The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

large spike in pure-ftpd attacks

Discussion in 'Security' started by Mysticeti, Apr 1, 2015.

  1. Mysticeti

    Mysticeti Well-Known Member

    Joined:
    Sep 16, 2002
    Messages:
    49
    Likes Received:
    3
    Trophy Points:
    158
    Location:
    Southern NH
    Not sure if it's just me but since march 1st For a single server I've received ~125 "Large Number of Failed Login Attempts" alerts where the service being attacked was pure-ftpd. In that same timeframe there have been just 19 such alerts for all other services combined.

    The attacks seemed to kick into high gear a couple weeks ago.
     
    #1 Mysticeti, Apr 1, 2015
  2. team_dale

    team_dale Member

    Joined:
    Jul 9, 2014
    Messages:
    12
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Yeah - i got a significant spike coming out of China. Distributed IP's too.
     
    #2 team_dale, Apr 1, 2015
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    36,394
    Likes Received:
    1,212
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    You may want to block the IP addresses through your firewall if you have not already done so to help stop the attacks after they start.

    Thank you.
     
    #3 cPanelMichael, Apr 8, 2015
  4. Mysticeti

    Mysticeti Well-Known Member

    Joined:
    Sep 16, 2002
    Messages:
    49
    Likes Received:
    3
    Trophy Points:
    158
    Location:
    Southern NH
    Thanks. Yes. I've been routinely adding IP blocks to the firewall. Lately I've been tempted to use the country code block feature but I've heard that can be problemattic so I've steered clear.
     
    #4 Mysticeti, Apr 14, 2015
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,553
    Likes Received:
    292
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    You can configure CSF to automatically handle these properly (perm block them), and even disable notifications for them if you wish. These types of attacks will come and go, its not just you. This week its ftp, next week its email, the following week, both, or neither, instead, something else.

    It's very important to keep your server and all sites on it, up to date and secure. These sorts of email alerts from cPHulk and CSF are very useful to see whats going on of course, it's what you can't see going on that you need to be concerned about.
     
    #5 Infopro, Apr 14, 2015
  6. Mysticeti

    Mysticeti Well-Known Member

    Joined:
    Sep 16, 2002
    Messages:
    49
    Likes Received:
    3
    Trophy Points:
    158
    Location:
    Southern NH
    Indeed. My /etc/csf/csf.deny file is chock-full (I have DENY_IP_LIMIT set to 1000; not sure I should push it any higher).
     
    #6 Mysticeti, Apr 14, 2015
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,553
    Likes Received:
    292
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Depending on the server, that would be a concern, you bet.
     
    #7 Infopro, Apr 14, 2015
  8. Mysticeti

    Mysticeti Well-Known Member

    Joined:
    Sep 16, 2002
    Messages:
    49
    Likes Received:
    3
    Trophy Points:
    158
    Location:
    Southern NH
    I was wondering if it would be useful to do some analysis of the csf.deny file and pair down the number of individually blocked IP addresses with range based blocks?

    Perhaps some tweakable heuristics could be employed. e.g. If a certain threshold percentage of single IP addresses in a given range are blocked then replace those individual blocks with the range that would block them all. Perhaps even taking the country code into affect when doing this would be useful.
     
    #8 Mysticeti, Jul 13, 2015
  9. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    981
    Likes Received:
    73
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    It can be done but I don't find it particularly useful for most attacks. Generally you'll see distributed attacks nowadays, though of course there are exceptions where it can be useful. Personally I find it to do more harm than good, but CSF has a setting for it if you want to try it out:

    Code:
    # Permanently block IPs by network class. The following enables this feature
# to permanently block classes of IP address where individual IP addresses
# within the same class LF_NETBLOCK_CLASS have already been blocked more than
# LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set
# LF_NETBLOCK  to "1" to enable this feature
#
# This can be an affective way of blocking DDOS attacks launched from within
# the same network class
#
# Valid settings for LF_NETBLOCK_CLASS are "A", "B" and "C", care and
# consideration is required when blocking network classes A or B
#
# Set LF_NETBLOCK to "0" to disable this feature
LF_NETBLOCK = "0"
LF_NETBLOCK_INTERVAL = "86400"
LF_NETBLOCK_COUNT = "4"
LF_NETBLOCK_CLASS = "C"
LF_NETBLOCK_ALERT = "1"
    If I were going to use this I would recommend setting LF_NETBLOCK to 1 to enable it, leaving the other settings intact as above except for LF_NETBLOCK_COUNT which I would set to 10 or so. That way if 10 IPs in one class C are blocked, the whole class C gets blocked.
     
    #9 quizknows, Jul 13, 2015
    Mysticeti likes this.
  10. Mysticeti

    Mysticeti Well-Known Member

    Joined:
    Sep 16, 2002
    Messages:
    49
    Likes Received:
    3
    Trophy Points:
    158
    Location:
    Southern NH
    Thanks quizknows. It's good to know we have another arrow in the quiver should we need it.
     
    #10 Mysticeti, Jul 14, 2015
  11. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,145
    Likes Received:
    31
    Trophy Points:
    178
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    I have had some reports from customers where they are getting an error that the FTP server says "Max of 50 users" and isn't letting them connect. This is when I found the spike of brute force attacks taking place. The bad guys are definitely using distributed IPs and are purposely throttling their password guessing, staying under the radar. I have CSF set to block IPs after a certain number of incorrect login attempts, and they are staying under that level. I've lowered the level at which I block, and also have had to increase the max FTP users to 75 in the pure-ftpd config in WHM.

    - Scott
     
    #11 sneader, Jul 14, 2015
(You must log in or sign up to post here.)
Loading...
Similar Threads - large spike pure
  1. mathfrick

    Row Size too large error

    mathfrick, Jul 14, 2017, in forum: Database Discussions
    Replies:
    1
    Views:
    57
    cPanelMichael
    Jul 14, 2017
  2. sneader

    SOLVED Bash script to find large error_log files? Run as cron?

    sneader, Mar 29, 2017, in forum: Workarounds and Optimization
    Replies:
    6
    Views:
    340
    cPanelMichael
    Mar 29, 2017
  3. webmasteryoda

    SOLVED Best way to transfer very large accounts

    webmasteryoda, Mar 23, 2017, in forum: Data Protection
    Replies:
    7
    Views:
    500
    webmasteryoda
    May 1, 2017
  4. sagarR

    Locate large email attachments

    sagarR, Mar 17, 2017, in forum: E-mail Discussions
    Replies:
    1
    Views:
    219
    cPanelMichael
    Mar 17, 2017
  5. Rodrigo Gomes

    Blocking large amount of spam domains

    Rodrigo Gomes, Feb 26, 2017, in forum: E-mail Discussions
    Replies:
    5
    Views:
    465
    Rodrigo Gomes
    Mar 2, 2017

Share This Page