Jan 29 21:02:40 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:02:48 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:02:57 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:03:10 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:03:27 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:03:48 server pure-ftpd: (?@212.99.45.168) [ERROR] Too many authentication failures
Jan 29 21:03:53 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:04:01 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:04:12 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:04:24 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:04:40 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:05:01 server pure-ftpd: (?@212.99.45.168) [ERROR] Too many authentication failures
Jan 29 21:05:05 server1 pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:05:13 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:05:24 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:05:38 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:05:55 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
and the IP is not blocked at all; this was working great before the new changes in CSF.
That's correct. If you set RESTRICT_SYSLOG to "1" it disables all the listed options mentioned in the settings documentation in csf.conf. Set the option to 0 or 2 if you want to keep the blocking.
If you understand the risks, at present I would suggest using either option 0 to remind you or option 2 to remove the warnings. I would only suggest using option 1 if you really don't trust your end-users or they regularly get hacked and the risk of getting spoofed is greater than the risk of brute-force attacks (it probably is not greater).
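As an added illustration (not CSF/LFD code), the following script runs a per-IP failure counter of the kind that should have produced a block for the log above, and separately sets aside any line whose syslog host field does not match the expected host, since the thread's point is that log lines are only as trustworthy as their writer. The threshold of 5 failures in 300 seconds, the expected host name and the sample lines are assumptions for this example; the host-field check is a simple sanity filter, not what RESTRICT_SYSLOG does.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the pure-ftpd lines posted above; the last line
# carries a different host field ("server1") and is treated as untrusted here.
SAMPLE_LOG = """\
Jan 29 21:02:40 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:02:48 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:02:57 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:03:10 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:03:27 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:03:48 server pure-ftpd: (?@212.99.45.168) [ERROR] Too many authentication failures
Jan 29 21:05:05 server1 pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
"""

# syslog prefix, then the pure-ftpd failure message; only WARNING lines count
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) pure-ftpd: "
    r"\(\S*@(?P<ip>[\d.]+)\) \[WARNING\] Authentication failed for user \[[^\]]*\]$"
)

def failures_to_block(log_text, expected_host, threshold=5, window=timedelta(seconds=300)):
    """Return (blocked_ips, rejected_lines): IPs that reached `threshold` failures
    inside a sliding `window`, and lines whose host field is not `expected_host`.
    Timestamps carry no year, so a year boundary inside the log is not handled."""
    hits = defaultdict(list)
    blocked, rejected = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. "Too many authentication failures" is not a per-attempt line
        if m["host"] != expected_host:
            rejected.append(line)  # not counted; kept for the operator to review
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        ip = m["ip"]
        # keep only failures inside the window ending at this line
        hits[ip] = [t for t in hits[ip] if ts - t <= window] + [ts]
        if len(hits[ip]) >= threshold and ip not in blocked:
            blocked.append(ip)
    return blocked, rejected

if __name__ == "__main__":
    blocked, rejected = failures_to_block(SAMPLE_LOG, expected_host="server")
    print("block:", blocked)  # ['212.99.45.168']
    print("review:", len(rejected), "line(s) with an unexpected host field")
```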
Before I read the post I was trying to see if there could be a kind of hash code that syslog could add to every line truly generated by the server. Right now lines come in the form of:
That is unfortunately not possible with syslog/rsyslog.
We are working on a new option that restricts write access to the syslog/rsyslog unix socket to prevent users from creating log lines, but it does have its limitations.
In the meantime, what about adding in CXS something that could check if any script has some references to syslog/rsyslog? Just to start.
I know it is not a big issue right now, but now that there are a few places that are talking about this, I imagine that a lot of hackers will be trying to get that piece of cake and eventually it will be a major issue.
It will be great to see that CSF finds a way to mitigate this.