ConfigServer Community Forum

Peer support forums for ConfigServer Scripts
https://mail.forum.configserver.com/

FTP failed attempts IP address not blocked by CSF/LFD

https://mail.forum.configserver.com/viewtopic.php?t=12328

Page 1 of 1

FTP failed attempts IP address not blocked by CSF/LFD

Posted: 10 Nov 2021, 11:53
by Stevan
Hello Team,

I need urgent help for CSF issue. On our production server FTP failed attempts not blocked by csf. I am really frustrated and I am literally checking this issue since 4 days.

For example:

Nov 10 04:27:52 w212 pure-ftpd[3269518]: (?@152.57.198.52) [WARNING] Authentication failed for user [www]
Nov 10 04:27:52 w212 pure-ftpd[3269518]: (?@152.57.198.52) [INFO] Logout.
Nov 10 04:27:58 w212 pure-ftpd[3269638]: (?@152.57.198.52) [INFO] New connection from 152.57.198.52
Nov 10 04:28:00 w212 pure-ftpd[3269638]: (?@152.57.198.52) [INFO] TLS: Enabled TLSv1.3 with TLS_AES_256_GCM_SHA384, 256 secret bits cipher
Nov 10 04:28:04 w212 pure-ftpd[3269638]: (?@152.57.198.52) [WARNING] Authentication failed for user [www]
Nov 10 04:28:04 w212 pure-ftpd[3269638]: (?@152.57.198.52) [INFO] Logout.
Nov 10 04:28:10 w212 pure-ftpd[3269867]: (?@152.57.198.52) [INFO] New connection from 152.57.198.52
Nov 10 04:28:11 w212 pure-ftpd[3269867]: (?@152.57.198.52) [INFO] TLS: Enabled TLSv1.3 with TLS_AES_256_GCM_SHA384, 256 secret bits cipher
Nov 10 04:28:17 w212 pure-ftpd[3269867]: (?@152.57.198.52) [WARNING] Authentication failed for user [www]
Nov 10 04:28:17 w212 pure-ftpd[3269867]: (?@152.57.198.52) [INFO] Logout.
Nov 10 04:37:22 w212 pure-ftpd[3280439]: (?@152.57.198.52) [INFO] New connection from 152.57.198.52
Nov 10 04:37:24 w212 pure-ftpd[3280439]: (?@152.57.198.52) [INFO] TLS: Enabled TLSv1.3 with TLS_AES_256_GCM_SHA384, 256 secret bits cipher
Nov 10 04:37:29 w212 pure-ftpd[3280439]: (?@152.57.198.52) [WARNING] Authentication failed for user [www]
Nov 10 04:37:30 w212 pure-ftpd[3280439]: (?@152.57.198.52) [INFO] Logout.
Nov 10 04:37:37 w212 pure-ftpd[3280832]: (?@152.57.198.52) [INFO] New connection from 152.57.198.52
Nov 10 04:37:38 w212 pure-ftpd[3280832]: (?@152.57.198.52) [INFO] TLS: Enabled TLSv1.3 with TLS_AES_256_GCM_SHA384, 256 secret bits cipher
Nov 10 04:37:44 w212 pure-ftpd[3280832]: (?@152.57.198.52) [WARNING] Authentication failed for user [www]
Nov 10 04:37:45 w212 pure-ftpd[3280832]: (?@152.57.198.52) [INFO] Logout.
Nov 10 04:40:26 w212 pure-ftpd[3283491]: (?@152.57.198.52) [INFO] New connection from 152.57.198.52
Nov 10 04:40:27 w212 pure-ftpd[3283491]: (?@152.57.198.52) [INFO] TLS: Enabled TLSv1.3 with TLS_AES_256_GCM_SHA384, 256 secret bits cipher
Nov 10 04:40:32 w212 pure-ftpd[3283491]: (?@152.57.198.52) [WARNING] Authentication failed for user [www]
Nov 10 04:40:33 w212 pure-ftpd[3283491]: (?@152.57.198.52) [INFO] Logout.
Nov 10 04:50:07 w212 pure-ftpd[3294753]: (?@152.57.198.52) [INFO] New connection from 152.57.198.52
Nov 10 04:50:09 w212 pure-ftpd[3294753]: (?@152.57.198.52) [INFO] TLS: Enabled TLSv1.3 with TLS_AES_256_GCM_SHA384, 256 secret bits cipher
Nov 10 04:50:14 w212 pure-ftpd[3294753]: (?@152.57.198.52) [WARNING] Authentication failed for user [www]
Nov 10 04:50:14 w212 pure-ftpd[3294753]: (?@152.57.198.52) [INFO] Logout.

The IP address doing 152.57.198.52 doing failed login attempts from filezilla, but still IP address not blocked by csf. CSF is working fine all other services like POP,IMAP,SMTP.

I have checked the CSF configuration file and could see that limits are correctly defined in csf configuration file, to track login failure of ftp connections

LF_FTPD = "10"
LF_FTPD_PERM = "1"

Also, LF_DAEMON = "1" and LF_TRIGGER = "0" set correctly.

Can you please help ? This is urgent for me. I can provide you output of any commands from the server.

Regards,
Akshay Borse

Re: FTP failed attempts IP address not blocked by CSF/LFD

Posted: 17 Nov 2021, 14:50
by Sergio
@Akshay,
CSF is working as you configured it, in your definition you have "LF_FTPD = 10" that means that you are giving "10" times for the IP to try to connect to FTP before it is "LF_FTPD_PERM = 1" permanently blocked, but if the attacker just did 7 as on your report, the IP is not blocked and it could try again later and the count will start from zero, meaning that the IP will not be blocked until it does 10 failed connections.

Try the following:
- Change LF_FTPD to a lower number like 3.

Advanced settings, do it only if you feel comfortably doing it, I don't assume any responsibility:
- If you know what countries can connect to your server FTP, delete FTP ports from TCP IN/OUT and add those countries to:
CC_ALLOW_PORTS =
and add the FTP ports that you use to:
CC_ALLOW_PORTS_TCP =
on doing this you will only allow FTP connections to the countries that you want.

Example:
CC_ALLOW_PORTS = US, GB
(country codes of United States and United Kingdom)
CC_ALLOW_PORTS_TCP = 20,21

Remember that FTP can use Passive Ports and you can add them to that line.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited