ConfigServer Community Forum

Peer support forums for ConfigServer Scripts
https://mail.forum.configserver.com/

After new CSF update, RESTRICT_SYSLOG

https://mail.forum.configserver.com/viewtopic.php?t=7384

Page 1 of 1

After new CSF update, RESTRICT_SYSLOG

Posted: 30 Jan 2014, 23:34
by Sergio
After new CSF ver. 6.41 CSF is not blocking FTP failed attempts, I have the following config:
RESTRICT_SYSLOG = 1
LF_FTPD = 4
LF_FTPD_PERM = 1

But now LFD report is showing the following attempts:

Code: Select all

Jan 29 21:02:40 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:02:48 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:02:57 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:03:10 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:03:27 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:03:48 server pure-ftpd: (?@212.99.45.168) [ERROR] Too many authentication failures
Jan 29 21:03:53 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:04:01 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:04:12 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:04:24 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:04:40 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:05:01 server pure-ftpd: (?@212.99.45.168) [ERROR] Too many authentication failures
Jan 29 21:05:05 server1 pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:05:13 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:05:24 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:05:38 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
Jan 29 21:05:55 server pure-ftpd: (?@212.99.45.168) [WARNING] Authentication failed for user [Administrator]
and the IP is not blocked at all, this was working great before the new changes in CSF.

Please advise.

Regards,

Sergio

Re: After new CSF update, FTP block is not working.

Posted: 31 Jan 2014, 08:26
by ForumAdmin
That's correct. If you set RESTRICT_SYSLOG to "1" it disables all the listed options mentioned in the settings documentation in csf.conf. Set the option to 0 or 2 if you want to keep the blocking.

Re: After new CSF update, FTP block is not working.

Posted: 31 Jan 2014, 13:22
by Sergio
Thanks!
In your opinion, what is the best option to use?

Re: After new CSF update, FTP block is not working.

Posted: 31 Jan 2014, 16:00
by ForumAdmin
If you understand the risks, at present I would suggest using either option 0 to remind you or option 2 to remove the warnings. I would only suggest using option 1 if you really don't trust your end-users or they regularly get hacked and the risk of getting spoofed is greater than the risk of brute-force attacks (it probably is not greater).

I would also suggest following the thread on WHT:
http://www.webhostingtalk.com/showthread.php?p=8998557

Re: After new CSF update, FTP block is not working.

Posted: 31 Jan 2014, 17:00
by Sergio
Before I read the post I was trying to see if there could be a kind of hash code that syslog could add to every line truly generated by the server, right now lines comes on the way of:
Jan 31 10:51:17 server1 named[13015]: client 92.46.218.238#57368: view external: query (cache) 'alt2.aspmx.l.google.com/A/IN' denied
Jan 31 10:51:18 server1 named[13015]: client 92.46.218.238#50822: view external: query (cache) 'alt2.aspmx.l.google.com/A/IN' denied
So, what about CSF adding a hash generated from a phrase every user define like "4d23e2d5545" and added to the end of each line like this:
Jan 31 10:51:17 server1 named[13015]: client 92.46.218.238#57368: view external: query (cache) 'alt2.aspmx.l.google.com/A/IN' denied [4d23e2d5545]
Jan 31 10:51:18 server1 named[13015]: client 92.46.218.238#50822: view external: query (cache) 'alt2.aspmx.l.google.com/A/IN' denied [4d23e2d5545]
Then if the line doesn't has the hash, CSF will not take any actions on that line.

Re: After new CSF update, FTP block is not working.

Posted: 31 Jan 2014, 17:03
by ForumAdmin
That is unfortunately not possible with syslog/rsyslog.

We are working on a new option that restricts write access to the syslog/rsyslog unix socket to prevent users from creating log lines, but it does have its limitations.

Re: After new CSF update, FTP block is not working.

Posted: 31 Jan 2014, 17:19
by Sergio
In the mean time, What about adding in CXS something that could check if any script has some refers to syslog/rsyslog? just to start.

I know it is not a big issue right now, but now that there are a few places that are talking about this, I imagine that a lot of hackers will be trying to get that piece of cake and eventually will be a mayor issue.

It will be great to see that CSF finds a way to mitigate this.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited