Unknown in proftpd log is that normal?

Richard G

Verified User
Joined
Jul 6, 2008
Messages
12,563
Location
Maastricht
When I'm looking at /var/log/proftpd/access.log I see lines like this:

195.240.xxx.xxx UNKNOWN richard [28/Mar/2010:23:59:43 +0200] "RETR global.css" 226 8735

Why is that "unknown" there and is that normal? Just to be sure I did a yum remove proftpd and removed proftpd.

Then I used this from the help to get it back in there:
cd /usr/local/directadmin/scripts
./proftpd.sh

And after that copyed over the proftpd.conf from the templates directory to /etc and change the ip again to the correct ip.
service proftpd restart

But this did not help, the UNKNOWN in the log is still there. If I look at the other DA servers (Debian or Centos doesn't make a difference), this "unknown" is also in the log file.

So i presume this is nothing to worry about?
 
Unless you give us an entire IP# that causes UNKNOWN to be shown it's impossible to be certain, but likely either your server doesn't have working caching DNS available (see if there's any nameservers listed in your /etc/resolv.conf file, and try them manually to see if they'll work for DNS resolution) or the IP# doesn't have rDNS set up for it.

If you respond please post an entire IP# so we can do more than guess.

Thanks.

Jeff
 
The ip shouldn't matter because it's with all ip addresses on all servers running Directadmin and proftpd.
In this case it was my own ip 195.x.x.x but every log line is stated like that.

As far as I can see a caching nameserver is present, I always thought this was setup by Directadmin itself.
The resolv.conf has 4 entry's. I can do nslookups from the server so if I'm correct they are working as should be.
 
Last edited:
I fear I've led you astray; my logfiles also include that UNKNOWN field.

The access.log is an ExtendedLog, defined in the proftpd.conf file.

It appears that UNKNOWN in this case refers to the password if an anonymous user; that's so you can track passwords given by anonymous users (anonymous users can give any password but generally are supposed to give their email address as their password). It's %A in the logfile field definition.

For more information see the complete ProFTPd Documentation.

Jeff
 
Oke thank you. I just wanted to know if I needed to worry about this, but that is not the case.
Thank you for the quick help.
 
Back
Top