Author Topic: RootLogin event  (Read 847 times)

Offline Moltes

  • New user
  • *
  • Posts: 11
    • View Profile
RootLogin event
« on: October 06, 2016, 11:50:15 am »
Hello,
I'm running proftpd 1.3.5b with mod_ban 0.6.2.

I would like to set up BanOnEvent using the RootLogin event.
I configured proftpd following this advice (http://www.proftpd.org/docs/contrib/mod_ban.html#Usage):
BanOnEvent mod_auth.root-login 2/00:10:00 06:00:00

But when I try to log in using the root username, there are no events generated.

Can you tell me how the RootLogin event is thrown?

Thanks.

Offline castaglia

  • Administrator
  • Support Hero
  • *****
  • Posts: 5335
    • View Profile
    • http://www.castaglia.org/
Re: RootLogin event
« Reply #1 on: October 07, 2016, 03:23:47 am »
Do you have "RootLogin on" in your proftpd.conf somewhere?

Offline Moltes

Re: RootLogin event
« Reply #2 on: October 07, 2016, 07:32:11 am »
No, RootLogin is off.

Offline castaglia

Re: RootLogin event
« Reply #3 on: October 07, 2016, 02:46:59 pm »
Hm, interesting.  Next question, then, is how you are determining whether a RootLogin event is generated?  Are you attempting to test the ban rule, specifically (thus requiring 2 root logins within 10 minutes), or watching for the internal "mod_auth.root-login" event to occur via logging?

Offline Moltes

Re: RootLogin event
« Reply #4 on: October 07, 2016, 03:28:35 pm »
RootLogin isn't explicitly disabled: no RootLogin directive is configured.

I try to log in using the root username.

I tried to use the "BanEvent RootLogin ..." directive: no changes.

Is there any debug message that I can export?

Offline castaglia

Re: RootLogin event
« Reply #5 on: October 08, 2016, 02:40:14 pm »
Not explicitly having the RootLogin directive in your proftpd.conf is fine.  As is using "BanOnEvent RootLogin ...".

Again, I must ask how, exactly, you are testing this configuration.  Logging in as the root user, only once, is not enough, assuming you are using "BanOnEvent RootLogin 2/00:10:00 06:00:00".  You would need to connect, attempt to log in as root, then disconnect.  Connect again, attempt to log in as root, disconnect.  Within 10 seconds.  Is that what you are doing, or are you simply connecting once, attempting to log in as root, and that is it?
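
How the frequency and duration fields of the rule quoted above interact, as an added example that is not part of the thread and not ProFTPD's own code: a simplified Python model, assuming a per-client counter that starts at the first event and is discarded once the interval has passed. The function names and the sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

def parse_hms(text):
    """Convert mod_ban's hh:mm:ss notation into a timedelta."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)

def parse_rule(line):
    """Split 'BanOnEvent <event> <count>/<interval> <duration>' into its parts."""
    directive, event, freq, duration = line.split()[:4]
    if directive != "BanOnEvent":
        raise ValueError("not a BanOnEvent line")
    count, interval = freq.split("/")
    return event, int(count), parse_hms(interval), parse_hms(duration)

def simulate(rule_line, events):
    """Replay (timestamp, client_ip) events and return {ip: (ban_start, ban_end)}.

    Assumed model (hypothetical, simplified): a client's counter starts at its
    first event, is discarded once the interval has passed, and a ban is added
    when the counter reaches the configured count.
    """
    _, count, interval, duration = parse_rule(rule_line)
    windows = {}   # ip -> (window_start, events_seen)
    bans = {}
    for ts, ip in sorted(events):
        if ip in bans and ts < bans[ip][1]:
            continue                      # already banned, nothing to count
        start, seen = windows.get(ip, (ts, 0))
        if ts - start > interval:
            start, seen = ts, 0           # old window expired, start a new one
        seen += 1
        if seen >= count:
            bans[ip] = (ts, ts + duration)
            windows.pop(ip, None)
        else:
            windows[ip] = (start, seen)
    return bans

RULE = "BanOnEvent RootLogin 2/00:10:00 06:00:00"
T0 = datetime(2016, 10, 10, 9, 50, 0)
# Constructed sample events (documentation-range addresses, not from the thread).
SAMPLE = [
    (T0, "192.0.2.10"),                              # single attempt: no ban
    (T0, "198.51.100.7"),
    (T0 + timedelta(minutes=4), "198.51.100.7"),     # 2nd within 10 min: ban
    (T0, "203.0.113.5"),
    (T0 + timedelta(minutes=11), "203.0.113.5"),     # 2nd after window: no ban
]
```

Calling `simulate(RULE, SAMPLE)` bans only the client whose second event falls inside the ten-minute interval, and the ban lasts the six hours given as the rule's last field.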

Offline Moltes

Re: RootLogin event
« Reply #6 on: October 10, 2016, 09:51:34 am »
I run FileZilla, trying to connect using the root username.
I try to connect. The server answers "530 Login incorrect." The log files show "USER root: no such user found from".
Then I retry more than once without any time between 2 attempts.

When I query "ftpdctl ban info -e", there are no events logged.

I've already tried the same test on another setup. Everything was OK and ban events were OK.

Have you any idea why my new config (with the same directives) doesn't log RootLogin events?

Offline castaglia

Re: RootLogin event
« Reply #7 on: October 10, 2016, 03:30:18 pm »
Could you provide the full proftpd.conf that you are using?

Offline Moltes

Re: RootLogin event
« Reply #8 on: October 11, 2016, 07:33:08 am »
Here is the file.

Offline castaglia

Re: RootLogin event
« Reply #9 on: October 12, 2016, 02:04:21 am »
Are you using FileZilla as an SFTP client (i.e. connecting to the <VirtualHost> defined in the /etc/proftpd-sftp.conf file), or as an FTP client?

Offline Moltes

Re: RootLogin event
« Reply #10 on: October 12, 2016, 07:36:10 am »
Yes, I try FTP root login connections with FileZilla.
I also try to generate RootLogin events for mod_sftp using the sftp command line.
Neither generates RootLogin events.

 
