Solved

On Solaris 5.9 we have ftpd daemon.error: ftpd[27184]: [ID 519079 daemon.error] user of x.x.x.x [x.x.x.x]: data connect from x.x.x.x for file list

Posted on 2006-06-07
Last Modified: 2013-12-27
Hi

We need to know about this error on ftpd, because this is a test environment and we need to apply this configuration in the production environment.

Messages:

Jun  6 10:24:46 host1 last message repeated 1 time
Jun  6 10:38:59 host1 ftpd[27150]: [ID 519079 daemon.error] user1 of x.x.x.109 [x.x.x.109]: data connect from x.x.5.137 for file list
Jun  6 10:38:59 host1 last message repeated 1 time
Jun  6 10:39:11 host1 ftpd[27153]: [ID 519079 daemon.error] user1 of x.x.x.109 [x.x.x.109]: data connect from x.x.5.137 for file list
Jun  6 10:39:11 host1 last message repeated 1 time
Jun  6 10:39:23 host1 ftpd[27159]: [ID 519079 daemon.error] user1 of x.x.x.109 [x.x.x.109]: data connect from x.x.5.137 for file list
Jun  6 10:39:23 host1 last message repeated 1 time
Jun  6 10:39:35 host1 ftpd[27161]: [ID 519079 daemon.error] user1 of x.x.x.109 [x.x.x.109]: data connect from x.x.5.137 for file list
Jun  6 10:39:35 host1 last message repeated 1 time
Jun  6 10:40:11 host1 ftpd[27171]: [ID 519079 daemon.error] user1 of x.x.x.109 [x.x.x.109]: data connect from x.x.5.136 for file list
Jun  6 10:40:11 host1 last message repeated 1 time
Jun  6 10:40:27 host1 ftpd[27176]: [ID 519079 daemon.error] user1 of x.x.x.109 [x.x.x.109]: data connect from x.x.5.136 for file list
Jun  6 10:40:27 host1 last message repeated 1 time
Jun  6 10:40:45 host1 ftpd[27184]: [ID 519079 daemon.error] user1 of x.x.x.109 [x.x.x.109]: data connect from x.x.5.136 for file list
Jun  6 10:40:45 host1 last message repeated 1 time
Jun  6 10:41:01 host1 ftpd[27187]: [ID 519079 daemon.error] user1 of x.x.x.109 [x.x.x.109]: data connect from x.x.5.136 for file list
Jun  6 10:41:01 host1 last message repeated 1 time
Jun  6 11:30:15 host1 ftpd[28357]: [ID 519079 daemon.error] user1 of x.x.x.109 [x.x.x.109]: data connect from x.x.5.137 for file list

Could you help me?

Thank you, regards.

maac001
LVL 22

Expert Comment

by:Brian Utterback
ID: 16855347
Sure. This message is saying that a user named user1 logged into ftpd from a system at the IP address x.x.x.109. This user then did a "dir" command, which generally causes the server to make a connection to the client, unless the PASV (passive) mode is in use, which it seems to be in this case. However, the connection that was made to the server did not come from IP address x.x.x.109, instead it came from x.x.5.137. Since this address is not on the list of addresses that can use PASV mode and it is not the same as the IP address the request came from, ftpd is warning you that there may be a PASV port stealing attack going on. The question is, why is this connection coming from a different IP address? It might be some odd NAT thing going on, or a weird network topology. Or maybe you really are using PASV mode in the classic way used before browsers started using it, and all you need to do is set pasv-allowed for this host.

Author Comment

by:maac001
ID: 16856652
Ok, blu.

In this environment (test) we have a content switch with x.x.x.109; it redirects to the x.x.x.107 ftp server. Users connect to x.x.x.109. But in the production environment we don't have any content switch and I see the same log (fewer times, 1 x day).

I plan to review the configuration on the client and server about PASV mode. Could you explain more about it to me?
We need load balancing because we have more services running on this server. We have webMethods software.

Thank you for your help.

Regards.
LVL 22

Accepted Solution

by: Brian Utterback (earned 500 total points)
ID: 16860842
Sure. In the normal course of affairs, FTP uses two TCP connections, one for control information and one for data. The control connection is just like the TCP connections made by most services, with the client initiating the connection to the server.

However, when a data connection is needed, FTP by default will have the server make a connection to the client. The client will tell the server via the control connection that it is listening at a particular port, and the server connects back to that port.

Passive mode reverses this normal sequence of affairs. In passive mode, the client makes the connection for the data channel as well. It was originally unusual for an FTP transfer to use passive mode, but now with the ubiquity of firewalls, it is much more common. The FTP protocol support in most web browsers uses it almost exclusively.

However, passive mode is susceptible to a port stealing attack. Since there is only one server, with a limited port space, it becomes feasible for an attacker to make connection attempts at random or predicted port numbers in the hope of finding one listening and about to make a file download. If it finds one, then it can read a file without authentication. This is considered a "Bad Thing".

Because having a passive connection come in from a different IP address is normally so rare, the FTP daemon yells when it detects it happening.

I hope that helps. I don't know enough about your particular network topology to say why you are getting these messages, but you should have enough info now so that you can understand them.
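As an added example (not part of the thread, and not Solaris ftpd's own code), the check both answers describe, run over the log lines from the question: each ftpd line carries the control-connection address and the data-connection address, and a mismatch that is not covered by a pasv-allowed list is what triggers the daemon.error. The allow set stands in for the pasv-allowed setting mentioned in the first answer; the last sample line is a constructed non-mismatching event for contrast.

```python
import re
from collections import Counter

# Pattern for the Solaris ftpd syslog line format shown in the question.
FTPD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ftpd\[(?P<pid>\d+)\]: "
    r"\[ID (?P<msgid>\d+) daemon\.(?P<sev>\w+)\] "
    r"(?P<user>\S+) of (?P<ctl_name>\S+) \[(?P<ctl_ip>[^\]]+)\]: "
    r"data connect from (?P<data_ip>\S+) for (?P<what>.+)$"
)

# Sample input: three lines copied from the question (masked addresses kept as-is),
# plus one constructed line where data and control addresses agree.
SAMPLE_LOG = """\
Jun  6 10:38:59 host1 ftpd[27150]: [ID 519079 daemon.error] user1 of x.x.x.109 [x.x.x.109]: data connect from x.x.5.137 for file list
Jun  6 10:38:59 host1 last message repeated 1 time
Jun  6 10:40:11 host1 ftpd[27171]: [ID 519079 daemon.error] user1 of x.x.x.109 [x.x.x.109]: data connect from x.x.5.136 for file list
Jun  6 11:30:15 host1 ftpd[28357]: [ID 519079 daemon.error] user1 of x.x.x.109 [x.x.x.109]: data connect from x.x.5.137 for file list
Jun  6 11:31:02 host1 ftpd[28360]: [ID 519079 daemon.error] user2 of x.x.x.50 [x.x.x.50]: data connect from x.x.x.50 for file list
"""

def parse_line(line):
    """Return the fields of one ftpd 'data connect' line, or None for other lines."""
    m = FTPD_RE.match(line)
    return m.groupdict() if m else None

def classify(event, pasv_allowed=frozenset()):
    """Mirror the daemon's check: the passive data connection should come from the
    control-connection address; an address on the allow list (a known content
    switch or NAT, as in the thread) is tolerated; anything else is a mismatch."""
    if event["data_ip"] == event["ctl_ip"]:
        return "ok"
    if event["data_ip"] in pasv_allowed:
        return "allowed"
    return "mismatch"

def audit(log_text, pasv_allowed=frozenset()):
    """Return (Counter of mismatches keyed by (user, ctl_ip, data_ip), verdict list)."""
    mismatches, verdicts = Counter(), []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # skips "last message repeated" and unrelated lines
        v = classify(ev, pasv_allowed)
        verdicts.append(v)
        if v == "mismatch":
            mismatches[(ev["user"], ev["ctl_ip"], ev["data_ip"])] += 1
    return mismatches, verdicts

if __name__ == "__main__":
    for key, n in audit(SAMPLE_LOG)[0].items():
        print("user %s: control %s, data from %s (%d times)" % (key + (n,)))
```

A recurring (user, control address, data address) triple that maps to a known load balancer or NAT is a configuration issue; a spread of unrelated data addresses against one control address is the pattern the daemon's warning exists for.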

Author Comment

by:maac001
ID: 16862856
Thanks for your help, blu.

Best Regards.