
Does csf/lfd check on number of ftp connects/disconnects

Posted: 13 Nov 2014, 05:10
by hariskhan
Hello,

With LF_FTPD, does csf/lfd check the number of connects/disconnects on the FTP port?

I have 722 lines of connects/disconnects within a 10-minute period that happened today (13-Nov-2014). csf/lfd was running when this attack took place. I might have left something out of the csf/lfd config for this to be dealt with.

What settings do I need to tweak to deal with this?

///////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////

Nov 13 02:23:32 servername proftpd[16312]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:32 servername proftpd[16312]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:32 servername proftpd[16313]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:33 servername proftpd[16313]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:33 servername proftpd[16314]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:33 servername proftpd[16314]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:34 servername proftpd[16315]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:34 servername proftpd[16315]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:34 servername proftpd[16316]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:35 servername proftpd[16316]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:35 servername proftpd[16317]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:35 servername proftpd[16317]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:35 servername proftpd[16318]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:36 servername proftpd[16318]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:36 servername proftpd[16319]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:36 servername proftpd[16319]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:37 servername proftpd[16320]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:37 servername proftpd[16320]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:37 servername proftpd[16321]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:38 servername proftpd[16321]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:38 servername proftpd[16322]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:38 servername proftpd[16322]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:39 servername proftpd[16323]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:39 servername proftpd[16323]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:39 servername proftpd[16324]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:40 servername proftpd[16324]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:40 servername proftpd[16325]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:40 servername proftpd[16325]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.
Nov 13 02:23:40 servername proftpd[16326]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session opened.
Nov 13 02:23:41 servername proftpd[16326]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - FTP session closed.

Re: Does csf/lfd check on number of ftp connects/disconnects

Posted: 21 Nov 2014, 11:11
by hariskhan
csf/lfd did nothing to stop or log these.

I have more FTP port attacks:

Nov 21 08:41:58 server-name proftpd[18359]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER wwwusername.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:42:19 server-name proftpd[18364]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER username123: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:42:24 server-name proftpd[18371]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER username.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:42:30 server-name proftpd[18374]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER wwwusername.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:42:55 server-name proftpd[18381]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER username123: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:42:57 server-name proftpd[18384]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER username.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:42:59 server-name proftpd[18385]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER wwwusername.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:43:10 server-name proftpd[18389]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER username123: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:43:12 server-name proftpd[18391]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER username.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:43:24 server-name proftpd[18392]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER wwwusername.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:43:34 server-name proftpd[18401]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER username123: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:43:38 server-name proftpd[18404]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER username.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:43:39 server-name proftpd[18405]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER wwwusername.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:43:47 server-name proftpd[18410]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER username123: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:43:48 server-name proftpd[18411]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER username.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21
Nov 21 08:43:53 server-name proftpd[18412]: xxx.xx.xxx.xx (118.250.11.62[118.250.11.62]) - USER wwwusername.comau: no such user found from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21

Re: Does csf/lfd check on number of ftp connects/disconnects

Posted: 21 Nov 2014, 11:18
by hariskhan
csf is watching /var/log/secure, but it is not banning IPs that are failing authentication repeatedly.

Re: Does csf/lfd check on number of ftp connects/disconnects

Posted: 25 Nov 2014, 03:58
by hariskhan
Fixed this on my own.

csf was configured to look at the wrong log file for checking FTP authentication violations. Fixed that. It's been working like a charm since.
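The two detections this thread is about, as an added example that is not part of the original posts and is not csf's or lfd's own code: a small Python script that parses the two proftpd line formats quoted above, tallies "no such user found" failures per source IP inside a sliding time window (the kind of rule LF_FTPD enables once lfd is reading the log file proftpd actually writes to), and separately flags the rapid session open/close churn from the first post, which is not an authentication failure and would not trip LF_FTPD even with the correct log file. The thresholds, the constant names and the log lines are constructed for the example (the sample reuses the attacker IPs and message formats from the thread, with the server side masked as in the posts); they are assumptions, not values taken from the thread or from a csf.conf.

```python
import re
from collections import defaultdict
from datetime import datetime

# Threshold names mirror csf.conf's LF_FTPD / LF_INTERVAL; the values are assumed
# for this example, not read from any real csf.conf.
LF_FTPD = 10            # failed FTP logins per source before we would block
LF_INTERVAL = 300       # seconds over which those failures are counted
# Hypothetical connect-churn rule (lfd has no log-based equivalent; csf covers
# this with PORTFLOOD / connection tracking instead).
CONNECT_THRESHOLD = 10  # sessions opened by one source ...
CONNECT_INTERVAL = 60   # ... within this many seconds

# Common prefix of every proftpd syslog line in the thread:
#   "Nov 13 02:23:32 host proftpd[16312]: server (rhost[rip]) - message"
SYSLOG_PREFIX = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ proftpd\[\d+\]: '
    r'\S+ \((?P<host>[^\[]*)\[(?P<ip>[^\]]+)\]\) - (?P<msg>.*)$'
)
# Message form of the 21 Nov lines: "USER <name>: no such user found from ..."
AUTH_FAIL = re.compile(r'^USER (?P<user>\S+): no such user found from ')


def parse_proftpd_log(text):
    """Turn raw log text into (timestamp, source_ip, kind, user) events.
    Syslog stamps carry no year, so relative spacing within one log is all
    that is used (a year rollover inside the log is not handled here)."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_PREFIX.match(line)
        if not m:
            continue  # not a proftpd line, or a format this example ignores
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        msg = m.group("msg")
        fail = AUTH_FAIL.match(msg)
        if fail:
            events.append((ts, m.group("ip"), "auth_fail", fail.group("user")))
        elif msg == "FTP session opened.":
            events.append((ts, m.group("ip"), "session_open", None))
    return events


def sliding_window_offenders(events, kind, threshold, window_seconds):
    """Return {ip: (count, trigger_time)} for each source that produced at
    least `threshold` events of `kind` inside any `window_seconds` span."""
    by_ip = defaultdict(list)
    for ts, ip, ev_kind, _ in events:
        if ev_kind == kind:
            by_ip[ip].append(ts)
    offenders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1          # drop stamps that fell out of the window
            if end - start + 1 >= threshold:
                offenders[ip] = (end - start + 1, ts)
                break               # first time the threshold is reached
    return offenders


def ftp_offenders(text):
    """Apply both rules to a log and report who would be blocked by each."""
    events = parse_proftpd_log(text)
    return {
        "auth_failures": sliding_window_offenders(events, "auth_fail", LF_FTPD, LF_INTERVAL),
        "connect_flood": sliding_window_offenders(events, "session_open",
                                                  CONNECT_THRESHOLD, CONNECT_INTERVAL),
    }


def constructed_sample_log():
    """Constructed sample (not copied from the thread): 12 open/close pairs in
    12 seconds, 12 unknown-user failures one every 5 seconds, and two typos
    plus one real login from an RFC 5737 test address that must not be flagged."""
    lines = []
    for i in range(12):
        pfx = f"Nov 13 02:23:{32 + i:02d} servername proftpd[{16312 + i}]: xx.xx.x.xxx (110.171.7.171[110.171.7.171]) - "
        lines.append(pfx + "FTP session opened.")
        lines.append(pfx + "FTP session closed.")
    users = ["wwwusername.comau", "username123", "username.comau"]
    for i in range(12):
        lines.append(f"Nov 21 08:42:{i * 5:02d} server-name proftpd[{18359 + i}]: xxx.xx.xxx.xx "
                     f"(118.250.11.62[118.250.11.62]) - USER {users[i % 3]}: no such user found "
                     f"from 118.250.11.62 [118.250.11.62] to ::ffff:xxx.xx.xxx.xx:21")
    for i in range(2):
        lines.append(f"Nov 21 09:10:{i * 20:02d} server-name proftpd[{18500 + i}]: xxx.xx.xxx.xx "
                     f"(203.0.113.5[203.0.113.5]) - USER bob: no such user found "
                     f"from 203.0.113.5 [203.0.113.5] to ::ffff:xxx.xx.xxx.xx:21")
    lines.append("Nov 21 09:11:00 server-name proftpd[18502]: xxx.xx.xxx.xx "
                 "(203.0.113.5[203.0.113.5]) - FTP session opened.")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for rule, hits in ftp_offenders(constructed_sample_log()).items():
        for ip, (count, when) in hits.items():
            print(f"{rule}: {ip} reached {count} events at {when:%b %d %H:%M:%S}")
```

The practical takeaway matches the last post: a rule like the `auth_failures` one only fires if the watcher is fed the file proftpd writes to, so the first thing to verify is the `FTPD_LOG` path in /etc/csf/csf.conf against where those "no such user found" lines actually land on the box (and restart with `csf -r` after changing it). The open/close churn in the first post contains no failed login, so no setting of LF_FTPD will ever match it; in csf that traffic is the job of the per-port new-connection limit (PORTFLOOD) or connection tracking (CT_LIMIT), which act on connection counts rather than log text.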