CSF not blocking proftpd brute force on Parallels H-Sphere

Posted: 19 Oct 2012, 13:09
by dynamicnet
Good day:

Parallels H-Sphere logs to /var/log/proftpd/current for proftpd.

The format for no such users is as below:

Code:

@4000000050813b0f0dc55a3c OUR_SERVER_IP (119.131.139.79[119.131.139.79]) - USER .DOMAIN_NAME: no such user found from 119.131.139.79 [119.131.139.79] to OUR_SERVER_IP:21
@4000000050813b1334953c2c OUR_SERVER_IP (119.131.139.79[119.131.139.79]) - USER admin: no such user found from 119.131.139.79 [119.131.139.79] to OUR_SERVER_IP:21
@4000000050813b2014318c4c OUR_SERVER_IP (119.131.139.79[119.131.139.79]) - USER admin@DOMAIN_NAME: no such user found from 119.131.139.79 [119.131.139.79] to OUR_SERVER_IP:21
@4000000050813b30154e3f1c OUR_SERVER_IP (119.131.139.79[119.131.139.79]) - USER DOMAIN_NAME: no such user found from 119.131.139.79 [119.131.139.79] to OUR_SERVER_IP:21
@4000000050813b381374201c OUR_SERVER_IP (119.131.139.79[119.131.139.79]) - USER webmaster@DOMAIN_NAME: no such user found from 119.131.139.79 [119.131.139.79] to OUR_SERVER_IP:21
@4000000050813b502f782efc OUR_SERVER_IP (119.131.139.79[119.131.139.79]) - USER .DOMAIN_NAME: no such user found from 119.131.139.79 [119.131.139.79] to OUR_SERVER_IP:21
@4000000050813b521cdd9854 OUR_SERVER_IP (119.131.139.79[119.131.139.79]) - USER admin: no such user found from 119.131.139.79 [119.131.139.79] to OUR_SERVER_IP:21
@4000000050813b6503cab9dc OUR_SERVER_IP (119.131.139.79[119.131.139.79]) - USER admin@DOMAIN_NAME: no such user found from 119.131.139.79 [119.131.139.79] to OUR_SERVER_IP:21
@4000000050813b861d112f5c OUR_SERVER_IP (119.131.139.79[119.131.139.79]) - USER DOMAIN_NAME: no such user found from 119.131.139.79 [119.131.139.79] to OUR_SERVER_IP:21
@4000000050813b9113a9e5bc OUR_SERVER_IP (119.131.139.79[119.131.139.79]) - USER webmaster@DOMAIN_NAME: no such user found from 119.131.139.79 [119.131.139.79] to OUR_SERVER_IP:21
@4000000050813b960100acfc OUR_SERVER_IP (119.131.139.79[119.131.139.79]) - USER .DOMAIN_NAME: no such user found from 119.131.139.79 [119.131.139.79] to OUR_SERVER_IP:21
@4000000050813b9902ed13ac OUR_SERVER_IP (119.131.139.79[119.131.139.79]) - USER admin: no such user found from 119.131.139.79 [119.131.139.79] to OUR_SERVER_IP:21
@4000000050813bd302293324 OUR_SERVER_IP (119.131.139.79[119.131.139.79]) - USER admin@DOMAIN_NAME: no such user found from 119.131.139.79 [119.131.139.79] to OUR_SERVER_IP:21
@4000000050813bd40ba9021c OUR_SERVER_IP (119.131.139.79[119.131.139.79]) - USER admin@DOMAIN_NAME: no such user found from 119.131.139.79 [119.131.139.79] to OUR_SERVER_IP:21
@4000000050813be224a27c94 OUR_SERVER_IP (119.131.139.79[119.131.139.79]) - USER DOMAIN_NAME: no such user found from 119.131.139.79 [119.131.139.79] to OUR_SERVER_IP:21
@4000000050813c05124a6944 OUR_SERVER_IP (119.131.139.79[119.131.139.79]) - USER webmaster@DOMAIN_NAME: no such user found from 119.131.139.79 [119.131.139.79] to OUR_SERVER_IP:21
@4000000050813c25210ea38c OUR_SERVER_IP (119.131.139.79[119.131.139.79]) - USER .DOMAIN_NAME: no such user found from 119.131.139.79 [119.131.139.79] to OUR_SERVER_IP:21
@4000000050813c490cbb8f44 OUR_SERVER_IP (119.131.139.79[119.131.139.79]) - USER admin: no such user found from 119.131.139.79 [119.131.139.79] to OUR_SERVER_IP:21
@4000000050813c5820944f24 OUR_SERVER_IP (119.131.139.79[119.131.139.79]) - USER admin@DOMAIN_NAME: no such user found from 119.131.139.79 [119.131.139.79] to OUR_SERVER_IP:21
@4000000050813c650456dcdc OUR_SERVER_IP (119.131.139.79[119.131.139.79]) - USER DOMAIN_NAME: no such user found from 119.131.139.79 [119.131.139.79] to OUR_SERVER_IP:21
@4000000050813c7b00d5091c OUR_SERVER_IP (119.131.139.79[119.131.139.79]) - USER webmaster@DOMAIN_NAME: no such user found from 119.131.139.79 [119.131.139.79] to OUR_SERVER_IP:21
@4000000050813c9e1a0ca9bc OUR_SERVER_IP (119.131.139.79[119.131.139.79]) - USER DOMAIN_NAME: no such user found from 119.131.139.79 [119.131.139.79] to OUR_SERVER_IP:21

We have the threshold for LF_FTPD set to 5, and yet brute force attempts are not blocked.

Of note, I did try to use the auth.log, but the auth.log uses a code such as 530 to denote a bad login attempt rather than the words "no such user".

Please fix or otherwise advise as to what needs to change on Parallels H-Sphere based servers.

Thank you.
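
An added example, not part of the original post and not CSF's own code: a Python matcher for the log format quoted above. It decodes the TAI64N label at the start of each line and counts "no such user" entries per client IP against the LF_FTPD value of 5. The one-hour window, the function names and the sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque

LF_FTPD = 5             # threshold quoted in the post
WINDOW_SECONDS = 3600   # assumed counting window, not from the post
TAI64_OFFSET = 2 ** 62  # label = 2^62 + seconds since 1970 (TAI; leap-second offset ignored)

# Anchored at line start; the IP comes from the "(host[ip])" session prefix,
# which is written before the client-supplied USER string.
LINE_RE = re.compile(
    r"^@(?P<sec>[0-9a-f]{16})(?P<nsec>[0-9a-f]{8}) \S+ "
    r"\([^\[\]]+\[(?P<ip>[0-9A-Fa-f.:]+)\]\) - "
    r"USER (?P<user>.+?): no such user found from "
)

def parse_line(line):
    """Return (epoch_seconds, client_ip, user) or None if the line does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = int(m["sec"], 16) - TAI64_OFFSET + int(m["nsec"], 16) / 1e9
    return ts, m["ip"], m["user"]

def offenders(lines, limit=LF_FTPD, window=WINDOW_SECONDS):
    """Map each IP that reaches `limit` failures within `window` seconds to the time it did."""
    recent, flagged = defaultdict(deque), {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _user = parsed
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:   # drop failures older than the window
            hits.popleft()
        if len(hits) >= limit and ip not in flagged:
            flagged[ip] = ts
    return flagged

def _sample(sec_hex, ip, user):
    # Constructed line in the post's format; addresses are documentation ranges.
    return (f"@40000000{sec_hex}00000000 OUR_SERVER_IP ({ip}[{ip}]) - USER {user}: "
            f"no such user found from {ip} [{ip}] to OUR_SERVER_IP:21")

SAMPLE = [_sample(s, "203.0.113.7", u) for s, u in
          [("50813b0f", "admin"), ("50813b13", "webmaster"), ("50813b20", "admin"),
           ("50813b30", "test"), ("50813b38", "admin")]]
SAMPLE.append(_sample("50813b50", "198.51.100.9", "admin"))
SAMPLE.append("@4000000050813b5100000000 OUR_SERVER_IP (203.0.113.7[203.0.113.7]) - FTP session opened.")
```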

Re: CSF not blocking proftpd brute force on Parallels H-Sphe

Posted: 01 Mar 2013, 14:10
by Ricky
Are you still facing this problem, or have you found a solution?