Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

large spike in pure-ftpd attacks

Discussion in 'Security' started by Mysticeti, Apr 1, 2015.

  1. Mysticeti

    Mysticeti Well-Known Member

    Joined:
    Sep 16, 2002
    Messages:
    55
    Likes Received:
    4
    Trophy Points:
    158
    Location:
    Southern NH
    Not sure if it's just me but since march 1st For a single server I've received ~125 "Large Number of Failed Login Attempts" alerts where the service being attacked was pure-ftpd. In that same timeframe there have been just 19 such alerts for all other services combined.

    The attacks seemed to kick into high gear a couple weeks ago.
     
    #1 Mysticeti, Apr 1, 2015
  2. team_dale

    team_dale Member

    Joined:
    Jul 9, 2014
    Messages:
    12
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Yeah - i got a significant spike coming out of China. Distributed IP's too.
     
    #2 team_dale, Apr 1, 2015
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,802
    Likes Received:
    1,896
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    You may want to block the IP addresses through your firewall if you have not already done so to help stop the attacks after they start.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 cPanelMichael, Apr 8, 2015
  4. Mysticeti

    Mysticeti Well-Known Member

    Joined:
    Sep 16, 2002
    Messages:
    55
    Likes Received:
    4
    Trophy Points:
    158
    Location:
    Southern NH
    Thanks. Yes. I've been routinely adding IP blocks to the firewall. Lately I've been tempted to use the country code block feature but I've heard that can be problemattic so I've steered clear.
     
    #4 Mysticeti, Apr 14, 2015
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,436
    Likes Received:
    416
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    You can configure CSF to automatically handle these properly (perm block them), and even disable notifications for them if you wish. These types of attacks will come and go, its not just you. This week its ftp, next week its email, the following week, both, or neither, instead, something else.

    It's very important to keep your server and all sites on it, up to date and secure. These sorts of email alerts from cPHulk and CSF are very useful to see whats going on of course, it's what you can't see going on that you need to be concerned about.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 Infopro, Apr 14, 2015
  6. Mysticeti

    Mysticeti Well-Known Member

    Joined:
    Sep 16, 2002
    Messages:
    55
    Likes Received:
    4
    Trophy Points:
    158
    Location:
    Southern NH
    Indeed. My /etc/csf/csf.deny file is chock-full (I have DENY_IP_LIMIT set to 1000; not sure I should push it any higher).
     
    #6 Mysticeti, Apr 14, 2015
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,436
    Likes Received:
    416
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Depending on the server, that would be a concern, you bet.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #7 Infopro, Apr 14, 2015
  8. Mysticeti

    Mysticeti Well-Known Member

    Joined:
    Sep 16, 2002
    Messages:
    55
    Likes Received:
    4
    Trophy Points:
    158
    Location:
    Southern NH
    I was wondering if it would be useful to do some analysis of the csf.deny file and pair down the number of individually blocked IP addresses with range based blocks?

    Perhaps some tweakable heuristics could be employed. e.g. If a certain threshold percentage of single IP addresses in a given range are blocked then replace those individual blocks with the range that would block them all. Perhaps even taking the country code into affect when doing this would be useful.
     
    #8 Mysticeti, Jul 13, 2015
  9. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,011
    Likes Received:
    88
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    It can be done but I don't find it particularly useful for most attacks. Generally you'll see distributed attacks nowadays, though of course there are exceptions where it can be useful. Personally I find it to do more harm than good, but CSF has a setting for it if you want to try it out:

    Code:
    # Permanently block IPs by network class. The following enables this feature
# to permanently block classes of IP address where individual IP addresses
# within the same class LF_NETBLOCK_CLASS have already been blocked more than
# LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set
# LF_NETBLOCK  to "1" to enable this feature
#
# This can be an affective way of blocking DDOS attacks launched from within
# the same network class
#
# Valid settings for LF_NETBLOCK_CLASS are "A", "B" and "C", care and
# consideration is required when blocking network classes A or B
#
# Set LF_NETBLOCK to "0" to disable this feature
LF_NETBLOCK = "0"
LF_NETBLOCK_INTERVAL = "86400"
LF_NETBLOCK_COUNT = "4"
LF_NETBLOCK_CLASS = "C"
LF_NETBLOCK_ALERT = "1"
    If I were going to use this I would recommend setting LF_NETBLOCK to 1 to enable it, leaving the other settings intact as above except for LF_NETBLOCK_COUNT which I would set to 10 or so. That way if 10 IPs in one class C are blocked, the whole class C gets blocked.
     
    #9 quizknows, Jul 13, 2015
    Mysticeti likes this.
  10. Mysticeti

    Mysticeti Well-Known Member

    Joined:
    Sep 16, 2002
    Messages:
    55
    Likes Received:
    4
    Trophy Points:
    158
    Location:
    Southern NH
    Thanks quizknows. It's good to know we have another arrow in the quiver should we need it.
     
    #10 Mysticeti, Jul 14, 2015
  11. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,155
    Likes Received:
    38
    Trophy Points:
    178
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    I have had some reports from customers where they are getting an error that the FTP server says "Max of 50 users" and isn't letting them connect. This is when I found the spike of brute force attacks taking place. The bad guys are definitely using distributed IPs and are purposely throttling their password guessing, staying under the radar. I have CSF set to block IPs after a certain number of incorrect login attempts, and they are staying under that level. I've lowered the level at which I block, and also have had to increase the max FTP users to 75 in the pure-ftpd config in WHM.

    - Scott
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #11 sneader, Jul 14, 2015
(You must log in or sign up to post here.)
Loading...
Similar Threads - large spike pure
  1. Nakshathra

    Remove large number of files?

    Nakshathra, Oct 6, 2018, in forum: General Discussion
    Replies:
    3
    Views:
    68
    Infopro
    Oct 10, 2018 at 4:10 AM
  2. Bashed

    Dedicated Server or Large Virtual Machine?

    Bashed, Oct 1, 2018, in forum: General Discussion
    Replies:
    2
    Views:
    76
    cPanelLauren
    Oct 8, 2018
  3. Samet Chan

    SOLVED Disk Usage is larger issue

    Samet Chan, Aug 21, 2018, in forum: General Discussion
    Replies:
    4
    Views:
    136
    Samet Chan
    Sep 24, 2018
  4. rdgonzalez

    The system has detected an unusually large amount of outbound email.

    rdgonzalez, Jul 30, 2018, in forum: E-mail Discussion
    Replies:
    1
    Views:
    121
    cPanelMichael
    Jul 31, 2018
  5. David_spm

    Unable to stop large xmlrpc spam attack

    David_spm, Jul 24, 2018, in forum: Security
    Replies:
    6
    Views:
    363
    cPanelMichael
    Jul 27, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice