That stopped the messages in ban.log but didn't fix the problem. I suspect the excessive connections were a symptom not the cause.
I looked in var/log/messages and I see a bunch of lines like this, not sure what they mean or why they are occurring now and not previously. Customer would be using site admin credentials, wouldn't even know root login.

Jul 30 14:31:06 blueonyx proftpd[5435]: 69.49.197.254 (198.74.49.153[198.74.49.153]) - ROOT PRIVS: unable to seteuid(): Operation not permitted
Jul 30 14:31:06 blueonyx proftpd[5435]: 69.49.197.254 (198.74.49.153[198.74.49.153]) - ROOT PRIVS: unable to setegid(): Operation not permitted
Jul 30 14:31:06 blueonyx proftpd[5435]: 69.49.197.254 (198.74.49.153[198.74.49.153]) - RELINQUISH PRIVS: unable to seteuid(PR_ROOT_UID): Operation not permitted
Jul 30 14:31:06 blueonyx proftpd[5434]: 69.49.197.254 (198.74.49.153[198.74.49.153]) - ROOT PRIVS: unable to seteuid(): Operation not permitted
Jul 30 14:31:06 blueonyx proftpd[5434]: 69.49.197.254 (198.74.49.153[198.74.49.153]) - ROOT PRIVS: unable to setegid(): Operation not permitted
Jul 30 14:31:06 blueonyx proftpd[5434]: 69.49.197.254 (198.74.49.153[198.74.49.153]) - RELINQUISH PRIVS: unable to seteuid(PR_ROOT_UID): Operation not permitted
Jul 30 14:31:06 blueonyx xinetd[4347]: START: ftp pid=5436 from=::ffff:198.74.49.153
Jul 30 14:31:08 blueonyx proftpd[5436]: 69.49.197.254 (198.74.49.153[198.74.49.153]) - ROOT PRIVS: unable to seteuid(): Operation not permitted
Jul 30 14:31:08 blueonyx proftpd[5436]: 69.49.197.254 (198.74.49.153[198.74.49.153]) - ROOT PRIVS: unable to setegid(): Operation not permitted
Jul 30 14:31:08 blueonyx proftpd[5436]: 69.49.197.254 (198.74.49.153[198.74.49.153]) - RELINQUISH PRIVS: unable to seteuid(PR_ROOT_UID): Operation not permitted

-----Original Message-----
From: Blueonyx <blueonyx-boun...@mail.blueonyx.it> On Behalf Of Michael Stauber
Sent: Tuesday, July 30, 2019 12:20 PM
To: blueonyx@mail.blueonyx.it
Subject: [BlueOnyx:23043] Re: CushyCMS and ProFTPD

Hi Ken,

> Given the timeframe, I am wondering if this is related to the recent
> update to ProFTPD. I am seeing a bunch of zero second connections
> from the CushyCMS IP address and in ban.log I am seeing that IP
> address getting banned due to excessive client connection rate. I
> have not edited those settings, it appears that >30 connections in 60
> seconds will get the IP banned for 1 hour. This only seems to have
> started happening in the past week or so, but as near as I can
> determine, the mod_ban configuration is not new, I don't think the
> recent update changed it.

What's different is that the new ProFTPd has mod_ban and mod_geoip activated by default. In your case it's most likely mod_ban that is causing the issues.

In both /etc/proftpd.conf and /etc/proftpds.conf you have that in this section:

# mod_ban configuration:
<IfModule mod_ban.c>
BanEngine on
BanLog /var/log/proftpd/ban.log
BanTable /var/log/proftpd/ban.tab
BanOnEvent MaxLoginAttempts 30/00:10:00 00:30:00
BanOnEvent ClientConnectRate 30/00:01:00 01:00:00
BanControlsACLs all allow group wheel
</IfModule>

I stripped out the comments in this email as they would line wrap.

Just comment out this section in /etc/proftpd.conf and /etc/proftpds.conf by putting a "#" at the beginning of each line of that block and restart xinetd:

service xinetd restart

...or...

systemctl restart xinetd

Then see if that helps.

--
With best regards

Michael Stauber

_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
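Added example, not part of the original thread and not BlueOnyx or ProFTPD code: a Python check that replays the xinetd "START: ftp" lines from the messages log against the ClientConnectRate rule quoted above (30/00:01:00) to see which client addresses would reach it. The function names, the documentation-range sample addresses, the year (syslog lines carry none) and the "count reaches the limit inside the window" reading of the rule are assumptions; mod_ban's own counting may differ in detail.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the xinetd line format quoted in the thread.
START_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ xinetd\[\d+\]: START: ftp pid=\d+ from=(\S+)")

def parse_rule(rule):
    """Turn a BanOnEvent frequency such as '30/00:01:00' into (count, window)."""
    count, window = rule.split("/")
    h, m, s = (int(part) for part in window.split(":"))
    return int(count), timedelta(hours=h, minutes=m, seconds=s)

def peak_rates(lines, window, year=2019):
    """Return {ip: highest number of FTP connects seen in any sliding window}."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        m = START_RE.match(line)
        if not m:
            continue              # proftpd and other lines are ignored
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2).replace("::ffff:", "", 1)  # IPv4-mapped IPv6 prefix
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)

def over_threshold(lines, rule="30/00:01:00"):
    """IPs whose peak connect count reaches the rule's limit (assumed semantics)."""
    limit, window = parse_rule(rule)
    return {ip: n for ip, n in peak_rates(lines, window).items() if n >= limit}

def sample_log():
    """Constructed sample: one client connecting every second, one every 90 s."""
    base = datetime(2019, 7, 30, 14, 31, 0)
    fmt = "{:%b %d %H:%M:%S} blueonyx xinetd[4347]: START: ftp pid={} from=::ffff:{}"
    busy = [fmt.format(base + timedelta(seconds=i), 5000 + i, "192.0.2.10")
            for i in range(31)]
    quiet = [fmt.format(base + timedelta(seconds=90 * i), 6000 + i, "192.0.2.20")
             for i in range(3)]
    return busy + quiet

if __name__ == "__main__":
    print(over_threshold(sample_log()))
```

To run it against a real log, pass the lines of /var/log/messages to over_threshold() instead of sample_log().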