are danger "shadowserver.org" ? (they loged into my server FTP?)

000

Well-Known Member
Jun 3, 2008
427
18
68
hello,
this means 184.105.247.196 (scan-15.shadowserver.org) loged into my server:
Code:
[[email protected] ~]# journalctl --no-pager | grep 184.105.247.196
Jun 20 12:42:14 pepsi pure-ftpd[12804]: ([email protected]) [INFO] New connection from 184.105.247.196
Jun 20 12:42:15 pepsi pure-ftpd[12804]: ([email protected]) [INFO] TLS: Enabled TLSv1.2 with ECDHE-RSA-AES128-GCM-SHA256, 128 secret bits cipher
Jun 20 12:42:16 pepsi pure-ftpd[12804]: ([email protected]) [INFO] Logout.
[[email protected] ~]#
???

if yes, how I fix my IPTABLES rules?
if no, then what means the previous records?
 
Last edited:

quietFinn

Well-Known Member
Feb 4, 2006
1,300
127
193
Finland
cPanel Access Level
Root Administrator
hello,
this means 184.105.247.196 (scan-15.shadowserver.org) loged into my server:
Code:
[[email protected] ~]# journalctl --no-pager | grep 184.105.247.196
Jun 20 12:42:14 Ipc pure-ftpd[12804]: ([email protected]) [INFO] New connection from 184.105.247.196
Jun 20 12:42:15 Ipc pure-ftpd[12804]: ([email protected]) [INFO] TLS: Enabled TLSv1.2 with ECDHE-RSA-AES128-GCM-SHA256, 128 secret bits cipher
Jun 20 12:42:16 Ipc pure-ftpd[12804]: ([email protected]) [INFO] Logout.
[[email protected] ~]#
???

if yes, how I fix my IPTABLES rules?
if no, then what means the previous records?
They connected to your server using FTP protocol, but they did not even try to log in.

I suggest you install CSF:
 

quietFinn

Well-Known Member
Feb 4, 2006
1,300
127
193
Finland
cPanel Access Level
Root Administrator
Thanks master @quietFinn, and they are ... dangerous?, why they snooping our network?
What happened there is called "port scanning", they are checking what ports are open. That itself is not dangerous, but it's dangerous if they are able to log in.
If you don't need FTP, disable it and close port 21, otherwise make sure you disable anonymous & root logins in FTP settings, and make sure every user in your server has strong password.
 

000

Well-Known Member
Jun 3, 2008
427
18
68
What happened there is called "port scanning", they are checking what ports are open. That itself is not dangerous, but it's dangerous if they are able to log in.
If you don't need FTP, disable it and close port 21, otherwise make sure you disable anonymous & root logins in FTP settings, and make sure every user in your server has strong password.
oh quite the opposite, I couldn't get the FTP to work.

I have cPanel + CSF + CentOS 8 + PureFTP

I doit:

1// https://download.configserver.com/csf/readme.txt (#13)
2// How to Enable FTP Passive Mode - cPanel Knowledge Base - cPanel Documentation

and restart all, but FTP answer is:
Code:
Timeout detected. (data connection)
Could not retrieve directory listing
Error listing directory '/public_html'.
some idea please?
 

quietFinn

Well-Known Member
Feb 4, 2006
1,300
127
193
Finland
cPanel Access Level
Root Administrator
in /etc/pure-ftpd.conf there is line:
PassivePortRange 49152 65534
Did you open ports 49152 -65534?

Also are you using FileZilla?
 

000

Well-Known Member
Jun 3, 2008
427
18
68
in /etc/pure-ftpd.conf there is line:
PassivePortRange 49152 65534
Did you open ports 49152 -65534?

Also are you using FileZilla?
Thanks,

in /etc/csf/csf.conf this is my line TCP_IN:

Code:
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096,8443,30000:35000"
and just below I add line:

Code:
PassivePortRange    30000 35000
also I create the file /var/cpanel/conf/pureftpd/local with:
Code:
ForcePassiveIP: My.IP

PassivePortRange: 49152 65534




 

quietFinn

Well-Known Member
Feb 4, 2006
1,300
127
193
Finland
cPanel Access Level
Root Administrator
You open ports 30000-35000, but PassivePortRange: 49152 65534, that is not going to work. They must be the same.
 

000

Well-Known Member
Jun 3, 2008
427
18
68
...Also are you using FileZilla?
ah!, thanks by open my ices, with your help I change the file /var/cpanel/conf/pureftpd/local with:
Code:
ForcePassiveIP: My.IP

PassivePortRange: 30000 35000
and now ALL connect fine:

  1. FileZilla-3.54.1
  2. WinSCP-5.19-Portable
  3. NicoFtp3

Many thanks master @quietFinn now I can sleep...


:) o_O ;)

in my city is 03:00

what time in your side?
 
  • Like
Reactions: cPRex