large spike in pure-ftpd attacks

[Mysticeti]

Not sure if it's just me but since march 1st For a single server I've received ~125 "Large Number of Failed Login Attempts" alerts where the service being attacked was pure-ftpd. In that same timeframe there have been just 19 such alerts for all other services combined.

The attacks seemed to kick into high gear a couple weeks ago.

 

[team_dale]

Yeah - i got a significant spike coming out of China. Distributed IP's too.

 

[cPanelMichael]

Hello,

You may want to block the IP addresses through your firewall if you have not already done so to help stop the attacks after they start.

Thank you.

 

[Mysticeti]

Hello,

You may want to block the IP addresses through your firewall if you have not already done so to help stop the attacks after they start.

Thank you.

Thanks. Yes. I've been routinely adding IP blocks to the firewall. Lately I've been tempted to use the country code block feature but I've heard that can be problemattic so I've steered clear.

 

[Infopro]

You can configure CSF to automatically handle these properly (perm block them), and even disable notifications for them if you wish. These types of attacks will come and go, its not just you. This week its ftp, next week its email, the following week, both, or neither, instead, something else.

It's very important to keep your server and all sites on it, up to date and secure. These sorts of email alerts from cPHulk and CSF are very useful to see whats going on of course, it's what you can't see going on that you need to be concerned about.

 

[Mysticeti]

You can configure CSF to automatically handle these properly (perm block them), and even disable notifications for them if you wish. These types of attacks will come and go, its not just you. This week its ftp, next week its email, the following week, both, or neither, instead, something else.

It's very important to keep your server and all sites on it, up to date and secure. These sorts of email alerts from cPHulk and CSF are very useful to see whats going on of course, it's what you can't see going on that you need to be concerned about.

Indeed. My /etc/csf/csf.deny file is chock-full (I have DENY_IP_LIMIT set to 1000; not sure I should push it any higher).

 

[Infopro]

Depending on the server, that would be a concern, you bet.

 

[Mysticeti]

I was wondering if it would be useful to do some analysis of the csf.deny file and pair down the number of individually blocked IP addresses with range based blocks?

Perhaps some tweakable heuristics could be employed. e.g. If a certain threshold percentage of single IP addresses in a given range are blocked then replace those individual blocks with the range that would block them all. Perhaps even taking the country code into affect when doing this would be useful.

 

[quizknows]

It can be done but I don't find it particularly useful for most attacks. Generally you'll see distributed attacks nowadays, though of course there are exceptions where it can be useful. Personally I find it to do more harm than good, but CSF has a setting for it if you want to try it out:

# Permanently block IPs by network class. The following enables this feature
# to permanently block classes of IP address where individual IP addresses
# within the same class LF_NETBLOCK_CLASS have already been blocked more than
# LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set
# LF_NETBLOCK  to "1" to enable this feature
#
# This can be an affective way of blocking DDOS attacks launched from within
# the same network class
#
# Valid settings for LF_NETBLOCK_CLASS are "A", "B" and "C", care and
# consideration is required when blocking network classes A or B
#
# Set LF_NETBLOCK to "0" to disable this feature
LF_NETBLOCK = "0"
LF_NETBLOCK_INTERVAL = "86400"
LF_NETBLOCK_COUNT = "4"
LF_NETBLOCK_CLASS = "C"
LF_NETBLOCK_ALERT = "1"

If I were going to use this I would recommend setting LF_NETBLOCK to 1 to enable it, leaving the other settings intact as above except for LF_NETBLOCK_COUNT which I would set to 10 or so. That way if 10 IPs in one class C are blocked, the whole class C gets blocked.

 

[Mysticeti]

Thanks quizknows. It's good to know we have another arrow in the quiver should we need it.

 

[sneader]

I have had some reports from customers where they are getting an error that the FTP server says "Max of 50 users" and isn't letting them connect. This is when I found the spike of brute force attacks taking place. The bad guys are definitely using distributed IPs and are purposely throttling their password guessing, staying under the radar. I have CSF set to block IPs after a certain number of incorrect login attempts, and they are staying under that level. I've lowered the level at which I block, and also have had to increase the max FTP users to 75 in the pure-ftpd config in WHM.

- Scott