Hello,
With LF_FTPD, does csf/lfd check the number of connects/disconnects on the FTP port?
I have 722 lines of connects/disconnects inside a 10 min period that happened today (13-Nov-2014). csf/lfd was running when this attack took place. I might have left something out in the csf/lfd config for this to be dealt with.
What settings do I need to tweak to deal with this?
///////////////////////////////////////////////////////////////////////////
Nov 13 02:23:32 servername proftpd[16312]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:32 servername proftpd[16312]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:32 servername proftpd[16313]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:33 servername proftpd[16313]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:33 servername proftpd[16314]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:33 servername proftpd[16314]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:34 servername proftpd[16315]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:34 servername proftpd[16315]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:34 servername proftpd[16316]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:35 servername proftpd[16316]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:35 servername proftpd[16317]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:35 servername proftpd[16317]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:35 servername proftpd[16318]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:36 servername proftpd[16318]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:36 servername proftpd[16319]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:36 servername proftpd[16319]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:37 servername proftpd[16320]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:37 servername proftpd[16320]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:37 servername proftpd[16321]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:38 servername proftpd[16321]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:38 servername proftpd[16322]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:38 servername proftpd[16322]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:39 servername proftpd[16323]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:39 servername proftpd[16323]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:39 servername proftpd[16324]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:40 servername proftpd[16324]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:40 servername proftpd[16325]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:40 servername proftpd[16325]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:40 servername proftpd[16326]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:41 servername proftpd[16326]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Does csf/lfd check on number of ftp connects/disconnects
Re: Does csf/lfd check on number of ftp connects/disconnects
csf/lfd did nothing to stop or log these.
I have more FTP port attacks:
Nov 21 08:41:58 server-name proftpd[18359]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER wwwusername.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:42:19 server-name proftpd[18364]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER username123: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:42:24 server-name proftpd[18371]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER username.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:42:30 server-name proftpd[18374]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER wwwusername.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:42:55 server-name proftpd[18381]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER username123: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:42:57 server-name proftpd[18384]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER username.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:42:59 server-name proftpd[18385]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER wwwusername.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:43:10 server-name proftpd[18389]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER username123: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:43:12 server-name proftpd[18391]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER username.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:43:24 server-name proftpd[18392]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER wwwusername.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:43:34 server-name proftpd[18401]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER username123: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:43:38 server-name proftpd[18404]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER username.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:43:39 server-name proftpd[18405]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER wwwusername.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:43:47 server-name proftpd[18410]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER username123: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:43:48 server-name proftpd[18411]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER username.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:43:53 server-name proftpd[18412]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER wwwusername.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Re: Does csf/lfd check on number of ftp connects/disconnects
csf is watching /var/log/secure, but not banning IPs that are failing authentication repeatedly.
Re: Does csf/lfd check on number of ftp connects/disconnects
Fixed this on my own.
csf was configured to look at the wrong log file for checking FTP authentication violations. Fixed that. It's been working like a charm since.
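Added example, not csf/lfd code and not something the poster ran: a small Python replay of the two kinds of ProFTPD lines posted in this thread, to show what an LF_FTPD-style counter would have flagged and why a wrong FTPD_LOG path makes lfd miss them. The log lines are copied from the posts above (hostnames and server IPs masked as posted); the year 2014 is taken from the first post because syslog omits it. The regex is mine, not lfd's own. LF_FTPD = 10 and LF_INTERVAL = 3600 are assumed values in the style of csf.conf's settings, the connection-rate check only approximates what csf's iptables-level PORTFLOOD ("port;proto;hits;seconds") would match, and the csf.conf fragments and the /var/log/secure vs /var/log/messages layout at the end are constructed: the thread does not say which file was wrong on the poster's host.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Failure count / window in the style of csf.conf's LF_FTPD and LF_INTERVAL.
# These values are assumptions for the example; check your own csf.conf.
LF_FTPD = 10
LF_INTERVAL = 3600

# Lines copied from the posts above (hostnames and server IPs masked as posted).
SESSION_LOG = """\
Nov 13 02:23:32 servername proftpd[16312]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:32 servername proftpd[16312]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:32 servername proftpd[16313]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:33 servername proftpd[16313]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
"""
AUTH_LOG = """\
Nov 21 08:41:58 server-name proftpd[18359]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER wwwusername.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:42:19 server-name proftpd[18364]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER username123: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:42:24 server-name proftpd[18371]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER username.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:42:30 server-name proftpd[18374]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER wwwusername.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:42:55 server-name proftpd[18381]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER username123: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:42:57 server-name proftpd[18384]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER username.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:42:59 server-name proftpd[18385]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER wwwusername.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:43:10 server-name proftpd[18389]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER username123: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:43:12 server-name proftpd[18391]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER username.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:43:24 server-name proftpd[18392]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER wwwusername.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
"""

# My own pattern for ProFTPD syslog lines (not lfd's regex).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: "
    r"\S+ \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\[[^\]]*\]\) - (?P<msg>.*)$")

def parse_line(line, year=2014):
    """Return (timestamp, ip, kind) or None; kind is 'auth_fail', 'open',
    'close' or 'other'. Syslog omits the year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    msg = m["msg"]
    if "no such user found" in msg or "(Login failed)" in msg:
        kind = "auth_fail"
    elif msg.startswith("FTP session opened"):
        kind = "open"
    elif msg.startswith("FTP session closed"):
        kind = "close"
    else:
        kind = "other"
    return ts, m["ip"], kind

def events_of_kind(log_text, kind, year=2014):
    """Time-ordered (timestamp, ip) pairs for every line of the given kind."""
    out = []
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed and parsed[2] == kind:
            out.append((parsed[0], parsed[1]))
    return sorted(out)

def rate_trigger(events, threshold, interval_s):
    """Per-IP sliding window. Returns {ip: time of the threshold-th event
    within interval_s}, i.e. when an lfd-style block would fire; IPs that
    never reach the threshold are absent."""
    window = defaultdict(deque)
    fired = {}
    for ts, ip in events:
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > interval_s:
            q.popleft()
        if len(q) >= threshold and ip not in fired:
            fired[ip] = ts
    return fired

def failed_logins(log_text, threshold=LF_FTPD, interval_s=LF_INTERVAL):
    """What LF_FTPD-style counting would flag in this log text."""
    return rate_trigger(events_of_kind(log_text, "auth_fail"), threshold, interval_s)

def connection_flood(log_text, hits=2, interval_s=300):
    """Same counter over 'FTP session opened' lines. csf's PORTFLOOD setting
    ("port;proto;hits;seconds") limits new connections in iptables rather than
    from the log, so this only approximates which source it would have hit."""
    return rate_trigger(events_of_kind(log_text, "open"), hits, interval_s)

FTPD_LOG_RE = re.compile(r'^\s*FTPD_LOG\s*=\s*"([^"]*)"', re.M)

def ftpd_log_check(csf_conf_text, logs_by_path):
    """(configured FTPD_LOG path, login-failure lines found in that file).
    0 while another file holds the lines means lfd is reading the wrong log."""
    m = FTPD_LOG_RE.search(csf_conf_text)
    path = m.group(1) if m else None
    return path, len(events_of_kind(logs_by_path.get(path, ""), "auth_fail"))

# Constructed csf.conf fragments and file layout; which file was wrong on the
# poster's host is not stated, so these paths are assumptions.
CSF_CONF_WRONG = 'FTPD_LOG = "/var/log/secure"\nLF_FTPD = "10"\n'
CSF_CONF_FIXED = 'FTPD_LOG = "/var/log/messages"\nLF_FTPD = "10"\n'
LOGS = {"/var/log/messages": AUTH_LOG, "/var/log/secure": ""}
```

Running `failed_logins(AUTH_LOG)` shows the ten "no such user found" lines from 118.250.11.62 crossing the assumed LF_FTPD threshold at 08:43:24, while `ftpd_log_check(CSF_CONF_WRONG, LOGS)` returns a count of 0 for the configured file: the same lines are invisible to a counter that reads the wrong path, which matches the thread's conclusion. `connection_flood(SESSION_LOG)` illustrates the first post's open/close churn; the session-open lines are not authentication failures, so LF_FTPD-style counting ignores them and a connection-rate control is the relevant knob.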