Simple FTP question

#1 Sun, 05/17/2009 - 22:09
Anonymous

Simple FTP question

Hi, Sorry for such a basic question but up until now I have been using smartFTP which just asks for website name, user and password.

Now, I decided to try out KompoZer for updating one of my websites. The ftp'ed web pages get sent to a separate folder under the ftp user rather than the public_html.

Here is the settings panel:

[img size=500]http://www.heavyhoster.com/images/prime02.jpg[/img]

Now the website that I am trying to ftp to is on my server running under VirtualMin Pro and is on domain: prime-servers.com

I have set a new mail/ftp user called "primus" so its user name in full is primus.prime@prime-servers.com

When I view the server after a "successful" publish with KompoZer I find this.

[img size=500]http://www.heavyhoster.com/images/prime03.jpg[/img]

You see, I have a new directory called primus and my new index.html is there when I really wanted it in the public_html directory.

Is this because of a setting that I have incorrectly set ?

Sun, 05/17/2009 - 22:37
Davvit

I have tried to access the public_html with my
admin username and password and with this
publishing settings:

[img size=500]http://www.heavyhoster.com/images/prime04.jpg[/img]

But I always get a "530 Login incorrect" error when I try this even though I have double checked my password several times.

Please help as I am somewhat stuck :o(

Sun, 05/17/2009 - 22:44 (Reply to #2)
Joe

What's in the logs? (secure.log and proftpd.log, probably)

--

Check out the forum guidelines!

Mon, 05/18/2009 - 05:48 (Reply to #3)
ronald

I suggest not to block those attacks. They are constant and you'd end up blocking IPs for the rest of your adminlife and possibly blocking dynamic IPs which may end up being used by potential customers in the future.

Anyway, short story: have strong passwords. Keep an eye on the logs just in case one IP is attacking the server longer than a few hours.

Mon, 05/18/2009 - 07:54 (Reply to #4)
Davvit

Thanks for your input :)

Sun, 05/17/2009 - 22:55
Davvit

I just took a look at the secure log and found the last batch of entries
do not have my log-in attempts but show this:

May 18 00:51:39 heavyhoster vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=kelvin rhost=customer-static-123-168-138.iplannetworks.net
May 18 00:51:39 heavyhoster vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user kelvin
May 18 00:51:44 heavyhoster vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 18 00:51:44 heavyhoster vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=kennedy rhost=customer-static-123-168-138.iplannetworks.net
May 18 00:51:44 heavyhoster vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user kennedy
May 18 00:51:47 heavyhoster vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 18 00:51:47 heavyhoster vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=kennedy rhost=customer-static-123-168-138.iplannetworks.net
May 18 00:51:47 heavyhoster vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user kennedy
May 18 00:51:51 heavyhoster vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 18 00:51:51 heavyhoster vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=kennedy rhost=customer-static-123-168-138.iplannetworks.net
May 18 00:51:51 heavyhoster vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user kennedy
May 18 00:51:55 heavyhoster vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 18 00:51:55 heavyhoster vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=kenneth rhost=customer-static-123-168-138.iplannetworks.net
May 18 00:51:55 heavyhoster vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user kenneth
May 18 00:51:59 heavyhoster vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 18 00:51:59 heavyhoster vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=kenneth rhost=customer-static-123-168-138.iplannetworks.net
May 18 00:51:59 heavyhoster vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user kenneth

Does this mean someone or possibly a "bot" is trying to break in ?

Sun, 05/17/2009 - 23:03
Davvit

I narrowed the search down to look for "prime" and got these results:

May 18 00:30:26 heavyhoster vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=prime rhost=78.167.110.237 user=prime
May 18 00:32:40 heavyhoster vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=prime rhost=78.167.110.237 user=prime
May 18 00:57:17 heavyhoster vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=prime rhost=78.167.110.237 user=prime
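
Added example, not part of any post in this thread: one way to separate the two patterns in the excerpts above, a source cycling through usernames that do not exist versus repeated failures on the real account "prime", by grouping the pam_unix failure lines per rhost. The function name `summarize`, the `year` default and the `min_names` threshold are assumptions made for this sketch, as is reading a trailing `user=` as "the account exists", which matches the lines posted here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from the two secure-log excerpts posted in this thread.
SAMPLE = """\
May 18 00:30:26 heavyhoster vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=prime rhost=78.167.110.237 user=prime
May 18 00:51:39 heavyhoster vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=kelvin rhost=customer-static-123-168-138.iplannetworks.net
May 18 00:51:44 heavyhoster vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
May 18 00:51:44 heavyhoster vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=kennedy rhost=customer-static-123-168-138.iplannetworks.net
May 18 00:51:55 heavyhoster vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=kenneth rhost=customer-static-123-168-138.iplannetworks.net
May 18 00:57:17 heavyhoster vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=prime rhost=78.167.110.237 user=prime
"""

FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ vsftpd: pam_unix\(vsftpd:auth\): "
    r"authentication failure;.*?\bruser=(?P<ruser>\S*) rhost=(?P<rhost>\S+)"
    r"(?: +user=(?P<user>\S+))?"
)

def summarize(log_text, year=2009, min_names=3):
    """Group failures by rhost; year (absent from syslog) and min_names are assumptions."""
    hosts = defaultdict(lambda: {"times": [], "tried": set(), "existing": set()})
    for line in log_text.splitlines():
        m = FAIL.match(line)
        if not m:
            continue  # "check pass" and pam_succeed_if lines carry no rhost
        h = hosts[m["rhost"]]
        h["times"].append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
        h["tried"].add(m["ruser"])
        if m["user"]:  # assumption: user= is appended only for existing accounts
            h["existing"].add(m["user"])
    report = {}
    for rhost, h in hosts.items():
        unknown = h["tried"] - h["existing"]
        report[rhost] = {
            "failures": len(h["times"]),
            "unknown_names": sorted(unknown),
            "existing_accounts": sorted(h["existing"]),
            "span_seconds": int((max(h["times"]) - min(h["times"])).total_seconds()),
            "verdict": "username guessing" if len(unknown) >= min_names
                       else "repeated failure on an existing account" if h["existing"]
                       else "isolated failures",
        }
    return report

if __name__ == "__main__":
    for rhost, info in summarize(SAMPLE).items():
        print(rhost, info)
```

Run over the full log, `span_seconds` shows how long a single source has been at it.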

Sun, 05/17/2009 - 23:14 (Reply to #7)
Joe

That looks like a simple authentication failure. Does user "prime" have a shell that is listed in /etc/shells?


Mon, 05/18/2009 - 00:02
Davvit

In the /etc/shells file I have this:

/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
/bin/ksh
/bin/false

Mon, 05/18/2009 - 00:08 (Reply to #9)
Joe

And, is prime's shell in that list?


Mon, 05/18/2009 - 00:27
Davvit

I have no idea.

That is the complete list!

It doesn't mean anything to me.

The server(hardware) has over 30 servers on it, so I don't know
what this little list is supposed to be!

Mon, 05/18/2009 - 00:54 (Reply to #11)
Joe

Hehehe...look at the user "prime" in Webmin->System->Users and Groups. What's his shell? Is it in that list? (You could also look in /etc/passwd)


Mon, 05/18/2009 - 00:59
Davvit

OK - have solved it :)

I don't know why the password was not working but I changed the
server admin password.

Interestingly, when I tried to "publish", KompoZer sent the file to the "prime" directory.

To get it into the "www" area I had to stipulate the
public_html/ sub-directory as the location.

Anyway, thanks for your help - I still have that question about all those access attempts that show up in my secure log coming in from:
customer-static-123-168-138.iplannetworks.net

(see 5 posts earlier)

What is happening here - is it some kind of attack ?
Should I block that IP address ?
Is this "normal" activity ?

Your advice/comment would be much appreciated.

Thanks again.

Mon, 05/18/2009 - 01:07 (Reply to #13)
Joe

I don't know. Only you know who is supposed to be contacting your server, and what they're supposed to be doing with it. ;-)

I suspect yes, it is an attack. And yes, you could block it, if you want to.

