I want to ask for advice on which CSF setting I need to modify to decrease IP blocking of valid IPs on the FTP port.
Alas, after updating csf.allow I was requested to restart the firewall, so the lfd.log file was emptied.
These are entries from /var/log/messages where VALID IP was found:
May 23 02:28:00 host1 pure-ftpd: (?@VALID_IP_HERE) [INFO] New connection from VALID_IP_HERE
May 23 02:28:00 host1 pure-ftpd: (?@VALID_IP_HERE) [INFO] jqyrglxg is now logged in
May 23 02:28:01 host1 kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=VALID_IP_HERE DST=SERVER_IP_HERE LEN=52 TOS=0x00 PREC=0x00 TTL=105 ID=24798 DF PROTO=TCP SPT=63066 DPT=4714 WINDOW=65535 RES=0x00 SYN URGP=0
May 23 02:28:04 host1 kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=VALID_IP_HERE DST=SERVER_IP_HERE LEN=52 TOS=0x00 PREC=0x00 TTL=105 ID=24816 DF PROTO=TCP SPT=63066 DPT=4714 WINDOW=65535 RES=0x00 SYN URGP=0
May 23 02:28:10 host1 kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=VALID_IP_HERE DST=SERVER_IP_HERE LEN=48 TOS=0x00 PREC=0x00 TTL=105 ID=24940 DF PROTO=TCP SPT=63066 DPT=4714 WINDOW=65535 RES=0x00 SYN URGP=0
May 23 02:29:11 host1 pure-ftpd: (?@VALID_IP_HERE) [INFO] New connection from VALID_IP_HERE
May 23 02:29:12 host1 pure-ftpd: (?@VALID_IP_HERE) [INFO] jqyrglxg is now logged in
May 23 02:29:12 host1 kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=VALID_IP_HERE DST=SERVER_IP_HERE LEN=52 TOS=0x00 PREC=0x00 TTL=105 ID=25661 DF PROTO=TCP SPT=63105 DPT=43853 WINDOW=65535 RES=0x00 SYN URGP=0
May 23 02:29:15 host1 kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=VALID_IP_HERE DST=SERVER_IP_HERE LEN=52 TOS=0x00 PREC=0x00 TTL=105 ID=25688 DF PROTO=TCP SPT=63105 DPT=43853 WINDOW=65535 RES=0x00 SYN URGP=0
May 23 02:29:21 host1 kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=VALID_IP_HERE DST=SERVER_IP_HERE LEN=48 TOS=0x00 PREC=0x00 TTL=105 ID=25803 DF PROTO=TCP SPT=63105 DPT=43853 WINDOW=65535 RES=0x00 SYN URGP=0
May 23 02:36:39 host1 pure-ftpd: (?@VALID_IP_HERE) [INFO] New connection from VALID_IP_HERE
May 23 02:36:39 host1 pure-ftpd: (?@VALID_IP_HERE) [INFO] jqyrglxg is now logged in
May 23 02:36:39 host1 pure-ftpd: (jqyrglxg@VALID_IP_HERE) [INFO] Can't change directory to /public_html/www: No such file or directory
May 23 02:36:39 host1 kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=VALID_IP_HERE DST=SERVER_IP_HERE LEN=52 TOS=0x00 PREC=0x00 TTL=105 ID=30367 DF PROTO=TCP SPT=63212 DPT=36930 WINDOW=65535 RES=0x00 SYN URGP=0
May 23 02:36:43 host1 kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=VALID_IP_HERE DST=SERVER_IP_HERE LEN=52 TOS=0x00 PREC=0x00 TTL=105 ID=30384 DF PROTO=TCP SPT=63212 DPT=36930 WINDOW=65535 RES=0x00 SYN URGP=0
May 23 02:36:48 host1 kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=VALID_IP_HERE DST=SERVER_IP_HERE LEN=48 TOS=0x00 PREC=0x00 TTL=105 ID=30419 DF PROTO=TCP SPT=63212 DPT=36930 WINDOW=65535 RES=0x00 SYN URGP=0
May 23 02:36:59 host1 pure-ftpd: (?@VALID_IP_HERE) [INFO] New connection from VALID_IP_HERE
May 23 02:37:00 host1 pure-ftpd: (?@VALID_IP_HERE) [INFO] jqyrglxg is now logged in
May 23 02:37:00 host1 kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=VALID_IP_HERE DST=SERVER_IP_HERE LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=30556 DF PROTO=TCP SPT=63215 DPT=15848 WINDOW=65535 RES=0x00 SYN URGP=0
May 23 02:37:03 host1 kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=VALID_IP_HERE DST=SERVER_IP_HERE LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=30582 DF PROTO=TCP SPT=63215 DPT=15848 WINDOW=65535 RES=0x00 SYN URGP=0
May 23 02:37:09 host1 kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=VALID_IP_HERE DST=SERVER_IP_HERE LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=30627 DF PROTO=TCP SPT=63215 DPT=15848 WINDOW=65535 RES=0x00 SYN URGP=0
May 23 02:37:34 host1 pure-ftpd: (?@VALID_IP_HERE) [INFO] New connection from VALID_IP_HERE
May 23 02:37:35 host1 pure-ftpd: (?@VALID_IP_HERE) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with AES256-GCM-SHA384, 256 secret bits cipher
May 23 02:37:39 host1 pure-ftpd: (?@VALID_IP_HERE) [INFO] jqyrglxg is now logged in
May 23 02:37:40 host1 kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=VALID_IP_HERE DST=SERVER_IP_HERE LEN=52 TOS=0x00 PREC=0x00 TTL=105 ID=30875 DF PROTO=TCP SPT=63220 DPT=59979 WINDOW=65535 RES=0x00 SYN URGP=0
May 23 02:37:43 host1 kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=VALID_IP_HERE DST=SERVER_IP_HERE LEN=52 TOS=0x00 PREC=0x00 TTL=105 ID=30893 DF PROTO=TCP SPT=63220 DPT=59979 WINDOW=65535 RES=0x00 SYN URGP=0
May 23 02:37:49 host1 kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=VALID_IP_HERE DST=SERVER_IP_HERE LEN=48 TOS=0x00 PREC=0x00 TTL=105 ID=30939 DF PROTO=TCP SPT=63220 DPT=59979 WINDOW=65535 RES=0x00 SYN URGP=0
May 23 02:38:13 host1 pure-ftpd: (?@VALID_IP_HERE) [INFO] New connection from VALID_IP_HERE
May 23 02:38:14 host1 pure-ftpd: (?@VALID_IP_HERE) [INFO] jqyrglxg is now logged in
May 23 02:38:14 host1 kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=VALID_IP_HERE DST=SERVER_IP_HERE LEN=52 TOS=0x00 PREC=0x00 TTL=105 ID=31104 DF PROTO=TCP SPT=63224 DPT=9703 WINDOW=65535 RES=0x00 SYN URGP=0
May 23 02:38:17 host1 kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=VALID_IP_HERE DST=SERVER_IP_HERE LEN=52 TOS=0x00 PREC=0x00 TTL=105 ID=31134 DF PROTO=TCP SPT=63224 DPT=9703 WINDOW=65535 RES=0x00 SYN URGP=0
May 23 02:38:23 host1 kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=VALID_IP_HERE DST=SERVER_IP_HERE LEN=48 TOS=0x00 PREC=0x00 TTL=105 ID=31174 DF PROTO=TCP SPT=63224 DPT=9703 WINDOW=65535 RES=0x00 SYN URGP=0
May 23 02:43:01 host1 pure-ftpd: (jqyrglxg@VALID_IP_HERE) [INFO] Timeout (no new data for 900 seconds)
May 23 02:44:12 host1 pure-ftpd: (jqyrglxg@VALID_IP_HERE) [INFO] Timeout (no new data for 900 seconds)
May 23 02:50:15 host1 pure-ftpd: (?@VALID_IP_HERE) [INFO] New connection from VALID_IP_HERE
May 23 02:50:16 host1 pure-ftpd: (?@VALID_IP_HERE) [INFO] jqyrglxg is now logged in
May 23 02:51:39 host1 pure-ftpd: (jqyrglxg@VALID_IP_HERE) [INFO] Timeout (no new data for 900 seconds)
May 23 02:52:00 host1 pure-ftpd: (jqyrglxg@VALID_IP_HERE) [INFO] Timeout
May 23 02:52:40 host1 pure-ftpd: (jqyrglxg@VALID_IP_HERE) [INFO] Timeout (no new data for 900 seconds)
May 23 02:53:14 host1 pure-ftpd: (jqyrglxg@VALID_IP_HERE) [INFO] Timeout (no new data for 900 seconds)
May 23 02:55:29 host1 pure-ftpd: (jqyrglxg@VALID_IP_HERE) [INFO] Logout.
May 23 02:55:29 host1 pure-ftpd: (?@VALID_IP_HERE) [INFO] New connection from VALID_IP_HERE
May 23 02:55:32 host1 pure-ftpd: (?@VALID_IP_HERE) [INFO] fnopgobi is now logged in
May 23 02:55:37 host1 pure-ftpd: (fnopgobi@VALID_IP_HERE) [INFO] Logout.
Please, any idea how to eliminate blocking of innocent IPs on FTP?
My PORTFLOOD = 21;tcp;50;5
so I changed it to this:
20;tcp;20;5,21;tcp;20;5,22;tcp;5;300,25;tcp;20;2,53;tcp;20;2,80;tcp;20;5,110;tcp;20;2,143;tcp;20;2,443;tcp;20;5,465;tcp;20;2,587;tcp;20;2,993;tcp;20;2,995;tcp;20;2,2077;tcp;20;5,2078;tcp;20;5,2082;tcp;20;5,2083;tcp;20;5,2086;tcp;20;5,2087;tcp;20;5,2095;tcp;20;5,2096;tcp;20;5
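
An added example, not part of the original post: a short Python check that pairs each `TCP_IN Blocked` SYN with the most recent pure-ftpd login from the same source and lists which destination ports were dropped. The sample lines are constructed in the format of the log above (documentation IP addresses, a made-up user name); the function name, the 15-second window and the `control_port` parameter are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the log above (documentation addresses).
SAMPLE = """\
May 23 02:28:00 host1 pure-ftpd: (?@198.51.100.7) [INFO] exampleuser is now logged in
May 23 02:28:01 host1 kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.10 LEN=52 PROTO=TCP SPT=63066 DPT=4714 WINDOW=65535 RES=0x00 SYN URGP=0
May 23 02:28:04 host1 kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.10 LEN=52 PROTO=TCP SPT=63066 DPT=4714 WINDOW=65535 RES=0x00 SYN URGP=0
May 23 02:29:12 host1 pure-ftpd: (?@198.51.100.7) [INFO] exampleuser is now logged in
May 23 02:29:12 host1 kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.10 LEN=52 PROTO=TCP SPT=63105 DPT=43853 WINDOW=65535 RES=0x00 SYN URGP=0
May 23 02:30:00 host1 kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=192.0.2.55 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
May 23 02:40:00 host1 kernel: Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.10 LEN=52 PROTO=TCP SPT=63300 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
"""

STAMP = r"^(\w{3}\s+\d+ [\d:]{8}) \S+ "
LOGIN = re.compile(STAMP + r"pure-ftpd: \(\?@(\S+?)\) \[INFO\] \S+ is now logged in")
BLOCK = re.compile(STAMP + r"kernel: Firewall: \*TCP_IN Blocked\* "
                   r".*?SRC=(\S+) .*?DPT=(\d+) .*?\bSYN\b")

def ts(stamp):
    # Syslog stamps carry no year; a fixed one is enough to compare times.
    return datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")

def blocked_after_login(log_text, window_s=15, control_port=21):
    """Per source IP: dropped SYNs seen within window_s of an FTP login."""
    last_login = {}
    found = defaultdict(lambda: {"syns": 0, "control_blocked": 0, "ports": set()})
    for line in log_text.splitlines():
        m = LOGIN.match(line)
        if m:
            last_login[m.group(2)] = ts(m.group(1))
            continue
        m = BLOCK.match(line)
        if not m or m.group(2) not in last_login:
            continue  # not a firewall drop, or no FTP login seen from this source
        src, dpt = m.group(2), int(m.group(3))
        if ts(m.group(1)) - last_login[src] > timedelta(seconds=window_s):
            continue  # too long after the login to attribute to that session
        found[src]["syns"] += 1
        if dpt == control_port:
            found[src]["control_blocked"] += 1
        else:
            found[src]["ports"].add(dpt)
    return {ip: {**r, "ports": sorted(r["ports"])} for ip, r in found.items()}

if __name__ == "__main__":
    for ip, r in blocked_after_login(SAMPLE).items():
        print(ip, r)
```

Run against the excerpt in the post, every dropped SYN falls within ten seconds of a login and targets a port other than 21 (4714, 43853, 36930, 15848, 59979, 9703).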