
0 votes
Connection to ftp is working but I have a lot of errors
I have 10 connections / min for pool incoming file and it is very annoying with 4 failure logs on each connection:
Connection is from the internal network and from external through openvpn to the internal ip

Oct 28 20:34:37 server proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd25820 ruser=user01 rhost= user=user01
Oct 28 20:34:37 server proftpd: pam_unix(proftpd:session): session opened for server user01 by (uid=0)
Oct 28 20:34:37 server proftpd[25820]: ([]) - server user01: Login successful.
Oct 28 20:34:37 server proftpd: pam_env(proftpd:setcred): Unable to open config file: /etc/security/pam_env.conf: No such file or directory
Oct 28 20:34:37 server proftpd: pam_systemd(proftpd:session): Failed to connect to system bus: No such file or directory
Oct 28 20:34:37 server proftpd: pam_unix(proftpd:session): session closed for server user01
Oct 28 20:34:37 server proftpd: pam_ldap(proftpd:session): error opening connection to nslcd: No such file or directory
Monday, October 28 2019, 07:46 PM
Responses (6)
  • Accepted Answer

    Monday, October 28 2019, 08:53 PM - #Permalink
    0 votes
    Rsyslog contains some good filtering possibilities. I have a number of filters for proftpd although they can probably be combined. Create a file /etc/rsyslog.d/anything_you_like.conf but it must end in .conf. A section of my file reads:
    # ProFTPD
    if ($programname == 'proftpd' and $msg contains 'ourfamily') then stop
    if ($programname == 'proftpd' and $msg contains 'Unable to open config file: /etc/security/pam_env.conf: Permission denied') then stop
    if ($programname == 'proftpd' and $msg contains 'Failed to connect to system bus: Permission denied') then stop
    if ($programname == 'proftpd' and $msg contains 'error opening connection to nslcd: Permission denied') then stop
    if ($programname == "systemd-logind") and (($msg contains "New session" and $msg contains "ourfamily") or $msg contains "Removed session") then stop
    Modify it as you like and combine lines if you want. Restart the rsyslog service after making any changes.
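Added example, not part of the thread: before dropping proftpd messages with filters like the ones above, a short triage over /var/log/secure shows which pam_unix failures were followed by a successful login in the same session and which were not. It assumes, based on the log lines quoted in this thread, that the number in `tty=/dev/ftpd<N>` is the same PID that appears in `proftpd[<N>]`; the sample log and all names in the code are constructed for illustration.

```python
import re

# Constructed sample in the format of the log lines quoted in the thread.
SAMPLE_LOG = """\
Oct 28 20:34:37 server proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd25820 ruser=user01 rhost= user=user01
Oct 28 20:34:37 server proftpd[25820]: ([]) - USER user01: Login successful.
Oct 28 20:35:02 server proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd25901 ruser=user02 rhost= user=user02
Oct 28 20:36:10 server proftpd[25977]: ([]) - USER user03: Login successful.
"""

# Assumption: the digits after /dev/ftpd are the session's proftpd PID.
FAIL_RE = re.compile(
    r"proftpd: pam_unix\(proftpd:auth\): authentication failure;"
    r".*\btty=/dev/ftpd(?P<pid>\d+)\b.*\buser=(?P<user>\S+)"
)
OK_RE = re.compile(
    r"proftpd\[(?P<pid>\d+)\]: .*USER (?P<user>\S+): Login successful"
)


def triage(log_text):
    """Return (superseded, unresolved) pam_unix failure lines.

    superseded: failures followed by 'Login successful' for the same PID and
                user, i.e. the session authenticated after pam_unix refused.
    unresolved: failures never followed by a success; these are the lines a
                blanket 'authentication failure' filter would hide.
    """
    pending = {}      # (pid, user) -> failure lines still awaiting a success
    superseded = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            pending.setdefault((m["pid"], m["user"]), []).append(line)
            continue
        m = OK_RE.search(line)
        if m:
            superseded.extend(pending.pop((m["pid"], m["user"]), []))
    unresolved = [l for lines in pending.values() for l in lines]
    return superseded, unresolved


if __name__ == "__main__":
    ok_after_fail, still_failed = triage(SAMPLE_LOG)
    print(f"{len(ok_after_fail)} superseded, {len(still_failed)} unresolved")
    for line in still_failed:
        print("REVIEW:", line)
```

PIDs are reused over time, so run it over one rotation of the log at a time rather than across months of history.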
  • Accepted Answer

    Tuesday, October 29 2019, 01:56 PM - #Permalink
    0 votes
    I know how to remove them but it is not particularly a good idea. You can edit /etc/clearos/events.d/20-user-auth.conf, I think, and add your own filter. The problem is that this is considered a system configuration file. If you change it then a new rpm will not update it any more. With 7.6 we pushed out a critical update to one of these files and for the people who had edited theirs, they did not get the update. Instead an /etc/clearos/events.d/20-user-auth.conf.rpmnew is created. It may also be possible to edit /etc/pam.d/system-auth-ac but I've had mixed success there.

    You can prune the events database quickly with:
    systemctl stop clearsync.service
    rm -f /var/lib/csplugin-events/events.db
    systemctl start clearsync.service
    There may be neater ways for just the proftpd events.
  • Accepted Answer

    Tuesday, October 29 2019, 01:32 PM - #Permalink
    0 votes
    solved for all logs in /var/log/secure
    Oct 29 15:26:04 server proftpd: pam_unix(proftpd:session): session opened for user user by (uid=0)
    Oct 29 15:26:04 server proftpd[10651]: ([]) - USER user: Login successful.
    Oct 29 15:26:04 server proftpd: pam_unix(proftpd:session): session closed for user user

    however in webapp https://server:81/app/events I have one failure log on each login

    Authentication failure for user via proftpd from 2019-10-29 15:26:04
    User user logged in via proftpd 2019-10-29 15:26:04
    User user logged out via proftpd 2019-10-29 15:26:04

    and another 100.000 ... I press acknowledge all and after a while I have a few thousand or tens of thousands to acknowledge
  • Accepted Answer

    Tuesday, October 29 2019, 01:46 PM - #Permalink
    0 votes
    solved for /var/log/secure

    Oct 29 15:26:04 server proftpd: pam_unix(proftpd:session): session opened for user user by (uid=0)
    Oct 29 15:26:04 server proftpd[10651]: ([]) - USER user: Login successful.
    Oct 29 15:26:04 server proftpd: pam_unix(proftpd:session): session closed for user user

    still present in webapp event and notification

    Authentication failure for user via proftpd from 2019-10-29 15:26:04
    User user logged in via proftpd 2019-10-29 15:26:04
    User user logged out via proftpd 2019-10-29 15:26:04
    Another issue with events and notifications is with the acknowledge message ... I press the button, the event is cleared, and a few thousand appear again
  • Accepted Answer

    Tuesday, October 29 2019, 05:51 PM - #Permalink
    0 votes
    Nick Howitt wrote:

    I know how to remove them but it is not particularly a good idea. You can edit /etc/clearos/events.d/20-user-auth.conf, I think, and add your own filter. The problem is that this is considered a system configuration file. If you change it then a new rpm will not update it any more. With 7.6 we pushed out a critical update to one of these files and for the people who had edited theirs, they did not get the update. Instead an /etc/clearos/events.d/20-user-auth.conf.rpmnew is created. It may also be possible to edit /etc/pam.d/system-auth-ac but I've had mixed success there.

    To remove what? All failure logins? No no no.... What is the point of this alert if I will filter it out?
    What I did with the previous message was to filter some messages so they do not enter the log file...
    I hope someone will point me in the right direction to make a setting to prevent this message from appearing in the first place. It is not normal for an authentication mechanism to work and generate 5 failure messages .... this is generated by an incorrectly configured service or/and authentication methods to that service.
    I am not an expert but the /etc/pam.d/system-auth-ac file is generated by authconfig? Maybe in this file some lines are in incorrect order or with incorrect parameters?

    Nick Howitt wrote:
    You can prune the events database quickly with:
    systemctl stop clearsync.service
    rm -f /var/lib/csplugin-events/events.db
    systemctl start clearsync.service
    There may be neater ways for just the proftpd events.

    this did the job, thanks
  • Accepted Answer

    Saturday, October 15 2022, 10:38 AM - #Permalink
    0 votes
    Is there still no solution? I have a camera connecting by FTP; this will generate thousands of errors, very annoying.