anonymous ftp login



ralle2k
03.04.03, 13:02
Hello everyone,

I am a bit confused about my FTP server (pure-ftpd).
I have explicitly forbidden anonymous logins in the conf files, and yet I sometimes get
a message in the log files saying that a login took place.
How can that be?

Log file excerpt:

Apr 3 02:24:21 shg001 pure-ftpd: (?@host107-120.pool80117.interbusiness.it) [INFO] Anonymous user logged in

PS: Do you also see logins every 10 seconds? There seem to be a whole lot of scripts running on the net that look for open FTP servers. I wouldn't be surprised if those are the cinema movie rippers looking for disk space!?

HirschHeisseIch
03.04.03, 13:53
Originally posted by ralle2k
I wouldn't be surprised if those are the cinema movie rippers looking for disk space!?
Not just cinema movie rippers, but also software pirates and people like that. ;) But anonymous FTPs are slowly going out of fashion. Now it's the Win2k machines, which have a bug that makes it especially easy to hack them. But I have nothing to do with that sort of thing... ;):ugly: :D

ralle2k
03.05.03, 15:46
Still, I would like to know why it is possible to log in at all.

Log file, example:

May 3 15:01:08 shg001 pure-ftpd: (?@host217-41-20-232.in-addr.btopenworld.com) [INFO] Anonymous user logged in
May 3 15:01:08 shg001 pure-ftpd: (ftp@host217-41-20-232.in-addr.btopenworld.com) [INFO] Can't change directory to /pub/: No such file or directory
May 3 15:01:08 shg001 pure-ftpd: (ftp@host217-41-20-232.in-addr.btopenworld.com) [INFO] Can't change directory to /public/: No such file or directory
May 3 15:01:09 shg001 pure-ftpd: (ftp@host217-41-20-232.in-addr.btopenworld.com) [INFO] Can't change directory to /_vti_pvt/: No such file or directory
May 3 15:16:09 shg001 pure-ftpd: (ftp@host217-41-20-232.in-addr.btopenworld.com) [INFO] Timeout - try typing a little faster next time

Are there any undocumented entries in the conf?

Regards, R2k

Matzetronic
03.05.03, 16:50
hi,

if I were you I would check the config file and correct it as quickly as possible.

regards,
matze

ralle2k
03.05.03, 17:31
Of course that file was the first place I looked. In my opinion I have switched off everything to do with anonymous.


############################################################
#                                                          #
#         Configuration file for pure-ftpd wrappers        #
#                                                          #
############################################################

# If you want to run Pure-FTPd with this configuration
# instead of command-line options, please run the
# following command :
#
/usr/sbin/pure-config.pl /usr/etc/pure-ftpd.conf
#
# Please don't forget to have a look at documentation at
# http://www.pureftpd.org/documentation.html for a complete list of
# options.

# Cage in every user in his home directory

ChrootEveryone yes



# If the previous option is set to "no", members of the following group
# won't be caged. Others will be. If you don't want chroot()ing anyone,
# just comment out ChrootEveryone and TrustedGID.

# TrustedGID 100



# Turn on compatibility hacks for broken clients

BrokenClientsCompatibility no



# Maximum number of simultaneous users

MaxClientsNumber 5



# Fork in background

Daemonize yes



# Maximum number of sim clients with the same IP address

MaxClientsPerIP 3



# If you want to log all client commands, set this to "yes".
# This directive can be duplicated to also log server responses.

VerboseLog yes



# List dot-files even when the client doesn't send "-a".

DisplayDotFiles no



# Don't allow authenticated users - have a public anonymous FTP only.

AnonymousOnly no



# Disallow anonymous connections. Only allow authenticated users.

NoAnonymous yes



# Syslog facility (auth, authpriv, daemon, ftp, security, user, local*)
# The default facility is "ftp", "none" disables logging.

SyslogFacility ftp



# Display fortune cookies

# FortunesFile /usr/share/fortune/zippy



# Don't resolve host names in log files. Logs are less verbose, but
# it uses less bandwidth. Set this to "yes" on very busy servers or
# if you don't have a working DNS.

DontResolve no



# Maximum idle time in minutes (default = 15 minutes)

MaxIdleTime 15



# LDAP configuration file (see README.LDAP)

# LDAPConfigFile /etc/pureftp-ldap.conf



# PureDB user database (see README.Virtual-Users)

# PureDB /etc/pureftpd.pdb


# Path to pure-authd socket (see README.Authentication-Modules)

# ExtAuth /var/run/ftpd.sock



# If you want to enable PAM authentication, uncomment the following line

PAMAuthentication yes



# If you want simple Unix (/etc/passwd) authentication, uncomment this

# UnixAuthentication yes



# Please note that LDAPConfigFile, MySQLConfigFile, PAMAuthentication and
# UnixAuthentication can be used only once, but they can be combined
# together. For instance, if you use MySQLConfigFile, then UnixAuthentication,
# the SQL server will be asked. If the SQL authentication fails because the
# user wasn't found, another try will be done with /etc/passwd and
# /etc/shadow. If the SQL authentication fails because the password was wrong,
# the authentication chain stops here. Authentication methods are chained in
# the order they are given.



# 'ls' recursion limits. The first argument is the maximum number of
# files to be displayed. The second one is the max subdirectories depth

LimitRecursion 2000 8



# Are anonymous users allowed to create new directories ?

AnonymousCanCreateDirs no



# If the system is more loaded than the following value,
# anonymous users aren't allowed to download.

MaxLoad 4



# Port range for passive connections replies. - for firewalling.

# PassivePortRange 30000 50000



# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.

# ForcePassiveIP 192.168.0.1



# Upload/download ratio for anonymous users.

# AnonymousRatio 1 10



# Upload/download ratio for all users.
# This directive supersedes the previous one.

# UserRatio 1 10



# Disallow downloading of files owned by "ftp", ie.
# files that were uploaded but not validated by a local admin.

AntiWarez yes



# IP address/port to listen to (default=all IP and port 21).

# Bind 127.0.0.1,21



# Maximum bandwidth for anonymous users in Kb/s

# AnonymousBandwidth 8



# Maximum bandwidth for *all* users (including anonymous) in Kb/s
# Use AnonymousBandwidth *or* UserBandwidth, both makes no sense.

UserBandwidth 8



# File creation mask. <umask for files>:<umask for dirs> .
# 177:077 if you feel paranoid.

Umask 133:022



# Minimum UID for an authenticated user to log in.

MinUID 100



# Allow FXP transfers for authenticated users only.

AllowUserFXP yes



# Allow anonymous FXP for anonymous and non-anonymous users.

AllowAnonymousFXP no



# Users can't delete/write files beginning with a dot ('.')
# even if they own them. If TrustedGID is enabled, this group
# will have access to dot-files, though.

ProhibitDotFilesWrite no



# Prohibit *reading* of files beginning with a dot (.history, .ssh...)

ProhibitDotFilesRead no



# Never overwrite files. When a file whose name already exists is uploaded,
# it gets automatically renamed to file.1, file.2, file.3, ...

AutoRename yes



# Disallow anonymous users to upload new files (no = upload is allowed)

AnonymousCantUpload yes



# Only connections to this specific IP address are allowed to be
# non-anonymous. You can use this directive to open several public IPs for
# anonymous FTP, and keep a private firewalled IP for remote administration.
# You can also only allow a non-routable local IP (like 10.x.x.x) to
# authenticate, and keep a public anon-only FTP server on another IP.

#TrustedIP 10.1.1.1



# If you want to add the PID to every logged line, uncomment the following
# line.

#LogPID yes



# Create an additional log file with transfers logged in a Apache-like format :
# fw.c9x.org - jedi [13/Dec/1975:19:36:39] "GET /ftp/linux.tar.bz2" 200 21809338
# This log file can then be processed by www traffic analyzers.

AltLog clf:/var/log/pureftpd.log



# Create an additional log file with transfers logged in a format optimized
# for statistic reports, as done with ftpStats
# (http://www.shagged.org/ftpstats) .

# AltLog stats:/var/log/pureftpd.log



# Create an additional log file with transfers logged in the standard W3C
# format (compatible with most commercial log analyzers)

# AltLog w3c:/var/log/pureftpd.log



# Disallow the CHMOD command. Users can't change perms of their files.

#NoChmod yes



# Allow users to resume and upload files, but *NOT* to delete them.

#KeepAllFiles yes



# Automatically create home directories if they are missing

#CreateHomeDir yes



# Enable virtual quotas. The first number is the max number of files.
# The second number is the max size of megabytes.
# So 1000:10 limits every user to 1000 files and 10 Mb.

#Quota 1000:10



# If your pure-ftpd has been compiled with standalone support, you can change
# the location of the pid file. The default is /var/run/pure-ftpd.pid

PIDFile /var/run/pure-ftpd.pid



# If your pure-ftpd has been compiled with pure-uploadscript support,
# this will make pure-ftpd write info about new uploads to
# /var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and
# spawn a script to handle the upload.

#CallUploadScript yes



# This option is useful with servers where anonymous upload is
# allowed. As /var/ftp is in /var, it saves some space and protects
# the log files. When the partition is more than X percent full,
# new uploads are disallowed.

MaxDiskUsage 90



# Set to 'yes' if you don't want your users to rename files.

#NoRename yes



# Be 'customer proof' : workaround against common customer mistakes like
# 'chmod 0 public_html', that are valid, but that could cause ignorant
# customers to lock their files, and then keep your technical support busy
# with silly issues. If you're sure all your users have some basic Unix
# knowledge, this feature is useless. If you're a hosting service, enable it.

CustomerProof yes




# Per-user concurrency limits. It will only work if the FTP server has
# been compiled with --with-peruserlimits (and this is the case on
# most binary distributions) .
# The format is : <max sessions per user>:<max anonymous sessions>
# For instance, 3:20 means that the same authenticated user can have 3 active
# sessions max. And there are 20 anonymous sessions max.

# PerUserLimits 3:20

Matzetronic
03.05.03, 17:51
hi,

I think the line
/usr/sbin/pure-config.pl /usr/etc/pure-ftpd.conf should be commented out.....

regards,
matze

ralle2k
03.05.03, 18:04
Unfortunately that didn't help either.

I can still get in with ftp -a localhost. I don't have any shares then, but the login still works.

This is how the server is started on my machine. I use virtual users that are mapped to the ftpuser.

-nohup pure-ftpd -l puredb:/etc/pureftpd.pdb &

There are also no user entries for anonymus or the like:

-pure-pw show anonymus
Unable to fetch info about user [anonymus] in file [/etc/pureftpd.passwd]

It must somehow be down to the conf, but everything is forbidden there!

Big ?

Matzetronic
03.05.03, 18:14
ok, sorry - from here on I have to pass, since I don't know pureftp at all :(

one possibility might be to look for the user ftp, or to add anonymous to /etc/ftpaccess ?

regards,
matze

ralle2k
03.05.03, 18:44
Now I've figured out the system.

If I want to load the configuration, I have to run the Perl file.
/usr/sbin/pure-config.pl /etc/pure-ftpd.conf. Then, however, I no longer have my virtual users, which are loaded with the -l option. That is because pam is used.

Nicely, the Perl script prints the complete command line on the console, so I can change the -l entry manually.

This is what it looks like then.

/usr/sbin/pure-ftpd -A -c 5 -B -C 3 -d -E -f ftp -I 15 -l puredb:/etc/pureftpd.pdb -L 2000:8 -m 4 -s -T 8 -U 133:022 -u 100 -w -r -i -O clf:/var/log/pureftpd.log -g /var/run/pure-ftpd.pid -k 90 -Z

Apparently the Perl script converts the conf entries into command-line options.

Well, maybe this helps others.

regards R2K
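
What the thread arrives at, as an added example that is not part of the original posts or the pure-ftpd project: a check that lists directives enabled in the conf file that have no matching flag on the command line the daemon was actually started with. The directive-to-flag pairs are read off the conf and the pure-config.pl command line quoted in this thread; CONF and the two command lines are constructed samples, and the parser assumes separate short flags as pure-config.pl prints them.

```python
import shlex

# Directive -> pure-ftpd flag, limited to pairs visible in this thread
# (the conf posted above vs. the command line printed by pure-config.pl).
FLAG_FOR = {
    "ChrootEveryone": "-A", "NoAnonymous": "-E", "AntiWarez": "-s",
    "AnonymousCantUpload": "-i", "CustomerProof": "-Z", "VerboseLog": "-d",
    "MinUID": "-u", "MaxClientsPerIP": "-C", "MaxDiskUsage": "-k",
}
# Flags on that command line that consume the following argument.
TAKES_VALUE = set("cCfIlLmTUuOgk")


def enabled_directives(conf_text):
    """Return {directive: value} for active lines (uncommented, not 'no')."""
    active = {}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0] in FLAG_FOR and parts[1].strip() != "no":
            active[parts[0]] = parts[1].strip()
    return active


def flags_in(cmdline):
    """Collect the short flags actually passed to pure-ftpd."""
    args, seen, i = shlex.split(cmdline), set(), 1
    while i < len(args):
        if args[i].startswith("-") and len(args[i]) == 2:
            seen.add(args[i])
            if args[i][1] in TAKES_VALUE:
                i += 1  # skip the flag's value
        i += 1
    return seen


def not_applied(conf_text, cmdline):
    """Directives enabled in the conf that the given command line lacks."""
    seen = flags_in(cmdline)
    return sorted(d for d in enabled_directives(conf_text) if FLAG_FOR[d] not in seen)


# Constructed sample: a few directives taken from the conf in this thread.
CONF = "ChrootEveryone yes\nNoAnonymous yes\nAntiWarez yes\n# NoChmod yes\nAnonymousOnly no\n"
DIRECT_START = "pure-ftpd -l puredb:/etc/pureftpd.pdb"
WRAPPER_START = ("/usr/sbin/pure-ftpd -A -c 5 -B -C 3 -d -E -f ftp -I 15 "
                 "-l puredb:/etc/pureftpd.pdb -s -Z")

if __name__ == "__main__":
    print(not_applied(CONF, DIRECT_START))   # daemon started without the wrapper
    print(not_applied(CONF, WRAPPER_START))  # daemon started with translated flags
```

On a live host the command line to compare against can be taken from the process list for the running pure-ftpd instead of the constructed strings.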