The Community Forums


script to scan for suspicious FTP activity?

Discussion in 'Security' started by qwerty, Nov 29, 2012.

  1. qwerty

    qwerty Well-Known Member

    Joined:
    Jan 21, 2003
    Messages:
    213
    Likes Received:
    0
    Trophy Points:
    16
    I have noticed that every time we have a compromised account (thankfully this is rare), if I scan the /var/log/xferlog you can find dozens of different IPs successfully logging on with that username.

    Does anyone have a script, by any chance, that can scan the xferlog and look for usernames that have logged in X number of times from X number of different IPs within X number of days?

    e.g. more than 2 different IPs logged on to acct 'someone' during the last 30 days

    Or should I pay someone to write something like it? Keep in mind I don't KNOW the username; I want the whole xferlog file scanned and have the script determine if ANY FTP account is being accessed from more than 1 IP address during a specified period of time.
     
  2. nospa

    nospa Well-Known Member

    Joined:
    Apr 23, 2012
    Messages:
    110
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Reseller Owner
    Another useful script would scan the xferlog for IPs from specified countries, and alert or change the FTP password if it finds any suspicious activity.
     
  3. qwerty

    qwerty Well-Known Member

    Joined:
    Jan 21, 2003
    Messages:
    213
    Likes Received:
    0
    Trophy Points:
    16
    Actually, just realized csf has something to stop this, although it's not ideal as it's tied to SMTP distributed attacks, making it less useful.

    Hacked FTP accounts could be accessed by 1 unique IP in 2-3 days, whereas with SMTP it's tons of IPs in a short period of time.

    So ideally, csf should have separate settings for distributed FTP and SMTP attacks (with successful logins). That way I could measure x number of successful FTP logins from x number of unique IPs over say 7 days... and SMTP much stricter, i.e. no more than 2 unique IPs per 24 hours.
     
    #3 qwerty, Nov 29, 2012
    Last edited: Nov 29, 2012
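The scan asked for in post #1 and restated in post #3 (flag any account seen from more than N distinct IPs within a window of D days) is straightforward to write against the standard xferlog record layout. The script below is an added example for this thread, not something posted by qwerty, nospa, or shipped with cPanel or csf. It assumes the wu-ftpd xferlog format (date, transfer seconds, remote host, bytes, filename, then nine fixed trailing fields, of which the fifth is the username); the log lines, usernames and addresses in it are constructed sample data. Note that xferlog records completed and aborted transfers rather than logins, so each line is evidence of an authenticated session from that address, which is what the thread is actually looking for.

```python
"""Scan an xferlog for FTP accounts used from more than N distinct client IPs
within a window of D days.  Added example for the thread above; the sample log
lines below are constructed, not taken from any real server."""
from collections import defaultdict
from datetime import datetime, timedelta

# wu-ftpd xferlog layout (also written by Pure-FTPd / ProFTPd on cPanel hosts):
#   <wday> <mon> <dd> <HH:MM:SS> <yyyy> <xfer-secs> <remote-host> <bytes> <filename>
#   <type> <special> <direction> <mode> <username> <service> <auth> <auth-uid> <status>
# The filename may contain spaces, so the trailing nine fields are taken from the
# right-hand end of the line rather than by fixed position.
TRAILING_FIELDS = 9
MIN_TOKENS = 5 + 3 + 1 + TRAILING_FIELDS  # date(5) + secs,host,bytes + filename + trailing


def parse_xferlog_line(line):
    """Return (timestamp, remote_host, username, status) or None for lines that
    do not match the xferlog layout (garbage, truncated writes, blank lines)."""
    tokens = line.split()
    if len(tokens) < MIN_TOKENS:
        return None
    try:
        ts = datetime.strptime(" ".join(tokens[:5]), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    remote_host = tokens[6]
    trailing = tokens[-TRAILING_FIELDS:]
    username, status = trailing[4], trailing[8]
    return ts, remote_host, username, status


def accounts_over_ip_threshold(lines, max_ips=1, days=30, now=None):
    """Return {username: sorted list of client IPs} for every account that was
    used from MORE than `max_ips` distinct addresses during the last `days` days.
    Every parsable line counts, because even an aborted transfer proves the
    client authenticated as that user from that address."""
    now = now or datetime.now()
    cutoff = now - timedelta(days=days)
    ips_by_user = defaultdict(set)
    for line in lines:
        parsed = parse_xferlog_line(line)
        if parsed is None:
            continue
        ts, host, user, _status = parsed
        if ts < cutoff:
            continue  # outside the window the admin asked about
        ips_by_user[user].add(host)
    return {user: sorted(ips) for user, ips in ips_by_user.items() if len(ips) > max_ips}


def scan_xferlog_file(path, max_ips=1, days=30, now=None):
    """Convenience wrapper: run the scan over a log file on disk (e.g. /var/log/xferlog)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return accounts_over_ip_threshold(fh, max_ips=max_ips, days=days, now=now)


# Constructed sample log: 'someone' is used from three addresses inside a month,
# 'bob' from one address recently and a second one 40 days earlier.
SAMPLE_XFERLOG = [
    "Thu Nov 29 10:15:03 2012 1 192.0.2.10 4096 /home/someone/public_html/index.php b _ i r someone ftp 0 * c",
    "Thu Nov 29 11:02:44 2012 1 198.51.100.7 512 /home/someone/public_html/js/main.js b _ o r someone ftp 0 * c",
    "Wed Nov 28 09:30:00 2012 2 203.0.113.5 2048 /home/someone/public_html/my file.html b _ i r someone ftp 0 * c",
    "Wed Nov 28 12:00:00 2012 1 192.0.2.10 1024 /home/bob/public_html/index.html b _ i r bob ftp 0 * c",
    "Sat Oct 20 08:00:00 2012 1 198.51.100.99 100 /home/bob/stale.txt b _ i r bob ftp 0 * i",
    "not an xferlog line at all",
]
# Constructed reference time so the sample scan is reproducible (a real run uses datetime.now()).
REFERENCE_TIME = datetime(2012, 11, 29, 23, 59, 59)


if __name__ == "__main__":
    flagged = accounts_over_ip_threshold(SAMPLE_XFERLOG, max_ips=1, days=30, now=REFERENCE_TIME)
    for user, ips in sorted(flagged.items()):
        print(f"{user}: {len(ips)} distinct IPs in last 30 days -> {', '.join(ips)}")
```

With the defaults (more than 1 IP in 30 days) only `someone` is reported; widening the window to 60 days also catches `bob`, which is the trade-off qwerty describes in post #3: a slow, single-IP abuse of a stolen password only shows up with a longer window and a low IP threshold, while the SMTP-style burst needs a short window. Running `scan_xferlog_file("/var/log/xferlog", max_ips=1, days=7)` from cron and mailing a non-empty result gives the alert asked for without depending on csf's combined SMTP/FTP setting.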