Website users?

[ctroyp]

I have recently removed a user from one of the websites hosted within ISPConfig because I had a problem accessing Web-FTP for the said user. I was thinking that if I removed the user and re-created them, that it would clear the FTP problem. When I tried to re-create the user it would not allow me. States the following:

Code:

The user with the name web2_ctp does already exist.
Duplicate Email Address.
A user with administrator rights does already exist for this site.

I currently do not have any users created for this account. I also deleted the FTP directory in the users folder...

How can I clear this?

Thank you!

[till]

Please have a look here:

http://www.howtoforge.com/forums/showthread.php?t=1472

[ctroyp]

Quote:

Originally Posted by till

Please have a look here:

http://www.howtoforge.com/forums/showthread.php?t=1472

Thank you till! Worked like a charm. Now I need to check the access.

[ctroyp]

I have sucessfully re-created the user. I still cannot access the FTP directory for this user within Web-FTP in ISPConfig. When I remove admin privileges from this user I can access everything fine. Is there a problem or can administrators not have FTP access through ISPConfig?

[till]

There are no limits for WebFTP and amins in ISPConfig.

With an external FTP client the Admin FTP account is working? Did you get any errors when you try to login with web ftp?

[ctroyp]

Quote:

Originally Posted by till

There are no limits for WebFTP and amins in ISPConfig.

Ok.

Quote:

Originally Posted by till

With an external FTP client the Admin FTP account is working? Did you get any errors when you try to login with web ftp?

Yes, FTP works on all accounts using an external client.

When trying to login with Web-FTP, I can login fine as long as the particular user does not have admin rights for the web (through ISPCondig). When I try logging in w/admin rights, it hangs for a couple seconds then ends my ISPConfig session. No errors that I can find...

[falko]

Which FTP server do you use? Proftpd or Vsftpd?
Is there anything in the logs?

[ctroyp]

Quote:

Originally Posted by falko

Which FTP server do you use? Proftpd or Vsftpd?
Is there anything in the logs?

Proftpd (Debian 3.1 Perfect Setup).

I found this in /var/log/daemon.log:

The first session [416] is from a non-admin user logging in to web-ftp successfully.

The second ftp session [449] is from my admin user logging in to web-ftp unsuccessfully. This is when it ends my ISPConfig session.

The third ftp session is from an unknown source. Someone trying to get in I guess. Starting with the [449] there were a total of 150+ attempts. Is this common?

Code:

Dec 19 09:30:18 server1 proftpd[416]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 09:30:18 server1 proftpd[416]: server1.strec.com (localhost.localdomain[127.0.0.1]) - mod_delay/0.4: delaying for 8 usecs 
Dec 19 09:30:18 server1 proftpd[416]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 09:30:29 server1 proftpd[449]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 09:30:29 server1 proftpd[449]: server1.strec.com (localhost.localdomain[127.0.0.1]) - mod_delay/0.4: delaying for 1 usecs 
Dec 19 09:30:29 server1 proftpd[449]: server1.strec.com (localhost.localdomain[127.0.0.1]) - mod_delay/0.4: delaying for 108 usecs 
Dec 19 09:30:57 server1 proftpd[449]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 09:43:43 server1 proftpd[654]: server1.strec.com (220-130-134-244.HINET-IP.hinet.net[220.130.134.244]) - FTP session opened. 
Dec 19 09:43:43 server1 proftpd[654]: server1.strec.com (220-130-134-244.HINET-IP.hinet.net[220.130.134.244]) - mod_delay/0.4: delaying for 78 usecs 
Dec 19 09:43:43 server1 proftpd[654]: server1.strec.com (220-130-134-244.HINET-IP.hinet.net[220.130.134.244]) - no such user 'Administrator' 
Dec 19 09:43:43 server1 proftpd[654]: server1.strec.com (220-130-134-244.HINET-IP.hinet.net[220.130.134.244]) - mod_delay/0.4: delaying for 5359 usecs 
Dec 19 09:43:43 server1 proftpd[654]: server1.strec.com (220-130-134-244.HINET-IP.hinet.net[220.130.134.244]) - mod_delay/0.4: delaying for 173 usecs 
Dec 19 09:43:44 server1 proftpd[654]: server1.strec.com (220-130-134-244.HINET-IP.hinet.net[220.130.134.244]) - no such user 'Administrator' 
Dec 19 09:43:44 server1 proftpd[654]: server1.strec.com (220-130-134-244.HINET-IP.hinet.net[220.130.134.244]) - mod_delay/0.4: delaying for 5569 usecs 
Dec 19 09:43:44 server1 proftpd[654]: server1.strec.com (220-130-134-244.HINET-IP.hinet.net[220.130.134.244]) - mod_delay/0.4: delaying for 171 usecs 
Dec 19 09:43:44 server1 proftpd[654]: server1.strec.com (220-130-134-244.HINET-IP.hinet.net[220.130.134.244]) - no such user 'Administrator' 
Dec 19 09:43:44 server1 proftpd[654]: server1.strec.com (220-130-134-244.HINET-IP.hinet.net[220.130.134.244]) - FTP session closed. 

and on and on...

Also there are many entries where a session opens and closes (about every 30 minutes). Is this correct?

Code:

Dec 19 02:00:01 server1 proftpd[26864]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 02:00:01 server1 proftpd[26864]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 02:30:01 server1 proftpd[27254]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 02:30:01 server1 proftpd[27254]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 03:00:02 server1 proftpd[27650]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 03:00:02 server1 proftpd[27650]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 03:30:01 server1 proftpd[28036]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 03:30:01 server1 proftpd[28036]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 04:00:01 server1 proftpd[28419]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 04:00:02 server1 proftpd[28419]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 04:30:01 server1 proftpd[28875]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 04:30:01 server1 proftpd[28875]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 05:00:01 server1 proftpd[29253]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 05:00:01 server1 proftpd[29253]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 05:30:01 server1 proftpd[29632]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 05:30:01 server1 proftpd[29632]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 06:00:01 server1 proftpd[30009]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 06:00:01 server1 proftpd[30009]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 06:30:02 server1 proftpd[30512]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 06:30:02 server1 proftpd[30512]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 06:53:24 server1 proftpd[30805]: server1.strec.com (gate.frodos.fi[192.89.219.100]) - FTP session opened. 
Dec 19 06:53:24 server1 proftpd[30805]: server1.strec.com (gate.frodos.fi[192.89.219.100]) - FTP session closed. 
Dec 19 07:00:01 server1 proftpd[30891]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 07:00:01 server1 proftpd[30891]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 07:30:01 server1 proftpd[31270]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 07:30:01 server1 proftpd[31270]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 08:00:01 server1 proftpd[31647]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 08:00:01 server1 proftpd[31647]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 08:21:47 server1 proftpd[31927]: server1.strec.com (ACB1F122.ipt.aol.com[172.177.241.34]) - FTP session opened. 
Dec 19 08:21:48 server1 proftpd[31927]: server1.strec.com (ACB1F122.ipt.aol.com[172.177.241.34]) - mod_delay/0.4: delaying for 85 usecs 
Dec 19 08:21:48 server1 proftpd[31927]: server1.strec.com (ACB1F122.ipt.aol.com[172.177.241.34]) - no such user 'anonymous' 
Dec 19 08:21:48 server1 proftpd[31927]: server1.strec.com (ACB1F122.ipt.aol.com[172.177.241.34]) - mod_delay/0.4: delaying for 6252 usecs 
Dec 19 08:21:48 server1 proftpd[31927]: server1.strec.com (ACB1F122.ipt.aol.com[172.177.241.34]) - FTP session closed. 
Dec 19 08:30:01 server1 proftpd[32033]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 08:30:01 server1 proftpd[32033]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed. 
Dec 19 09:00:01 server1 proftpd[32417]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session opened. 
Dec 19 09:00:01 server1 proftpd[32417]: server1.strec.com (localhost.localdomain[127.0.0.1]) - FTP session closed.

Furthermore, here are the corresponding entries from the auth.log for the two login attempts from web-ftp. It looks like the admin account does login successfully, but gets booted shortly after:

Code:

Dec 19 09:30:18 server1 proftpd: (pam_unix) session opened for user web2_ctp by (uid=0)
Dec 19 09:30:18 server1 proftpd[416]: server1.strec.com (localhost.localdomain[127.0.0.1]) - USER web2_ctp: Login successful. 
Dec 19 09:30:18 server1 proftpd: (pam_unix) session closed for user web2_ctp
Dec 19 09:30:29 server1 proftpd: (pam_unix) session opened for user web2_admin by (uid=0)
Dec 19 09:30:29 server1 proftpd[449]: server1.strec.com (localhost.localdomain[127.0.0.1]) - USER web2_admin: Login successful. 
Dec 19 09:30:57 server1 proftpd: (pam_unix) session closed for user web2_admin
Dec 19 09:39:01 server1 CRON[577]: (pam_unix) session opened for user root by (uid=0)
Dec 19 09:39:01 server1 CRON[577]: (pam_unix) session closed for user root

I also found something interesting. Due to the fact that I kept getting hit with from the unknown user, I decided to stop the proftpd service. I did so and confirmed that the user attemts ceased. I then started up the service and got this error:

Code:

server1:~# /etc/init.d/proftpd start
Starting ProFTPD ftp daemon:  - warning: "ProFTPD" address/port (192.168.2.50:21) already in use by "Debian"
proftpd.

[falko]

Please make sure you're using the right username for login:

Quote:

Dec 19 09:43:44 server1 proftpd[654]: server1.strec.com (220-130-134-244.HINET-IP.hinet.net[220.130.134.244]) - no such user 'Administrator'

Normally the usernames are something like web<id>_<name>, not Administrator or something like that.

[ctroyp]

Quote:

Originally Posted by falko

Please make sure you're using the right username for login:


Normally the usernames are something like web<id>_<name>, not Administrator or something like that.

That is not me but someone else trying to get in--robot or something.

If you look at what I posted from the auth.log file, you will see that I am trying to using the appropriate usernames (web2_ctp and web2_admin).