Log Review Failed FTP Attempt

Andrew Harris tuna at supertunaman.com
Thu Jan 19 12:06:15 MST 2012


Hey Keith

I'm afraid your language is just a bit ambiguous -- SFTP, as in FTP over
SSH, or FTP, as in ProFTPd or Pure-FTPd?

If it's the former, then /var/log/secure will be the right place, but it'll
show up as sshd. Here's what a failed login looks like on my CentOS VPS:

Jan 19 13:04:04 sta sshd[12164]: pam_unix(sshd:auth): check pass; user
unknown
Jan 19 13:04:04 sta sshd[12164]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=
cpe-66-68-110-19.austin.res.rr.com

If it's actual FTP, I believe that will be in /var/log/messages or
something, depending on how it's configured.

On Thu, Jan 19, 2012 at 12:29 PM, keith smith <klsmith2020 at yahoo.com> wrote:

>
> Hi,
>
> I've setup Iptables so only certain IP addresses can access our shell.  It
> works well for the handful of us that access the shell.
>
> We also run SFTP.  So the IP for anyone needing FTP must be in the IP
> tables as well.
>
> Today, I'm trying to configure someone remotely.  I added their IP address
> to the IPTables and helped them configure their FTP Client.  They are not
> able to connect.  It is unclear to me if it is a client or server issue.
> So I am looking at the logs.
>
> I'm running CentOS 5.6 and looking in /var/log/secure .  I see no entry
> for the failed access attempt.
>
> Is there another log I should be looking in?
>
> Thank you for your help!
>
> ------------------------
> Keith Smith
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20120119/93172bc5/attachment.html>


More information about the PLUG-discuss mailing list