The Community Forums


large spike in pure-ftpd attacks

Discussion in 'Security' started by Mysticeti, Apr 1, 2015.

  1. Mysticeti

    Mysticeti Well-Known Member

    Joined:
    Sep 16, 2002
    Messages:
    45
    Likes Received:
    2
    Trophy Points:
    8
    Location:
    Southern NH
    Not sure if it's just me, but since March 1st, for a single server, I've received ~125 "Large Number of Failed Login Attempts" alerts where the service being attacked was pure-ftpd. In that same timeframe there have been just 19 such alerts for all other services combined.

    The attacks seemed to kick into high gear a couple weeks ago.
     
  2. team_dale

    team_dale Member

    Joined:
    Jul 9, 2014
    Messages:
    12
    Likes Received:
    1
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Yeah - I got a significant spike coming out of China. Distributed IPs too.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    You may want to block the IP addresses through your firewall if you have not already done so to help stop the attacks after they start.

    Thank you.
     
  4. Mysticeti

    Thanks. Yes. I've been routinely adding IP blocks to the firewall. Lately I've been tempted to use the country code block feature, but I've heard that can be problematic, so I've steered clear.
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,446
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    You can configure CSF to automatically handle these properly (perm block them), and even disable notifications for them if you wish. These types of attacks will come and go; it's not just you. This week it's FTP, next week it's email, the following week both, or neither, and instead something else.

    It's very important to keep your server, and all sites on it, up to date and secure. These sorts of email alerts from cPHulk and CSF are very useful to see what's going on, of course; it's what you can't see going on that you need to be concerned about.
     
  6. Mysticeti

    Indeed. My /etc/csf/csf.deny file is chock-full (I have DENY_IP_LIMIT set to 1000; not sure I should push it any higher).
     
  7. Infopro

    Depending on the server, that would be a concern, you bet.
     
  8. Mysticeti

    I was wondering if it would be useful to do some analysis of the csf.deny file and pare down the number of individually blocked IP addresses with range-based blocks?

    Perhaps some tweakable heuristics could be employed, e.g. if a certain threshold percentage of single IP addresses in a given range are blocked, then replace those individual blocks with the range that would block them all. Perhaps even taking the country code into effect when doing this would be useful.
     
  9. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    It can be done but I don't find it particularly useful for most attacks. Generally you'll see distributed attacks nowadays, though of course there are exceptions where it can be useful. Personally I find it to do more harm than good, but CSF has a setting for it if you want to try it out:

    Code:
    # Permanently block IPs by network class. The following enables this feature
    # to permanently block classes of IP address where individual IP addresses
    # within the same class LF_NETBLOCK_CLASS have already been blocked more than
    # LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set
    # LF_NETBLOCK  to "1" to enable this feature
    #
    # This can be an affective way of blocking DDOS attacks launched from within
    # the same network class
    #
    # Valid settings for LF_NETBLOCK_CLASS are "A", "B" and "C", care and
    # consideration is required when blocking network classes A or B
    #
    # Set LF_NETBLOCK to "0" to disable this feature
    LF_NETBLOCK = "0"
    LF_NETBLOCK_INTERVAL = "86400"
    LF_NETBLOCK_COUNT = "4"
    LF_NETBLOCK_CLASS = "C"
    LF_NETBLOCK_ALERT = "1"
    
    
    If I were going to use this I would recommend setting LF_NETBLOCK to 1 to enable it, leaving the other settings intact as above except for LF_NETBLOCK_COUNT which I would set to 10 or so. That way if 10 IPs in one class C are blocked, the whole class C gets blocked.
     
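The following script is an added example, not part of this thread and not CSF/lfd code: it applies Mysticeti's proposed heuristic offline over a csf.deny file, grouping single IPv4 entries by /24 (CSF's network class "C") and emitting one range entry once a threshold count is reached, the way LF_NETBLOCK_COUNT does for lfd. The csf.deny sample lines are constructed for the example; existing ranges, IPv6 entries and CSF's advanced-syntax entries are passed through unchanged.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of csf.deny lines; the "IP # comment" form mirrors lfd's own entries.
SAMPLE_DENY = """\
# csf.deny sample, constructed for this example
203.0.113.5 # lfd: (ftpd) Failed FTP login from 203.0.113.5: 5 in the last 3600 secs
203.0.113.17 # lfd: (ftpd) Failed FTP login from 203.0.113.17: 5 in the last 3600 secs
203.0.113.44 # lfd: (ftpd) Failed FTP login from 203.0.113.44: 5 in the last 3600 secs
203.0.113.90 # manually added
198.51.100.7 # lfd: (ftpd) Failed FTP login from 198.51.100.7: 5 in the last 3600 secs
2001:db8::1 # IPv6 entry, passed through untouched
"""

def parse_deny(text):
    """Split csf.deny content into single IPv4 addresses and everything else."""
    singles, others = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop lfd's trailing comment
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            others.append(entry)  # CSF advanced syntax (tcp|in|d=21|s=...) is kept verbatim
            continue
        if net.version == 4 and net.prefixlen == 32:
            singles.append(net.network_address)
        else:
            others.append(entry)  # IPv6 and existing CIDR ranges are kept verbatim
    return singles, others

def consolidate(text, threshold=4):
    """Apply the thread's heuristic: once `threshold` singles share a /24 (CSF class C),
    replace them with that /24, like LF_NETBLOCK_COUNT does for lfd. Returns
    (kept_singles, new_ranges, passthrough)."""
    singles, others = parse_deny(text)
    by_block = defaultdict(list)
    for ip in singles:
        by_block[ipaddress.ip_network(f"{ip}/24", strict=False)].append(ip)
    kept, ranges = [], []
    for block, ips in sorted(by_block.items()):
        if len(ips) >= threshold:
            ranges.append(str(block))
        else:
            kept.extend(str(ip) for ip in sorted(ips))
    return kept, ranges, others

if __name__ == "__main__":
    print(consolidate(SAMPLE_DENY, threshold=4))
```

Run it against a copy of /etc/csf/csf.deny and review the proposed ranges before writing anything back; a /24 block also covers legitimate users on that network, which is the trade-off quizknows describes.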
  10. Mysticeti

    Thanks quizknows. It's good to know we have another arrow in the quiver should we need it.
     
  11. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    I have had some reports from customers where they are getting an error that the FTP server says "Max of 50 users" and isn't letting them connect. This is when I found the spike of brute force attacks taking place. The bad guys are definitely using distributed IPs and are purposely throttling their password guessing, staying under the radar. I have CSF set to block IPs after a certain number of incorrect login attempts, and they are staying under that level. I've lowered the level at which I block, and also have had to increase the max FTP users to 75 in the pure-ftpd config in WHM.

    - Scott
     