proftpd logs


jailbreaker
01-25-2006, 05:03 PM
Hi, I need to know how I can have a log file for proftpd because I notice some weird activity happening.

My situation is that people over the past week haven't been able to connect to my ftp server. But late at night I can see there is activity going on and web surfing is a little slow. I looked through what log files I have and I don't know where to look really; it all seems ok.

In my proftpd.conf file it says nothing about a log file. How can I add one?

moojuece
01-25-2006, 05:10 PM
I don't believe I have ever set anything manually to log in proftpd, but it does log.
The log sits in /var/log/proftpd.log on my Slackware box.

moojuece
01-25-2006, 05:12 PM
On second look I do see a section in my conf:

SystemLog /var/log/proftpd.log
TransferLog /var/log/xferlog

jailbreaker
01-25-2006, 05:57 PM
Ok, I looked through the "xferlog" but I don't have a proftpd log. But looking at the connections, all seem to come from someone on AOL. But what I don't get is why he is the only one that can connect?

For now I have stopped the proftpd service.

Anyone have any ideas?
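An added example, not code from any poster in this thread, of the kind of look through the xferlog that the post above describes: a small Python script that parses lines in the xferlog(5) format ProFTPD's TransferLog directive writes, totals bytes per remote host, and lists uploads that happened during off hours. The sample log lines, hostnames, paths and times are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log in xferlog(5) format, which is what ProFTPD's
# TransferLog directive writes. Hosts, paths and times are invented.
SAMPLE_XFERLOG = """\
Mon Jan 23 02:14:01 2006 3 dialup-4-1.example-isp.net 1048576 /pub/movie.avi b _ o r anonymous ftp 0 * c
Mon Jan 23 02:15:40 2006 12 dialup-4-1.example-isp.net 52428800 /incoming/rel.rar b _ i r anonymous ftp 0 * c
Mon Jan 23 09:30:12 2006 1 office-pc.example.com 2048 /home/bob/notes.txt a _ o r bob ftp 0 * c
Mon Jan 23 23:58:07 2006 45 dialup-4-1.example-isp.net 104857600 /incoming/rel2.rar b _ i r anonymous ftp 0 * i
"""

# xferlog fields: ctime timestamp, seconds, remote host, bytes, path, type a/b,
# special flag, direction i/o/d, access mode a/g/r, user, service, auth, id, status c/i
XFERLOG_RE = re.compile(
    r"^(?P<time>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<secs>\d+) (?P<host>\S+) (?P<size>\d+) (?P<path>\S+) "
    r"(?P<type>[ab]) (?P<special>\S+) (?P<direction>[iod]) (?P<mode>[agr]) "
    r"(?P<user>\S+) (?P<service>\S+) (?P<auth>[01]) (?P<authuser>\S+) "
    r"(?P<status>[ci])$"
)

def parse_xferlog(text):
    """Parse xferlog text into a list of dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = XFERLOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["when"] = datetime.strptime(rec["time"], "%a %b %d %H:%M:%S %Y")
        rec["size"] = int(rec["size"])
        records.append(rec)
    return records

def bytes_by_host(records):
    """Total bytes moved per remote host; one host dominating is a warning sign."""
    totals = Counter()
    for rec in records:
        totals[rec["host"]] += rec["size"]
    return totals

def off_hours_uploads(records, start_hour=22, end_hour=6):
    """Incoming transfers between start_hour and end_hour (wrapping midnight)."""
    def is_off_hours(hour):
        return hour >= start_hour or hour < end_hour
    return [r for r in records
            if r["direction"] == "i" and is_off_hours(r["when"].hour)]
```

To use it on a real server, read /var/log/xferlog into a string, pass it to parse_xferlog, and feed the result to the two summary functions.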

bwkaz
01-25-2006, 08:01 PM
Kill FTP permanently, and use sftp (part of ssh) instead?

And rebuild your machine from known-good install media, because I'm assuming this person changed at least one password? (That would explain why "no one else could connect". The person may have also just set up a firewall rule on your machine (which would mean they have root, and could have also changed anything else), to allow only connections from AOL.)

FTP == telnet == EXTREMELY INSECURE!

HughA
01-29-2006, 12:59 AM
I'm with bwkaz - I prefer to run sftp as opposed to FTP. As far as logs go, if you have been hacked, then any logs - or indeed, any executables creating such logs - may have been tampered with. Any server that is exposed to the internet should have, among other tools, utilities that are designed to detect evidence of malicious activity.

I have set up my server with AIDE to detect changes to files (I find it much simpler than Tripwire), and rkhunter and chkrootkit to detect the presence of rootkits. My next step will be to re-install them, this time on a memory stick that will only ever be mounted read-only; this will stop hackers from tampering with the tools themselves.

Regards,
Hugh