How can I find out what's accessing my ftp from localhost?
Quote:
krondor:/var/log# tail messages
Mar 18 17:34:49 krondor -- MARK --
Mar 18 17:45:02 krondor pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Mar 18 17:45:02 krondor pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Mar 18 18:14:49 krondor -- MARK --
Mar 18 18:34:49 krondor -- MARK --
Mar 18 18:54:49 krondor -- MARK --
Mar 18 18:55:01 krondor pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Mar 18 18:55:01 krondor pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Mar 18 19:00:01 krondor pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Mar 18 19:00:01 krondor pure-ftpd: (?@127.0.0.1) [INFO] Logout.
I'm uncertain how to figure out what's causing this to show in the log. I've looked through processes, crontabs, etc., and can't seem to find anything trying to access ftp... hope I posted in the right spot too... been a long time since I've been here...
Going by the time stamps, it looks like some sort of health check that's running at 5 minute slots .. check 'cron' and 'at' to see what you can find. Do you have anything like nagios?
Went through each user via crontab -l -u and no one is running a 5 minute cron.
Noticed though that cron was kinda borked?
Quote:
# cron
cron: can't lock /var/run/crond.pid, otherpid may be 1686: Resource temporarily unavailable
You can see from the log what time the next run is due. Why not run top just before that and just keep an eye on it. The process should show up (even if only briefly).
Another option is to use top's batch mode to automate that check; after a few runs you should catch it in action.
Maybe increase the logging 'VerboseLog yes' and restart the daemon, that should tell you the user logging in and any commands performed.
Got this now.. I found a batch of stuff running every 5 minutes, maybe from one cron that I cannot find ;\
Code:
Mar 22 09:10:01 krondor /USR/SBIN/CRON[32707]: (getmail) CMD (/usr/local/bin/run-getmail.sh > /dev/null 2>> /var/log/ispconfig/cron.log)
Mar 22 09:10:01 krondor /USR/SBIN/CRON[32706]: (www-data) CMD ([ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null)
Mar 22 09:10:01 krondor /USR/SBIN/CRON[32708]: (root) CMD (/usr/local/ispconfig/server/server.sh > /dev/null 2>> /var/log/ispconfig/cron.log)
Mar 22 09:10:01 krondor pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Mar 22 09:10:01 krondor pure-ftpd: (?@127.0.0.1) [DEBUG] Command [quit] []
Mar 22 09:10:01 krondor pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Mar 22 09:10:01 krondor postfix/smtpd[32691]: connect from localhost.localdomain[127.0.0.1]
Mar 22 09:10:01 krondor postfix/smtpd[32691]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
Mar 22 09:10:01 krondor postfix/smtpd[32691]: disconnect from localhost.localdomain[127.0.0.1]
Mar 22 09:10:01 krondor dovecot: pop3-login: Disconnected: rip=127.0.0.1, lip=127.0.0.1, secured
Mar 22 09:10:01 krondor dovecot: imap-login: Disconnected: rip=127.0.0.1, lip=127.0.0.1, secured
Quote:
Originally Posted by chrism01
You can see from the log what time the next run is due. Why not run top just before that and just keep an eye on it. The process should show up (even if only briefly).
Another option is to use top's batch mode to automate that check; after a few runs you should catch it in action.
I tried this, lol, so hard to find a process that connects and then disconnects within the second.. especially on a cloud server...
atm, I am going to ignore it, it doesn't look bad.. was thinking I could clean up my logs by finding and stopping this, but it may be part of how ispconfig works.. [apparently, it's ispconfig]
Last edited by yanger; 03-22-2013 at 08:19 AM.
Reason: adjusted quotes...
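The timestamp correlation done by eye in the thread can be automated. The following is an added example, not code from any poster or from ISPConfig: it ranks cron jobs by how often they start just before a localhost pure-ftpd connection. The sample log is constructed, modelled on the excerpt above with commands shortened, and the function names and the year default are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample modelled on the thread's syslog excerpt (commands shortened).
SAMPLE_LOG = """\
Mar 22 09:05:01 krondor /USR/SBIN/CRON[32601]: (getmail) CMD (/usr/local/bin/run-getmail.sh)
Mar 22 09:05:01 krondor /USR/SBIN/CRON[32602]: (root) CMD (/usr/local/ispconfig/server/server.sh)
Mar 22 09:05:02 krondor pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Mar 22 09:09:01 krondor /USR/SBIN/CRON[32650]: (www-data) CMD (awstats.pl -update)
Mar 22 09:10:01 krondor /USR/SBIN/CRON[32706]: (www-data) CMD (awstats.pl -update)
Mar 22 09:10:01 krondor /USR/SBIN/CRON[32707]: (getmail) CMD (/usr/local/bin/run-getmail.sh)
Mar 22 09:10:01 krondor /USR/SBIN/CRON[32708]: (root) CMD (/usr/local/ispconfig/server/server.sh)
Mar 22 09:10:01 krondor pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Mar 22 09:10:01 krondor pure-ftpd: (?@127.0.0.1) [INFO] Logout.
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (.*)$")
CRON = re.compile(r"CRON\[\d+\]: \((\S+)\) CMD \((.*)\)$")
PROBE = re.compile(r"pure-ftpd: .*New connection from 127\.0\.0\.1$")

def parse(log, year=2013):
    """Split syslog text into cron job starts and localhost FTP connections."""
    jobs, probes = [], []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Syslog omits the year, so it is supplied by the caller (assumption).
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        c = CRON.search(m.group(2))
        if c:
            jobs.append((ts, c.group(1), c.group(2)))
        elif PROBE.search(m.group(2)):
            probes.append(ts)
    return jobs, probes

def rank_cron_jobs(log, window=5):
    """Return (user, cmd, hits, runs): hits = connections within `window` s after a start."""
    jobs, probes = parse(log)
    runs = Counter((u, c) for _, u, c in jobs)
    hits = Counter()
    for p in probes:
        limit = timedelta(seconds=window)
        hits.update({(u, c) for ts, u, c in jobs if timedelta(0) <= p - ts <= limit})
    rows = [(u, c, hits[(u, c)], n) for (u, c), n in runs.items()]
    # Best candidates: most connections explained, fewest runs without one.
    return sorted(rows, key=lambda r: (-r[2], r[3] - r[2]))

if __name__ == "__main__":
    for user, cmd, hit, run in rank_cron_jobs(SAMPLE_LOG):
        print(f"{hit}/{run} runs followed by FTP connect: ({user}) {cmd}")
```

Jobs that tie at the top still have to be told apart by reading the scripts themselves; the ranking only narrows the list.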