failed ftp logins

[keat63]

Of late, I'm seeing a number of failed ftp logins.
I'm aware that HostAccessControl has no effect on pureftp.

What I a little confused with is CSF has port 20 and 21 closed, so I'm not sure how these are getting through.

Nov 18 16:13:29 leeds pure-ftpd: ([email protected]) [INFO] New connection from 123.232.19.90
Nov 18 16:13:29 leeds pure-ftpd: ([email protected]) [INFO] New connection from 123.232.19.90
Nov 18 16:13:29 leeds pure-ftpd: ([email protected]) [INFO] New connection from 123.232.19.90
Nov 18 16:13:30 leeds pure-ftpd: ([email protected]) [INFO] New connection from 123.232.19.90
Nov 18 16:13:35 leeds pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [name]
Nov 18 16:13:35 leeds pure-ftpd: ([email protected]) [INFO] Logout.
Nov 18 16:13:35 leeds pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [anonymous]
Nov 18 16:13:35 leeds pure-ftpd: ([email protected]) [INFO] Logout.
Nov 18 16:13:35 leeds pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [www]
Nov 18 16:13:35 leeds pure-ftpd: ([email protected]) [INFO] Logout.
Nov 18 16:13:36 leeds pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [anonymous]
Nov 18 16:13:36 leeds pure-ftpd: ([email protected]) [INFO] Logout.

Messages log doesn't show me if these attempts are via any other port.

Any ideas ?

 

[24x7server]

Hi,

Can you check if those ports are still listening on those ports?
# netstat -anpt | grep :21

If you do not want to have connection on those port, then it will best for you to just change the BIND section to different port, so you can change it to different port than common 21 for FTP.
# cat /etc/pure-ftpd.conf | grep Bind

 

[keat63]

The Netstat didn't reveal anything.
And there are no entries in messages/log since this morning, however, i've no doubt that i'll find them again in the morning.

Maybe changing the FTP port isn't a bad idea

 

[cPanelLauren]

A more accurate way to determine whether or not a port is open would be to run something similar to the following from outside your server:

sudo nmap -sU -sT <IPADDRESS> -p 20,21

Starting Nmap 7.00 ( https://nmap.org ) at 2019-11-20 17:20 CST
Nmap scan report for <HOSTNAME> (<IPADDRESS>)
Host is up (0.010s latency).
PORT   STATE  SERVICE
20/tcp closed ftp-data
21/tcp open   ftp
20/udp closed ftp-data
21/udp closed ftp

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

netstat will just show you what is listening on those ports, and it's perfectly reasonable to expect FTP to be listening on 20 and 21.

To see what iptables has blocked you can view:

iptables -L -n

 

[keat63]

As there is really only myself who has FTP access, I configured CSF to ban on a single ftp login failure.
I'm no longer seeing any failed ftp logins, but this might just mean that they admitted defeat and went away.