ConfigServer Community Forum

Peer support forums for ConfigServer Scripts
https://mail.forum.configserver.com/

proFTP not blocking

https://mail.forum.configserver.com/viewtopic.php?t=6368

Page 1 of 1

proFTP not blocking

Posted: 13 Mar 2013, 09:21
by dvk01
I am getting attacks via FTP but CFS doesn't seem to be blocking them or adding them to firewall block and I have to do it manually, when I see the hourly reports

they only seem to try 1 account at a time and ONLY 1 attempt at that account , but the same IP number tries numerous different accounts. I can't see any way in CFS settings to block IPs that attempt to log in to different accounts, only settings for how many times the same account is attempted
/var/log/secure:
Mar 13 08:53:15 knight proftpd[18062]: 198.1.75.187 (199.114.243.224[199.114.243.224]) - USER co: no such user found from 199.114.243.224 [199.114.243.224] to ::ffff:198.1.75.187:21
Mar 13 08:53:25 knight proftpd[18091]: 198.1.75.187 (199.114.243.224[199.114.243.224]) - USER couk: no such user found from 199.114.243.224 [199.114.243.224] to ::ffff:198.1.75.187:21
Mar 13 08:53:34 knight proftpd[18150]: 198.1.75.187 (199.114.243.224[199.114.243.224]) - USER co111: no such user found from 199.114.243.224 [199.114.243.224] to ::ffff:198.1.75.187:21
Mar 13 08:53:37 knight proftpd[18170]: 198.1.75.187 (199.114.243.224[199.114.243.224]) - USER co123: no such user found from 199.114.243.224 [199.114.243.224] to ::ffff:198.1.75.187:21
Mar 13 08:53:40 knight proftpd[18203]: 198.1.75.187 (199.114.243.224[199.114.243.224]) - USER co123456: no such user found from 199.114.243.224 [199.114.243.224] to ::ffff:198.1.75.187:21
Mar 13 08:53:40 knight proftpd[18206]: 198.1.75.187 (199.114.243.224[199.114.243.224]) - USER co2010: no such user found from 199.114.243.224 [199.114.243.224] to ::ffff:198.1.75.187:21
Mar 13 08:53:43 knight proftpd[18228]: 198.1.75.187 (199.114.243.224[199.114.243.224]) - USER co2011: no such user found from 199.114.243.224 [199.114.243.224] to ::ffff:198.1.75.187:21
Mar 13 08:53:44 knight proftpd[18231]: 198.1.75.187 (199.114.243.224[199.114.243.224]) - USER co2012: no such user found from 199.114.243.224 [199.114.243.224] to ::ffff:198.1.75.187:21

Re: proFTP not blocking

Posted: 13 Mar 2013, 10:39
by ForumAdmin
The proftpd regex in lfd catches those lines, so it would suggest that you have not configured FTPD_LOG correctly in csf.conf and then restarted lfd.

Re: proFTP not blocking

Posted: 13 Mar 2013, 11:21
by dvk01
thanks
I have changed the log location to /var/log/secure instead of /var/log/messages and lets see if that does it

it has always been set to messages and that has informed me of any FTP log ins whether legitimate or a problem. I suppose it is due to my recent server move or the update to CP 36.x that has caused the problem

I will see how it goes
Thanks
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited