Blocked distributed ftpd attack emails and LFD going down

[joaosavioli]

Hi,

I'm having problem with a lot of "blocked distributed ftpd attack". When it happen, sometimes I receive an alert from cpanel that lfd is down, like this "FAILED: lfd".

Is there anything that I can do to fix it?
The "DENY_IP_LIMIT" is 200 and "DENY_TEMP_IP_LIMIT" is 100. Do you recommend upgrade both to 1000?

Bt the way, has cpanel any tool to hand it?

Thank you very much.

Best!
Joao

 

[joaosavioli]

update:
When an attack is happening, I can see these lot of csf proccess running:
23134 root 20 0 176004 30372 2460 D 12.3 0.1 0:00.37 csf
23135 root 20 0 175856 30288 2456 S 12.0 0.1 0:00.36 csf
23231 root 20 0 175944 30276 2456 S 12.0 0.1 0:00.36 csf
23240 root 20 0 175888 30252 2460 S 11.6 0.1 0:00.35 csf
23328 root 20 0 175788 30276 2460 S 11.6 0.1 0:00.35 csf
23181 root 20 0 175880 30272 2460 S 10.6 0.1 0:00.32 csf
23081 root 20 0 175944 30260 2456 S 8.6 0.1 0:00.42 csf
23082 root 20 0 175860 30316 2460 S 6.6 0.1 0:00.35 csf

Cheers,
Joao

 

[cPanelLauren]

Hi @joaosavioli

I would recommend identifying whether or not you're actually experiencing a distributed FTP attack before making any modifications. What is in

/var/log/messages

for FTP logins when this is occurring?

CSF has some posts on this subject as well:
distributed FTP attacks - can LFD be set to block on acct? - ConfigServer Community Forum

We have some other similar threads as well for example:
Strange FTP Attack


Thanks!

 

[joaosavioli]

Hi!

I tried a lot of things to fix it, but every time that brute force happen with a lot of ips (more than 2000 different ips), LFD has been failed.

I think it was happening because brute force protection needs to add a lot of ips in block list at the same time.

I've fixed this problem turning off CSF brute force for FTP, IMAP and POP3, and use cphulk for this function.

Cheers
Joao