Issue FTP suddenly change password

[Noam Harel]

Hi

i have plesk 17.5 installed with PROftpd. somehow plesk suddenly changes password, it can be seen inside FTP logs(/var/log/secure):

Sep 14 14:32:28 cp1 proftpd: pam_unix(proftpd:session): session opened for user XXXXXX by (uid=0)
Sep 14 14:32:28 cp1 proftpd[13839]: 0.0.0.0 (46.19.86.242[46.19.86.242]) - USER XXXXXX: Login successful.
Sep 14 14:37:34 cp1 proftpd: pam_unix(proftpd:session): session closed for user XXXXXX
Sep 14 17:29:05 cp1 usermng[22026]: pam_unix(passwd:chauthtok): password changed for XXXXXXX
Sep 15 13:07:32 cp1 proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd15761 ruser=itickchak rhost=46.19.86.77 user=XXXXXX
Sep 15 13:07:34 cp1 proftpd[15761]: 0.0.0.0 (46.19.86.77[46.19.86.77]) - USER XXXXXX (Login failed): Incorrect password

Notice the bold line says password has changed without any ip source and with a time that is different from the rest.

when i check last logins with the 'last' command i see this at the same time:
root pts/0 pix.interspace.n Thu Sep 14 19:30 - 21:31 (02:00)
root pts/0 pix.interspace.n Thu Sep 14 17:26 - 18:40 (01:14)
reboot system boot 3.10.0-514.26.1. Thu Sep 14 17:25 - 15:04 (2+21:38)
root pts/0 pix.interspace.n Thu Sep 14 17:02 - crash (00:23)

notice the last bold line which indicates a crash earlier.

why plesk changes password?
please your advice

Noam

 

[UFHH01]

Hi Noam Harel,

could you pls. explain, why you think, that Plesk changes the password?

PLESK - related actions are logged inside your "panel.log". Pls. use the DEBUG - LEVEL, if you desire to deep investigate Plesk - related actions.

The domain "pix.interspace.net" resolves to "80.244.160.62" and is owned by an israeli service provider called "Interspace" which is not at all related to Plesk.
The IPs "46.19.86.242" and "46.19.86.77" point to an IP pool of an israeli cellular provider and is again not related at all to Plesk.


A system crash and therefore a depending reboot is mostly caused by hardware or software related issues and needs deeper investigations of your logs ( apache/nginx/fail2ban/debug/messages/secure/kernel/... ) and without these complete log - files, there is absolutely no way to investigate your described issues.


Only because you installed Plesk on server, it doesn't mean that it will replace the need of an system administrator, pls. keep that in mind and consider to ask for "Professional Services", provided by Plesk, in case that you need help with your server administration:

=> Plesk Admin Services​

 

[Noam Harel]

thank you for your answer, but it looks a bit aggressive,
me myself i am from interspace, one of your resellers, we have a long time business relationship and corporation. i didn't accused plesk for nothing but asked for an advice.
how do i use DEBUG - LEVEL in this case?

 

[UFHH01]

Hi Noam Harel,

how do i use DEBUG - LEVEL in this case

=> Plesk for Linux services logs and configuration files ( KB - article: 213403509 )​

Sometimes, it is as well a good idea to change the log - level ( TEMPORARILY! ), to get more informations in Plesk - log - files:

=> How to enable/disable debug logging in Plesk 11.5 and up? ( KB - article: 213408889 )​