[BlueOnyx:23045] Re: CushyCMS and ProFTPD

Ken Hohhof khohhof at kwom.com
Tue Jul 30 16:32:35 -05 2019


That stopped the messages in ban.log but didn't fix the problem.  I suspect
the excessive connections were a symptom not the cause.

I looked in /var/log/messages and I see a bunch of lines like this, not sure
what they mean or why they are occurring now and not previously.  Customer
would be using site admin credentials, wouldn't even know root login.

Jul 30 14:31:06 blueonyx proftpd[5435]: 69.49.197.254 (198.74.49.153[198.74.49.153]) - ROOT PRIVS: unable to seteuid(): Operation not permitted
Jul 30 14:31:06 blueonyx proftpd[5435]: 69.49.197.254 (198.74.49.153[198.74.49.153]) - ROOT PRIVS: unable to setegid(): Operation not permitted
Jul 30 14:31:06 blueonyx proftpd[5435]: 69.49.197.254 (198.74.49.153[198.74.49.153]) - RELINQUISH PRIVS: unable to seteuid(PR_ROOT_UID): Operation not permitted
Jul 30 14:31:06 blueonyx proftpd[5434]: 69.49.197.254 (198.74.49.153[198.74.49.153]) - ROOT PRIVS: unable to seteuid(): Operation not permitted
Jul 30 14:31:06 blueonyx proftpd[5434]: 69.49.197.254 (198.74.49.153[198.74.49.153]) - ROOT PRIVS: unable to setegid(): Operation not permitted
Jul 30 14:31:06 blueonyx proftpd[5434]: 69.49.197.254 (198.74.49.153[198.74.49.153]) - RELINQUISH PRIVS: unable to seteuid(PR_ROOT_UID): Operation not permitted
Jul 30 14:31:06 blueonyx xinetd[4347]: START: ftp pid=5436 from=::ffff:198.74.49.153
Jul 30 14:31:08 blueonyx proftpd[5436]: 69.49.197.254 (198.74.49.153[198.74.49.153]) - ROOT PRIVS: unable to seteuid(): Operation not permitted
Jul 30 14:31:08 blueonyx proftpd[5436]: 69.49.197.254 (198.74.49.153[198.74.49.153]) - ROOT PRIVS: unable to setegid(): Operation not permitted
Jul 30 14:31:08 blueonyx proftpd[5436]: 69.49.197.254 (198.74.49.153[198.74.49.153]) - RELINQUISH PRIVS: unable to seteuid(PR_ROOT_UID): Operation not permitted


-----Original Message-----
From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> On Behalf Of Michael
Stauber
Sent: Tuesday, July 30, 2019 12:20 PM
To: blueonyx at mail.blueonyx.it
Subject: [BlueOnyx:23043] Re: CushyCMS and ProFTPD

Hi Ken,

> Given the timeframe, I am wondering if this is related to the recent 
> update to ProFTPD.  I am seeing a bunch of zero second connections 
> from the CushyCMS IP address and in ban.log I am seeing that IP 
> address getting banned due to excessive client connection rate.  I 
> have not edited those settings, it appears that >30 connections in 60 
> seconds will get the IP banned for 1 hour.  This only seems to have 
> started happening in the past week or so, but as near as I can 
> determine, the mod_ban configuration is not new, I don’t think the 
> recent update changed it.

What's different is that the new ProFTPd has mod_ban and mod_geoip activated
by default. In your case it's most likely mod_ban that is causing the
issues.

In both /etc/proftpd.conf and /etc/proftpds.conf you have that in this
section:

# mod_ban configuration:
<IfModule mod_ban.c>
        BanEngine on
        BanLog          /var/log/proftpd/ban.log
        BanTable        /var/log/proftpd/ban.tab
        BanOnEvent MaxLoginAttempts 30/00:10:00 00:30:00
        BanOnEvent ClientConnectRate 30/00:01:00 01:00:00
        BanControlsACLs all allow group wheel
</IfModule>

I stripped out the comments in this email as they would line wrap. Just
comment out this section in /etc/proftpd.conf and /etc/proftpds.conf by
putting a "#" at the beginning of each line of that block and restart
xinetd:

service xinetd restart
...or...
systemctl restart xinetd

Then see if that helps.

--
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
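The thread turns on two things visible in the logs: the xinetd "START: ftp" lines that mod_ban counts against `BanOnEvent ClientConnectRate 30/00:01:00 01:00:00` (30 connections per minute, 1 hour ban), and the proftpd "ROOT PRIVS" / "RELINQUISH PRIVS" failures Ken posted. The script below is an added example, not code from BlueOnyx or ProFTPD: it replays a syslog excerpt against the ClientConnectRate rule with a sliding one-minute window and collects the privilege failures per proftpd session, so an admin can tell whether a client would have been banned and which sessions hit the seteuid/setegid errors. Assumptions: the syslog year is taken from the mail date (2019), the sample lines are constructed in the same shape as the posted ones, and the ban is modelled as firing when the count reaches 30 within the window (the page does not show mod_ban's exact comparison).

```python
"""Replay an xinetd/ProFTPD syslog excerpt against the mod_ban ClientConnectRate rule.

Added example, not BlueOnyx/ProFTPD code. Line formats follow the messages posted
in the thread; the sample lines in build_sample() are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# From the /etc/proftpd.conf excerpt quoted in the thread:
#   BanOnEvent ClientConnectRate 30/00:01:00 01:00:00
CONNECT_RATE_MAX = 30                  # connections within the window that trigger a ban
CONNECT_RATE_WINDOW = timedelta(minutes=1)
BAN_DURATION = timedelta(hours=1)
LOG_YEAR = 2019                        # assumption: syslog lines carry no year; taken from the mail date

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
# xinetd: "... xinetd[4347]: START: ftp pid=5436 from=::ffff:198.74.49.153"
XINETD_START = re.compile(
    SYSLOG_TS + r" \S+ xinetd\[\d+\]: START: ftp pid=\d+ from=(?:::ffff:)?(?P<ip>\d+(?:\.\d+){3})$")
# proftpd: "... proftpd[5435]: <server-ip> (<client>[<client>]) - ROOT PRIVS: unable to seteuid(): ..."
PROFTPD_PRIV = re.compile(
    SYSLOG_TS + r" \S+ proftpd\[(?P<pid>\d+)\]: \S+ \((?P<ip>\d+(?:\.\d+){3})\[[^\]]*\]\) - "
    r"(?P<msg>(?:ROOT|RELINQUISH) PRIVS: .*)$")


def parse_ts(ts: str) -> datetime:
    """Turn a year-less syslog timestamp into a datetime using LOG_YEAR."""
    return datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def connect_rate_bans(lines):
    """Return {client_ip: (trigger_time, ban_expiry)} for clients whose xinetd ftp
    START events reach CONNECT_RATE_MAX inside a sliding CONNECT_RATE_WINDOW."""
    windows = defaultdict(deque)       # ip -> timestamps of recent connections
    bans = {}
    for line in lines:
        m = XINETD_START.match(line)
        if not m:
            continue
        ip, t = m["ip"], parse_ts(m["ts"])
        if ip in bans:
            continue                   # already banned; later connections would be refused
        w = windows[ip]
        w.append(t)
        while w and t - w[0] > CONNECT_RATE_WINDOW:   # drop events older than the window
            w.popleft()
        if len(w) >= CONNECT_RATE_MAX:                # assumption: ban fires at the 30th event
            bans[ip] = (t, t + BAN_DURATION)
    return bans


def priv_errors(lines):
    """Group 'ROOT PRIVS' / 'RELINQUISH PRIVS' failures by (proftpd pid, client ip)."""
    errors = defaultdict(list)
    for line in lines:
        m = PROFTPD_PRIV.match(line)
        if m:
            errors[(m["pid"], m["ip"])].append(m["msg"])
    return dict(errors)


def build_sample():
    """Constructed excerpt: 31 connections in 31 s from one client (over the limit),
    5 spread connections from another (under it), plus privilege failures shaped
    like the ones posted in the thread. Not a real log."""
    base = datetime(LOG_YEAR, 7, 30, 14, 30, 0)
    lines = []
    for i in range(31):
        t = (base + timedelta(seconds=i)).strftime("%b %d %H:%M:%S")
        lines.append(f"{t} blueonyx xinetd[4347]: START: ftp pid={6000 + i} from=::ffff:198.74.49.153")
    for i in range(5):
        t = (base + timedelta(seconds=10 * i)).strftime("%b %d %H:%M:%S")
        lines.append(f"{t} blueonyx xinetd[4347]: START: ftp pid={7000 + i} from=::ffff:192.0.2.10")
    for msg in ("ROOT PRIVS: unable to seteuid(): Operation not permitted",
                "ROOT PRIVS: unable to setegid(): Operation not permitted",
                "RELINQUISH PRIVS: unable to seteuid(PR_ROOT_UID): Operation not permitted"):
        lines.append(f"Jul 30 14:31:06 blueonyx proftpd[5435]: 69.49.197.254 "
                     f"(198.74.49.153[198.74.49.153]) - {msg}")
    return lines


if __name__ == "__main__":
    sample = build_sample()
    for ip, (start, end) in connect_rate_bans(sample).items():
        print(f"{ip}: ClientConnectRate ban triggered {start:%H:%M:%S}, expires {end:%H:%M:%S}")
    for (pid, ip), msgs in priv_errors(sample).items():
        print(f"proftpd[{pid}] client {ip}: {len(msgs)} privilege failures")
        for msg in msgs:
            print("   ", msg)
```

To check a real host, read `/var/log/messages` instead of `build_sample()` and compare the trigger times with the entries in `/var/log/proftpd/ban.log`; a client that appears in `connect_rate_bans()` but also shows up in `priv_errors()` is the pattern in this thread, where the excessive connections are a symptom and the per-session privilege failures are the thing to investigate.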





