I'm using Ubuntu 9.10 and followed this guide when I was installing: http://www.howtoforge.com/perfect-server-ubuntu-9.10-ispconfig-3

When I try to connect to one of the accounts I've made, I get this error:

Code:
Status: Resolving address of kidd.domain.se
Status: Connecting to 62.13.x.124:21...
Status: Connection attempt failed with "ECONNREFUSED - Connection refused by server".
Error: Could not connect to server
Status: Waiting to retry...

I don't know where to find all the logs, but I have one (not sure exactly what/where it's from, but the system told me that I have new mail: "You have mail in /var/mail/root"). This is what was in that file:

Code:
From [email protected] Thu Dec 3 06:25:47 2009
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from localhost (localhost.localdomain [127.0.0.1])
    by myhost.se (Postfix) with ESMTP id 013C3FB7B
    for <[email protected]>; Thu, 3 Dec 2009 06:25:47 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at myhost.se
Received: from d-g.se ([127.0.0.1])
    by localhost (myhost.se [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id RJxwcajblg+u for <[email protected]>;
    Thu, 3 Dec 2009 06:25:44 +0100 (CET)
Received: by myhost.se (Postfix, from userid 0)
    id AD254FB71; Thu, 3 Dec 2009 06:25:44 +0100 (CET)
Subject: [rkhunter] myhost.se - Daily report
To: [email protected]
Message-Id: <[email protected]>
Date: Thu, 3 Dec 2009 06:25:44 +0100 (CET)
From: [email protected] (root)

Warning: The file properties have changed:
    File: /usr/bin/awk
    Current inode: 52041 Stored inode: 2380
    Current file modification time: 1259789840
    Stored file modification time : 1259766866
Warning: The file '/usr/bin/gawk' exists on the system, but it is not present in the rkhunter.dat file.
Warning: The file '/usr/sbin/inetd' exists on the system, but it is not present in the rkhunter.dat file.
Warning: The file '/usr/sbin/unhide' exists on the system, but it is not present in the rkhunter.dat file.
Warning: The file '/usr/sbin/unhide-linux26' exists on the system, but it is not present in the rkhunter.dat file.
Warning: The SSH and rkhunter configuration options should be the same:
    SSH configuration option 'PermitRootLogin': yes
    Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
Warning: Hidden directory found: /dev/.udev
Warning: Hidden directory found: /dev/.initramfs
Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
Warning: Application 'php', version '5.2.10', is out of date, and possibly a security risk.
Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

The file /var/log/rkhunter.log contains a lot (but almost only the error above). Do you want me to post that? Where do I find more logs (for the FTP)? I get the same result from the FTP even if I try with a username and password that I know are wrong.

The only thing I could find in that log regarding pure-ftpd was:

Code:
Dec 3 10:45:01 myhost pure-ftpd: ([email protected]) [INFO] New connection from localhost.localdomain
Dec 3 10:45:01 myhost pure-ftpd: ([email protected]) [INFO] Logout.

I found that many times.

Log files are in /var/log/. That rkhunter mail is probably because you haven't updated its database yet. Run:

Code:
rkhunter --propupd

Now I got this, is that OK?

Code:
root@myhost:~# rkhunter --propupd
[ Rootkit Hunter version 1.3.4 ]
File updated: searched for 152 files, found 126

netstat -tap

Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address            Foreign Address          State        PID/Program name
tcp        0      0 mydomain.se:domain       *:*                      LISTEN       24263/mydns
tcp        0      0 localhost.locald:domain  *:*                      LISTEN       24263/mydns
tcp        0      0 *:ssh                    *:*                      LISTEN       731/sshd
tcp        0      0 *:smtp                   *:*                      LISTEN       23422/master
tcp        0      0 localhost.localdo:10024  *:*                      LISTEN       23476/amavisd (mast
tcp        0      0 localhost.localdo:10025  *:*                      LISTEN       23422/master
tcp        0      0 *:mysql                  *:*                      LISTEN       23190/mysqld
tcp        0      0 mydomain.se:ssh          fh67n1-sus-a11.ia:52724  ESTABLISHED  15791/0
tcp        0      0 localhost.localdo:45473  localhost.localdo:mysql  ESTABLISHED  23898/amavisd (ch5-
tcp        0      0 localhost.localdo:mysql  localhost.localdo:45473  ESTABLISHED  23190/mysqld
tcp6       0      0 localhost:domain         [::]:*                   LISTEN       24263/mydns
tcp6       0      0 [::]:ssh                 [::]:*                   LISTEN       731/sshd
tcp6       0      0 [::]:https               [::]:*                   LISTEN       5999/apache2
tcp6       0      0 [::]:imaps               [::]:*                   LISTEN       24167/couriertcpd
tcp6       0      0 [::]:pop3s               [::]:*                   LISTEN       24203/couriertcpd
tcp6       0      0 [::]:pop3                [::]:*                   LISTEN       24182/couriertcpd
tcp6       0      0 [::]:imap2               [::]:*                   LISTEN       24146/couriertcpd
tcp6       0      0 [::]:http-alt            [::]:*                   LISTEN       5999/apache2
tcp6       0      0 [::]:www                 [::]:*                   LISTEN       5999/apache2

iptables -L

Code:
Chain INPUT (policy ACCEPT)
target        prot opt source    destination
fail2ban-ssh  tcp  --  anywhere  anywhere     multiport dports ssh

Chain FORWARD (policy ACCEPT)
target        prot opt source    destination

Chain OUTPUT (policy ACCEPT)
target        prot opt source    destination

Chain fail2ban-ssh (1 references)
target        prot opt source    destination
RETURN        all  --  anywhere  anywhere

You have new mail in /var/mail/root

Here is the mail:

Code:
From [email protected] Fri Dec 11 06:25:39 2009
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from localhost (localhost.localdomain [127.0.0.1])
    by mydomain.se (Postfix) with ESMTP id 784BFFB95
    for <[email protected]>; Fri, 11 Dec 2009 06:25:39 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mydomain.se
Received: from mydomain.se ([127.0.0.1])
    by localhost (mydomain.se [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id zUeB-ZIsoFtE for <[email protected]>;
    Fri, 11 Dec 2009 06:25:38 +0100 (CET)
Received: by mydomain.se (Postfix, from userid 0)
    id D3B2F29CA; Fri, 11 Dec 2009 06:25:37 +0100 (CET)
Subject: [rkhunter] mydomain.se - Daily report
To: [email protected]
Message-Id: <[email protected]>
Date: Fri, 11 Dec 2009 06:25:37 +0100 (CET)
From: [email protected] (root)

Warning: The SSH and rkhunter configuration options should be the same:
    SSH configuration option 'PermitRootLogin': yes
    Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
Warning: Hidden directory found: /dev/.udev
Warning: Hidden directory found: /dev/.initramfs
Warning: Application 'gpg', version '1.4.9', is out of date, and possibly a security risk.
Warning: Application 'openssl', version '0.9.8g', is out of date, and possibly a security risk.
Warning: Application 'php', version '5.2.10', is out of date, and possibly a security risk.
Warning: Application 'sshd', version '5.1p1', is out of date, and possibly a security risk.

Starting ftp server: /usr/sbin/pure-ftpd-wrapper: Invalid configuration file /etc/pure-ftpd/conf/DontResolve: ".yes." not convertible to true or false
In DontResolve: .yes.
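
The wrapper error in the last post points at the bytes stored in the DontResolve option file. The script below is an added example, not part of the thread or of pure-ftpd, that checks such one-value option files for stray bytes and unrecognised words. The accepted spellings, the function names and the sample files (including the guess that the dots stand for non-printable bytes) are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): check boolean option files such as
# /etc/pure-ftpd/conf/DontResolve for values the wrapper cannot convert.
# Assumption: the accepted spellings are yes/no/true/false/on/off/1/0.

# Print "ok", "stray-bytes" or "not-boolean" for one option file.
classify_bool_file() {
    local file="$1" stray value
    # Count bytes that are neither printable ASCII nor newline (CR, BOM, ...).
    stray=$(LC_ALL=C tr -d '[:print:]\n' < "$file" | wc -c | tr -d ' ')
    if [ "$stray" -gt 0 ]; then
        echo "stray-bytes"; return 1
    fi
    # $(...) strips the trailing newline; compare case-insensitively.
    value=$(tr '[:upper:]' '[:lower:]' < "$file")
    case $value in
        yes|no|true|false|on|off|1|0) echo "ok"; return 0 ;;
        *) echo "not-boolean"; return 1 ;;
    esac
}

# Check the named options in a conf directory; dump the bytes of any bad one.
check_conf_dir() {
    local dir="$1" bad=0 opt verdict
    shift
    for opt in "$@"; do
        [ -f "$dir/$opt" ] || continue
        verdict=$(classify_bool_file "$dir/$opt") || bad=$((bad + 1))
        printf '%-16s %s\n' "$opt" "$verdict"
        [ "$verdict" = ok ] || od -c "$dir/$opt"
    done
    return "$bad"   # number of option files that failed the check
}

# Constructed sample directory standing in for /etc/pure-ftpd/conf.
make_sample_conf() {
    local dir
    dir=$(mktemp -d)
    printf '\357\273\277yes\r\n' > "$dir/DontResolve"   # BOM + CR around "yes"
    printf 'yes\n' > "$dir/ChrootEveryone"              # clean value
    printf 'maybe\n' > "$dir/NoAnonymous"               # wrong word
    echo "$dir"
}

sample=$(make_sample_conf)
check_conf_dir "$sample" DontResolve ChrootEveryone NoAnonymous || true
rm -rf "$sample"
```

On a real server, point `check_conf_dir` at /etc/pure-ftpd/conf with the boolean options in use there; rewriting a flagged file with a plain `yes` or `no` and one newline removes the stray bytes.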