Error Retrieving Information About User Vsftpd
VSFTPD - Unable to authenticate as anonymous user

by Toneus » 2010/05/04 21:20:28

I am attempting to configure vsftpd to allow anonymous users to PUT files into a shared incoming directory. This would be like a dropbox for my customers. Ideally, the incoming directory's contents would not be viewable by the users.

I believe that refused connection is due to the PAM configuration for vsftpd.

May 4 08:03:16 WSVM-S1-1 sshd[1512]: Invalid user anonymous from xxx.xxx.xxx.xxx
May 4 08:03:16 WSVM-S1-1 sshd[1513]: input_userauth_request: invalid user anonymous
May 4 08:03:16 WSVM-S1-1 sshd[1512]: pam_unix(sshd:auth): check pass; user unknown
May 4 08:03:16 WSVM-S1-1 sshd[1512]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-xxx.xxx.xxx.xxx.sip.asm.bellsouth.net
May 4 08:03:16 WSVM-S1-1 sshd[1512]: pam_succeed_if(sshd:auth): error retrieving information about user anonymous
May 4 08:03:19 WSVM-S1-1 sshd[1512]: Failed password for invalid user anonymous from xxx.xxx.xxx.xxx port 1665 ssh2
May 4 08:03:19 WSVM-S1-1 sshd[1513]: fatal: Read from socket failed: Connection reset by peer

I have followed what I believe are the correct anonymous configuration changes (see vsftpd.conf below). I can perform sftp uploads as a real user. My secure log file is indicating failure to authenticate. I would expect that when anonymous_enabled=YES that the anonymous login would not be passed to PAM.

Assistance would be appreciated.

Tony

Linux WSVM-S1-1 2.6.18-164.11.1.el5 #1 SMP Wed Jan 20 07:32:21 EST 2010 x86_64 x86_64 x86_64 GNU/Linux

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow an

http://www.centos.org/forums/viewtopic.php?t=29079

vsftpd brute force attack - how to resolve IP ?
http://www.linuxquestions.org/questions/linux-security-4/vsftpd-brutte-force-attack-how-to-resolve-ip-705303/

02-17-2009, 04:18 AM #1 dlugasx

Hi all,

this morning I found in my "secure" log thousands of entries like this one:

Feb 16 16:20:01 a1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=dtw.directtechweb.com
Feb 16 16:20:01 a1 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator

Using brute force, somebody is trying to hack my vsftpd access. If I have an entry like this, how can I block the user who is trying to hack my

Support for vsftpd Login Failures
http://forum.configserver.com/viewtopic.php?t=1344

by Riatsala » 27 May 2008, 11:01

I've had thousands of vsftpd login failures in the last few weeks. It would be great to be able to block the offending IPs. Here's a few lines from /var/log/messages

May 1 12:43:17 vps vsftpd(pam_unix)[11377]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=72.232.10.66 user=mysql
May 11 00:39:10 vps vsftpd(pam_unix)[22388]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=219.232.228.160
May 25 19:59:54 vps vsftpd(pam_unix)[17806]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=65.204.255.101

If blocking these could be added to a future lfd update, I'd really appreciate it!

All the best,
Riatsala

by chirpy » 27 May 2008, 11:21

I'll look at adding these to regex.pm

by Riatsala » 27 May 2008, 11:57

Thanks chirpy.

by Riatsala » 29 May 2008, 10:53

Thanks for including this in the latest update. It's blocked a couple of IPs already!

I have noticed something strange while browsing the logs. It appears there are actually two types of attack, and only one is getting blocked. Those who use a legitimate username but wrong password generate a single line in /var/log/messages like the ones above, and these are blocked perfectly. Those who use an invalid username generate two lines in the log for each attempt, and for some reason they are ignored by lfd.

May 29 05:02:38 vps vsftpd(pam_unix)[5398]: check pass; user unknown
May 29 05:02:38 vps vsftpd(pam_unix)[5398]: authentication f

http://www.aczoom.com/forums/blockhosts/vsftpd-regex-in-var-log-secure-file

retrieving information about user hector
Oct 5 06:23:41 server vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Oct 5 06:23:41 server vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=hector rhost=xx.xx.xx.xx

I have tried various regex expressions but haven't been able to match so I can get the {HOST_IP} of xx.xx.xx.xx

Can someone help here please?

Thanks.
Michael.

Wed, 2008-10-08 01:21 — Michael (not verified)
Tried a python regex

Hi,

This is the python regex I have tried, which matches everything I need (I believe):

"vsftpd-FailSyslog": r'... .?\d \d\d:\d\d:\d\d \S{8} vsftpd: pam\Dunix\Dvsftpd:auth\D: .*? failure\D logname= uid=\d euid=\d tty=ftp ruser=.*? rhost={HOST_IP}$',

it was:

r'{LOG_PREFIX{vsftpd}} .* FAIL LOGIN: Client "{HOST_IP}"$',

but when I try to FTP in many times with failed attempts, blockhosts doesn't watch/block the IP. I've spent some hours on this already and am no closer to resolving it.

Any help is appreciated.
Michael.

Thu, 2008-10-09 20:15 — ac
here's the pattern

"vsftpd-pam-unix-Fail": r'{LOG_PREFIX{vstfpd}} pam_unix\(vsftpd:auth\): authentication failure; logname= .* rhost={HOST_IP}$'

Thu, 2008-10-16 03:25 — Michael (not verified)

Hi, Thanks for that pattern. I did add it into blockhosts.conf the day you posted it, so just had to wait till another attack happened.

Currently the attack is on-going and blockhosts is missing it (from /var/log/secure):

Oct 16 18:23:10 server vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=guest rhost=202.55.176.81
Oct 16 18:23:10 server vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user guest
Oct 16 18:23:10 server vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Oct 16 18:23:10 server vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=guest rhost=202.55.176.81
Oct 16 18:23:10 server vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user guest
Oct 16 18:23:14 server vsftpd: pam_uni