub-directory as the location.

Anyway, thanks for your help - I still have that question about all those access attempts that show up in my secure log coming in from:
customer-static-123-168-138.iplannetworks.net

(see 5 posts earlier )

What is happening here - is it some kind of attack ?
Should I block that IP address ?
Is this "normal" activity ?

Your advice/comment would be much appreciated.

Thanks again.

I don’t know. Only you know who is supposed to be contacting your server, and what they’re supposed to be doing with it. :wink:

I suspect yes, it is an attack. And yes, you could block it, if you want to.

I suggest not to block those attacks. They are constant and you’d end up blocking IPs for the rest of your admin life and possibly blocking dynamic IPs which may end up being used by potential customers in the future.

Anyway, short story: have strong passwords. Keep an eye on the logs just in case one IP is attacking the server longer than a few hours.
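
An added example, not part of the original thread: a small Python script that automates the "keep an eye on the logs" advice by grouping vsftpd `pam_unix` authentication failures per remote host and flagging hosts that cycle through many usernames or keep failing for hours. The sample lines are constructed in the same format as the secure log above (documentation addresses, placeholder hostname), and the thresholds and the assumed year are illustrative choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the same vsftpd/pam_unix format as the secure log above
# (hosts are documentation addresses, not values from the thread).
SAMPLE = """\
May 18 00:30:26 host vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=prime rhost=203.0.113.9 user=prime
May 18 00:32:40 host vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=prime rhost=203.0.113.9 user=prime
May 18 00:51:39 host vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=kelvin rhost=198.51.100.7
May 18 00:51:39 host vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user kelvin
May 18 00:51:44 host vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 18 00:51:44 host vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=kennedy rhost=198.51.100.7
May 18 00:51:55 host vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=kenneth rhost=198.51.100.7
May 18 04:10:02 host vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=kevin rhost=198.51.100.7
"""

FAIL = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ vsftpd: pam_unix\(vsftpd:auth\): "
                  r"authentication failure;.*\bruser=(\S*) rhost=(\S+)")

def summarize(text, year=2000):
    """Group failed FTP logins by remote host. syslog omits the year, so one is assumed."""
    hosts = defaultdict(lambda: {"count": 0, "users": set(), "first": None, "last": None})
    for line in text.splitlines():
        m = FAIL.match(line)
        if not m:
            continue  # skip pam_succeed_if / "check pass" lines: they repeat the same attempt
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        h = hosts[m.group(3)]
        h["count"] += 1
        h["users"].add(m.group(2))
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
    return dict(hosts)

def flag(hosts, min_users=3, max_span=timedelta(hours=3)):
    """Return {host: reason} for username guessing or failures that persist for hours."""
    out = {}
    for host, h in hosts.items():
        if len(h["users"]) >= min_users:
            out[host] = "username guessing"
        elif h["last"] - h["first"] >= max_span:
            out[host] = "persistent failures"
    return out

if __name__ == "__main__":
    for host, reason in flag(summarize(SAMPLE)).items():
        print(host, reason)
```

A host that fails twice against one real account, like the admin's own mistyped password in the thread, stays below both thresholds, while the host walking through a name list is reported.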

Thanks for your input :slight_smile: