LinuxHostingSupport

Shell Script to search Failed Ftp Login Attempts

This Shell script will search the server logs on daily basis and will email you the Failed Ftp Login Attempts of the day. The ftp logs are saved in the /var/log/messages file as by default there is no separate log file for Ftp in Linux.

Create a file /home/script/failedftp.sh and paste the below code:

#!/bin/bash

#Retrieve the current date

CUR_DATE=`date +”%b %e”`

#Create a temporary file to store the logs
touch /tmp/out.txt

echo “List Follows” > /tmp/out.txt

#Search the failed attempts and save in the temporary file

/bin/grep “$CUR_DATE” /var/log/messages | grep pure-ftpd | grep failed >> /tmp/out.txt

#Email the contents of the file to your email address
/bin/mail -s “Failed Ftp Login Attempts on ‘$CUR_DATE’ ” youremail@yourdomain.com < /tmp/out.txt

Save the file. You now have to schedule a cron to execute the file once in a day to search logs. Edit the cron file

crontab -e

and add the following cron job

59 23 * * * /bin/sh /home/script/failedftp.sh

Note:

1) This script will work with Pure-Ftpd server. You will have to edit the search string a bit according to your Ftp server.

2) If you copy/paste the script as it is in shell, the single and double quotes may change to dots (.) so make sure you correct them before executing the script.

How to Disable Directory Listing? You may want to hide directory listings because by default Webservers look for an index file under every directory and if not found, they list the files and directories under it on browsing the directory.

To disable Directory Listing for an account recursively:

1) Create a .htaccess file under the directory

vi .htaccess

2) Add Options directive as follows:

Options -Indexes

3) Save the file.

You now will see a Forbidden message on accessing a directory that do not include an index file.

Error:

Error message “Error: Unable to create the domain example.com because a DNS record pointing to the host example.com already exists.”

The error message is displayed when you add a domain from Plesk control panel and it fails. The reason it fails is because the DNS records of the domain already exist in the psa database. The tables dns_recs and dns_zone holds the DNS records for a domain.

In order to add the domain example.com, you will have to remove the DNS entries from the tables dns_recs and dns_zone.

1) Goto Mysql prompt:

root@host [~]# mysql -uadmin -p `cat /etc/psa/.psa.shadow`

2) Use the psa database

mysql>  use psa;

3) Remove the DNS entries from the dns_recs and dns_zone tables:

mysql> delete from dns_recs where dns_zone_id=10;
mysql> delete from dns_zone where id=10;

where, 10 is the dns_zone_id of the domain example.com.

4) Restart the mysql service:

root@host [~]# service mysqld restart

You should now be able to add the domain from Plesk control panel successfully.

Error:

root@host [~]#  psql databasename < dump.sql

ERROR:  invalid byte sequence for encoding “UTF8”: 0xd1e9
HINT:  This error can also happen if the byte sequence does not match the encoding expected by the server, which is controlled by “client_encoding”.

The above error is received while restoring a pgsql dump and when the clicnt_encoding of the database is mismatched.

Solution:

1) Edit the dump.sql file

vi dump.sql

2) Change the line

SET client_encoding = ‘SQL_ASCII’;

to

SET client_encoding = ‘latin-1’;

i.e. you need to change the client_encoding from ‘SQL_ASCII’ to ‘latin-1’.

3) Save the file and restore the database once again.

Chkrootkit scan result: INFECTED (PORTS: 465) + Possible LKM Trojan installed

You may see the following output in the chkrootkit scan:

INFECTED (PORTS: 465)
You have 1 process hidden for readdir command
You have 1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed

The server is not infected but these are false positives.

The warning “INFECTED (PORTS: 465)” is a false alarm and can be ignored. The port 465 belogs to SMTPS service and if not in use, you can block it using iptables to avoid the false alarm.

Regarding “chkproc: Warning: Possible LKM Trojan installed”, it is generated when a process is killed and initiated when chkrootkit is running. Normally, you see whether they were php, perl or someother processes.