FTP 425 Connection Reset and Timeout Problem

Posted: Wed Sep 24, 2008 12:53 pm
by josh2asl
I use SmarterStats on a Windows box to pull http logs via FTP. This worked fine and dandy until I updated my CentOS 5 Server with Yum and then installed ASL 2.0. When I FTP from the Windows command line I don't seem to have a problem. But not when SmarterStats tries to (see logs below). When I stop IPTABLES the problem goes away, and I haven't changed the IPTABLES ruleset for about a year. I found something similar in this post http://forum.soft32.com/linux/IPTABLES- ... 48793.html but I get the following error when I try to run some of the commands. Can someone help me understand what's going on here?

Error Running Commands:
[root@web-01 vsftpd]# modprobe ip_conntrack
[root@web-01 vsftpd]# modprobe ip_conntrack_ftp ports=21
FATAL: Error inserting ip_conntrack_ftp (/lib/modules/2.6.19-7.art/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko): Operation not permitted
[root@web-01 vsftpd]# modprobe ip_nat_ftp ports=21
WARNING: Error inserting ip_conntrack_ftp (/lib/modules/2.6.19-7.art/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko): Operation not permitted
FATAL: Error inserting ip_nat_ftp (/lib/modules/2.6.19-7.art/kernel/net/ipv4/netfilter/ip_nat_ftp.ko): Operation not permitted

Error Message from SmarterStats FTP Log
: 9/24/2008 12:12:28 PM] (T:) ------------------------------------------------ (25 MB Used)
: 9/24/2008 12:12:28 PM] (T:) _test - Starting FTP Process (25 MB Used)
: 9/24/2008 12:12:28 PM] (T:) _test - FTP Connected (25 MB Used)
: 9/24/2008 12:12:28 PM] (T:) _test - FTP 220 (vsFTPd 2.0.5) (25 MB Used)
: 9/24/2008 12:12:28 PM] (T:) USER nysha-logs
(25 MB Used)
: 9/24/2008 12:12:28 PM] (T:) _test - FTP 331 Please specify the password. (25 MB Used)
: 9/24/2008 12:12:28 PM] (T:) _test - FTP PASS ********* (25 MB Used)
: 9/24/2008 12:12:29 PM] (T:) _test - FTP 230 Login successful. (25 MB Used)
: 9/24/2008 12:12:29 PM] (T:) CWD nysha
(25 MB Used)
: 9/24/2008 12:12:29 PM] (T:) _test - FTP 250 Directory successfully changed. (25 MB Used)
: 9/24/2008 12:12:29 PM] (T:) TYPE A
(25 MB Used)
: 9/24/2008 12:12:29 PM] (T:) _test - FTP 200 Switching to ASCII mode. (25 MB Used)
: 9/24/2008 12:12:29 PM] (T:) PASV
(25 MB Used)
: 9/24/2008 12:12:29 PM] (T:) _test - FTP 227 Entering Passive Mode (72,43,93,61,213,244) (25 MB Used)
: 9/24/2008 12:12:29 PM] (T:) LIST
(25 MB Used)
: 9/24/2008 12:12:29 PM] (T:) distance.nysha.org - FTP Data Session Error: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 72.43.93.61:50685 (25 MB Used)
: 9/24/2008 12:12:50 PM] (T:) _test - FTP Data Session Error: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 72.43.93.61:54772 (25 MB Used)
: 9/24/2008 12:13:08 PM] (T:) distance.nysha.org - FTP 425 Failed to establish connection. (25 MB Used)
: 9/24/2008 12:13:08 PM] (T:) distance.nysha.org - FTP Command Failed. Server reply: 425 Failed to establish connection. (25 MB Used)
: 9/24/2008 12:13:08 PM] (T:) QUIT
(25 MB Used)
: 9/24/2008 12:13:08 PM] (T:) distance.nysha.org - FTP 221 Goodbye. (25 MB Used)

SmarterStats Log with IPTables disabled
: 9/24/2008 12:11:52 PM] (T:) ------------------------------------------------ (25 MB Used)
: 9/24/2008 12:11:52 PM] (T:) _test - Starting FTP Process (25 MB Used)
: 9/24/2008 12:11:52 PM] (T:) _test - FTP Connected (25 MB Used)
: 9/24/2008 12:11:52 PM] (T:) _test - FTP 220 (vsFTPd 2.0.5) (25 MB Used)
: 9/24/2008 12:11:52 PM] (T:) USER nysha-logs
(25 MB Used)
: 9/24/2008 12:11:52 PM] (T:) _test - FTP 331 Please specify the password. (25 MB Used)
: 9/24/2008 12:11:52 PM] (T:) _test - FTP PASS ********* (25 MB Used)
: 9/24/2008 12:11:52 PM] (T:) _test - FTP 230 Login successful. (25 MB Used)
: 9/24/2008 12:11:52 PM] (T:) CWD nysha
(25 MB Used)
: 9/24/2008 12:11:52 PM] (T:) _test - FTP 250 Directory successfully changed. (25 MB Used)
: 9/24/2008 12:11:52 PM] (T:) TYPE A
(25 MB Used)
: 9/24/2008 12:11:52 PM] (T:) _test - FTP 200 Switching to ASCII mode. (25 MB Used)
: 9/24/2008 12:11:52 PM] (T:) PASV
(25 MB Used)
: 9/24/2008 12:11:52 PM] (T:) _test - FTP 227 Entering Passive Mode (72,43,93,61,237,235) (25 MB Used)
: 9/24/2008 12:11:52 PM] (T:) LIST
(25 MB Used)
: 9/24/2008 12:11:52 PM] (T:) _test - FTP 150 Here comes the directory listing. (25 MB Used)
: 9/24/2008 12:11:52 PM] (T:) _test - FTP Data Session Closed (25 MB Used)
: 9/24/2008 12:11:52 PM] (T:) _test - FTP 226 Directory send OK. (25 MB Used)
: 9/24/2008 12:11:52 PM] (T:) QUIT
(25 MB Used)
: 9/24/2008 12:11:52 PM] (T:) _test - FTP -rw-r--r-- 1 0 0 927854 Feb 05 2008 20080204.log
-rw-r--r-- 1 0 0 1320666 Feb 06 2008 20080205.log
-rw-r--r-- 1 0 0 691898 Sep 24 16:07 20080924.log (25 MB Used)
: 9/24/2008 12:11:52 PM] (T:) _test - FTP 221 Goodbye. (25 MB Used)
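What the two logs above are showing, as an added example (this script is not from the post, SmarterStats or ASL): passive FTP opens a second TCP connection from the client to a server-chosen high port that is announced only inside the `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply, with port = p1*256 + p2. A packet filter that is not parsing the control channel (that is what the ip_conntrack_ftp helper does) has no way to mark the inbound SYN to that port as RELATED, so it is dropped and the client eventually reports 425. The POSIX shell script below decodes the 227 replies and matches them against the "Data Session Error" lines; the log excerpts embedded in it are constructed from the lines quoted in the post.

```shell
#!/bin/sh
# Added example (not from the post): decode passive-mode FTP replies from a
# SmarterStats log and report which data sessions failed.

# decode_pasv "<line containing (h1,h2,h3,h4,p1,p2)>" -> prints h1.h2.h3.h4:port
decode_pasv() {
    # keep only the six comma-separated numbers inside the parentheses
    nums=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$nums" ] || return 1
    set -- $(printf '%s\n' "$nums" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    # the data port is announced as two bytes: high byte * 256 + low byte
    printf '%s.%s.%s.%s:%s\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# report_data_sessions < log : for every 227 reply print "<host:port> FAILED"
# when a Data Session Error names that port, otherwise "<host:port> OK"
report_data_sessions() {
    log=$(cat)
    printf '%s\n' "$log" | grep 'FTP 227 ' | while IFS= read -r line; do
        ep=$(decode_pasv "$line") || continue
        port=${ep##*:}
        if printf '%s\n' "$log" | grep -q "Data Session Error.*:$port "; then
            printf '%s FAILED\n' "$ep"
        else
            printf '%s OK\n' "$ep"
        fi
    done
}

# Constructed excerpts of the two SmarterStats logs quoted in the post
FAILING_SESSION=': 9/24/2008 12:12:29 PM] (T:) PASV
: 9/24/2008 12:12:29 PM] (T:) _test - FTP 227 Entering Passive Mode (72,43,93,61,213,244) (25 MB Used)
: 9/24/2008 12:12:29 PM] (T:) LIST
: 9/24/2008 12:12:50 PM] (T:) _test - FTP Data Session Error: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 72.43.93.61:54772 (25 MB Used)
: 9/24/2008 12:13:08 PM] (T:) distance.nysha.org - FTP 425 Failed to establish connection. (25 MB Used)'

WORKING_SESSION=': 9/24/2008 12:11:52 PM] (T:) PASV
: 9/24/2008 12:11:52 PM] (T:) _test - FTP 227 Entering Passive Mode (72,43,93,61,237,235) (25 MB Used)
: 9/24/2008 12:11:52 PM] (T:) LIST
: 9/24/2008 12:11:52 PM] (T:) _test - FTP 150 Here comes the directory listing. (25 MB Used)
: 9/24/2008 12:11:52 PM] (T:) _test - FTP 226 Directory send OK. (25 MB Used)'

echo "iptables on:"
printf '%s\n' "$FAILING_SESSION" | report_data_sessions
echo "iptables off:"
printf '%s\n' "$WORKING_SESSION" | report_data_sessions
```

Run against the failing log the script prints `72.43.93.61:54772 FAILED`: the port in the error line is exactly the one announced in the 227 reply, and it is a different random port on every session (60907 in the working run), which is why a year-old static rule set cannot cover it and why the helper, not the ruleset, is the missing piece.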

Posted: Wed Sep 24, 2008 1:09 pm
by scott
Are there any alerts from OSSEC about it?

Posted: Wed Sep 24, 2008 2:00 pm
by breun
For security reasons ASL by default doesn't allow loading kernel modules at runtime. You probably have ALLOW_kmod_loading="no" in /etc/asl/config. Modules loaded at boot will be allowed though.

Posted: Wed Sep 24, 2008 2:42 pm
by josh2asl
There are no OSSEC alerts associated with it.

Do you think that allowing the modules to load might be on the right track? I'll give it a try and keep you posted.

Posted: Wed Sep 24, 2008 3:49 pm
by scott
I don't think so, that sounds to me like a client setting in FTP is getting you.

Posted: Thu Sep 25, 2008 11:40 pm
by josh2asl
So that did the trick. I did the modprobe commands after rebooting the server (after enabling runtime module loading). Before running the commands but after the reboot I tested it and it failed, then ran the commands and tested it again and it worked. Here's my next question: How do I make these commands permanent to the system's startup routine, so that I can re-disable runtime module loading?

Posted: Fri Sep 26, 2008 3:44 am
by breun
I believe you can enable additional modules in /etc/sysconfig/iptables-config.
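Putting breun's two suggestions together (runtime module loading under /etc/asl/config, persistent helper loading under /etc/sysconfig/iptables-config), here is an added example that is not from the thread, ASL or CentOS: a POSIX shell script that adds the two helpers to the IPTABLES_MODULES line, checks that they are listed, checks /proc/modules for them after a reboot, and checks that ALLOW_kmod_loading is back to "no". It assumes the CentOS 5 iptables init script loads every module named in IPTABLES_MODULES (a real key in that file) and that the module names are the ones from the post (ip_conntrack_ftp, ip_nat_ftp). The functions take file contents as text so they can be dry-run; nothing here writes to /etc, and the sample config embedded is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or ASL): persist the FTP conntrack
# helpers on CentOS 5 and verify them before re-disabling runtime module
# loading. Hypothetical helper functions; module and config names as in the post.

FTP_HELPERS="ip_conntrack_ftp ip_nat_ftp"

# add_ftp_helpers "<iptables-config text>": print the text with both helpers
# appended to IPTABLES_MODULES (helpers already present are not duplicated).
add_ftp_helpers() {
    printf '%s\n' "$1" | awk -v helpers="$FTP_HELPERS" '
        /^IPTABLES_MODULES=/ {
            val = substr($0, index($0, "=") + 1)
            gsub("\"", "", val)                    # drop the surrounding quotes
            n = split(helpers, h, " ")
            for (i = 1; i <= n; i++)
                if (index(" " val " ", " " h[i] " ") == 0)
                    val = val " " h[i]
            sub(/^ +/, "", val)
            print "IPTABLES_MODULES=\"" val "\""
            next
        }
        { print }'
}

# helpers_configured "<iptables-config text>": 0 if both helpers are listed
helpers_configured() {
    for m in $FTP_HELPERS; do
        printf '%s\n' "$1" | grep -q "^IPTABLES_MODULES=\".*$m" || return 1
    done
}

# helper_loaded "<contents of /proc/modules>" <module>: 0 if module is loaded
helper_loaded() {
    printf '%s\n' "$1" | grep -q "^$2 "
}

# kmod_loading_disabled "<asl config text>": 0 once ALLOW_kmod_loading is "no"
kmod_loading_disabled() {
    printf '%s\n' "$1" | grep -q '^ALLOW_kmod_loading="no"'
}

# Constructed excerpt of a stock /etc/sysconfig/iptables-config
SAMPLE_IPTABLES_CONFIG='# Additional iptables modules (nat helpers)
IPTABLES_MODULES=""
IPTABLES_SAVE_ON_STOP="no"'

# Dry run: show what the edited config would look like
add_ftp_helpers "$SAMPLE_IPTABLES_CONFIG"

# Live check on a real host (skipped where /proc/modules is absent)
if [ -r /proc/modules ]; then
    for m in $FTP_HELPERS; do
        if helper_loaded "$(cat /proc/modules)" "$m"; then
            echo "$m: loaded"
        else
            echo "$m: not loaded"
        fi
    done
fi
```

The order that matches josh2asl's procedure: edit iptables-config, reboot with runtime loading still enabled, confirm with `helper_loaded` that the init script loaded both modules, and only then set ALLOW_kmod_loading back to "no" and confirm with `kmod_loading_disabled`; if the modules are absent after the reboot, re-locking module loading would bring the 425 straight back.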