markb14391

Hi,

I'm wondering if anyone has experienced (and successfully thwarted) an attack like we're seeing.

Clients are unable to login to FTP: "421 50 users (the maximum) are already logged in, sorry". However, this box has far more FTP slots than clients, so I know this isn't just a case of all slots being full from legitimate use.

So I check the active FTP connections:

Code:
ps aux | grep ftp
root     25877  0.0  0.0   6424  1564 ?        Ss   20:08   0:00 pure-ftpd (SERVER)
root     25879  0.0  0.0   6152  1228 ?        S    20:08   0:00 /usr/sbin/pure-authd -s /var/run/ftpd.sock -r /usr/sbin/pureauth
root     26313  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26314  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26315  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26316  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26319  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26320  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26321  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26322  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26323  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26324  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26335  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26336  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26337  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26338  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26343  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26344  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26345  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26346  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26347  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26348  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26349  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26350  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26351  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26352  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26353  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26354  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26360  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26361  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26366  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26367  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26368  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26369  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26370  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26371  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26372  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26373  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26375  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26376  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26377  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26378  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26379  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26380  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26381  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26382  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26383  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26384  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26385  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26386  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26390  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26391  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26394  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26395  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26441  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26442  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26456  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26457  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26462  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26463  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26477  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26478  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26493  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26494  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26511  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26512  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26521  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26522  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26532  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26533  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     27694  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     27695  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     27699  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     27701  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     27988  0.0  0.0   6428   824 ?        S    20:10   0:00 pure-ftpd (IDLE)
root     27989  0.0  0.0   6428   624 ?        S    20:10   0:00 pure-ftpd (PRIV)
root     28243  0.0  0.0   6428   824 ?        S    20:10   0:00 pure-ftpd (IDLE)
root     28244  0.0  0.0   6428   624 ?        S    20:10   0:00 pure-ftpd (PRIV)
root     28270  0.0  0.0   6428   824 ?        S    20:10   0:00 pure-ftpd (IDLE)
root     28271  0.0  0.0   6428   624 ?        S    20:10   0:00 pure-ftpd (PRIV)
root     28294  0.0  0.0   6428   824 ?        S    20:10   0:00 pure-ftpd (IDLE)
root     28295  0.0  0.0   6428   624 ?        S    20:10   0:00 pure-ftpd (PRIV)
root     28297  0.0  0.0   6428   824 ?        S    20:10   0:00 pure-ftpd (IDLE)
root     28298  0.0  0.0   6428   624 ?        S    20:10   0:00 pure-ftpd (PRIV)
root     28299  0.0  0.0   6428   824 ?        S    20:10   0:00 pure-ftpd (IDLE)
root     28300  0.0  0.0   6428   624 ?        S    20:10   0:00 pure-ftpd (PRIV)
root     28302  0.0  0.0   3100   764 pts/0    S+   20:10   0:00 grep ftp
And the connections are from a variety of IP addresses, all of which seem to be from Asia:

Code:
netstat -tpn | grep pure-ftpd | awk '{print $5}' | cut -d":" -f1 | sort | uniq -c | sort -nr
      1 61.153.159.62
      1 61.142.208.237
      1 60.23.50.66
      1 59.53.154.243
      1 59.49.78.88
      1 59.172.98.96
      1 49.113.251.232
      1 222.88.93.117
      1 222.81.42.45
      1 222.243.108.48
      1 222.217.151.62
      1 222.168.46.170
      1 221.202.243.3
      1 220.178.57.138
      1 220.167.214.131
      1 219.149.44.238
      1 218.76.174.55
      1 218.201.103.154
      1 183.66.192.134
      1 183.12.151.142
      1 182.150.60.249
      1 182.130.135.94
      1 180.124.215.152
      1 180.106.12.79
      1 14.112.145.154
      1 125.93.78.229
      1 125.71.143.97
      1 124.88.97.167
      1 123.93.149.49
      1 123.182.197.10
      1 122.232.32.70
      1 122.158.172.250
      1 121.205.185.245
      1 121.12.249.153
      1 120.69.190.0
      1 120.40.206.149
      1 119.86.125.227
      1 117.69.52.151
      1 116.30.246.155
      1 114.238.51.228
      1 113.87.63.95
      1 113.81.27.186
      1 113.78.11.49
      1 113.218.87.33
      1 113.139.82.37
      1 111.72.145.83
      1 111.113.136.41
      1 110.189.88.115
      1 110.152.41.87
However, the odd things are:

  • All the connections show "root"; and
  • CSF/LFD or CPHulk did not report any failed login attempts.

I opened a ticket with cPanel, and they told me that the connections show "root" because the users have not even logged in yet. And there are no CSF/LFD/BFD reports because the attackers apparently didn't even try to log in.

So I don't know what they are trying to do, or what they are gaining by taking up all slots without actually trying to log in (if that is indeed what is happening).

Even days later, we can't turn on FTP without this happening again.

Any ideas?

Thanks,

Mark
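An added example (not from the thread, cPanel or pure-ftpd): a Python script that applies the same reasoning as the two listings above, counting pure-ftpd sessions that have not authenticated and the distinct source IPs holding them, and flagging the case where the connection slots are full but almost none of the sessions ever logged in. It assumes, as cPanel explained in the ticket, that a "(IDLE)" title under root is a pre-authentication session, that "(PRIV)" is the privilege-separation helper paired with each session rather than a slot of its own, and that an authenticated session shows a "user@host" title; the sample `ps aux` and `netstat -tpn` output is constructed.

```python
import re
from collections import Counter

# Process titles as pure-ftpd sets them. Per cPanel's explanation in the thread, a
# session shown as "(IDLE)" under root has not authenticated yet; "(PRIV)" is the
# privilege-separation helper paired with each session, not a client slot of its own.
# Treating any other "(user@host)" title as an authenticated session is an assumption
# made for this example.
PS_TITLE = re.compile(r"pure-ftpd \((?P<title>[^)]*)\)\s*$")
# netstat -tpn columns: proto recv-q send-q local remote state pid/program (IPv4 only here)
NETSTAT_LINE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+(?P<prog>.+)$"
)


def classify_sessions(ps_output):
    """Count pure-ftpd processes by kind: server, helper, preauth, authenticated."""
    kinds = Counter()
    for line in ps_output.splitlines():
        m = PS_TITLE.search(line)
        if not m:
            continue  # pure-authd, the grep itself, anything else
        title = m.group("title")
        if title == "SERVER":
            kinds["server"] += 1
        elif title == "PRIV":
            kinds["helper"] += 1
        elif title == "IDLE":
            kinds["preauth"] += 1
        else:
            kinds["authenticated"] += 1
    return kinds


def remote_ips(netstat_output, ftp_port=21):
    """Count ESTABLISHED pure-ftpd control connections per remote IP, i.e. what the
    netstat | awk | sort | uniq -c pipeline in the post computes."""
    counts = Counter()
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line.strip())
        if not m or m.group("state") != "ESTABLISHED" or "/pure-ftpd" not in m.group("prog"):
            continue
        if int(m.group("local").rsplit(":", 1)[1]) != ftp_port:
            continue
        counts[m.group("remote").rsplit(":", 1)[0]] += 1
    return counts


def assess(ps_output, netstat_output, max_connections, preauth_ratio=0.8):
    """Flag slot exhaustion caused mostly by sessions that never authenticate."""
    kinds = classify_sessions(ps_output)
    ips = remote_ips(netstat_output)
    slots_used = kinds["preauth"] + kinds["authenticated"]
    preauth_share = kinds["preauth"] / slots_used if slots_used else 0.0
    return {
        "slots_used": slots_used,
        "preauth": kinds["preauth"],
        "authenticated": kinds["authenticated"],
        "distinct_ips": len(ips),
        "max_per_ip": max(ips.values(), default=0),
        "suspect": slots_used >= max_connections and preauth_share >= preauth_ratio,
    }


# Constructed sample output (documentation IP ranges), shaped like the post's listings.
SAMPLE_PS = """\
root     25877  0.0  0.0   6424  1564 ?        Ss   20:08   0:00 pure-ftpd (SERVER)
root     25879  0.0  0.0   6152  1228 ?        S    20:08   0:00 /usr/sbin/pure-authd -s /var/run/ftpd.sock -r /usr/sbin/pureauth
root     26313  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26314  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26315  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26316  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26319  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26320  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     26321  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
root     26322  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
alice    26330  0.0  0.0   6428   900 ?        S    20:09   0:00 pure-ftpd (alice@198.51.100.9)
root     26331  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
root     28302  0.0  0.0   3100   764 pts/0    S+   20:10   0:00 grep ftp
"""
SAMPLE_NETSTAT = """\
tcp        0      0 192.0.2.5:21            203.0.113.10:40211      ESTABLISHED 26313/pure-ftpd
tcp        0      0 192.0.2.5:21            203.0.113.11:40212      ESTABLISHED 26315/pure-ftpd
tcp        0      0 192.0.2.5:21            203.0.113.12:40213      ESTABLISHED 26319/pure-ftpd
tcp        0      0 192.0.2.5:21            203.0.113.13:40214      ESTABLISHED 26321/pure-ftpd
tcp        0      0 192.0.2.5:21            198.51.100.9:51000      ESTABLISHED 26330/pure-ftpd
tcp        0      0 192.0.2.5:22            198.51.100.20:52000     ESTABLISHED 1200/sshd
tcp        0      0 192.0.2.5:21            203.0.113.14:40215      TIME_WAIT   -
"""


def example():
    """Evaluate the constructed sample against a Maximum Connections setting of 5."""
    return assess(SAMPLE_PS, SAMPLE_NETSTAT, max_connections=5)


if __name__ == "__main__":
    print(example())
```

On a live box the two strings would come from `ps aux` and `netstat -tpn`; a high `distinct_ips` with `max_per_ip` of 1 is why the "Maximum Connections Per IP Address" setting alone does not relieve the pressure.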
 

markb14391

Hi Infopro,

Can you post that ticket number please?
1895390

Do you allow anonymous FTP?
No.

What are your settings here:
WHM > Service Configuration > FTP Server Configuration
No settings now as we still have FTP disabled. But the last settings were:

TLS Encryption Support: Required (Command/Data)
TLS Cipher Suite: HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
Allow Anonymous Logins: No
Allow Anonymous Uploads: No
Maximum Idle Time (minutes): 1 (was originally set higher, but I tried lower setting to mitigate this)
Maximum Connections: 50 (have tried various settings, but the slots always fill up immediately)
Maximum Connections Per IP Address: 1 (was set at the default...forget what that was...but I lowered it in response to this)
Allow Logins with Root Password: No
Broken Clients Compatibility: No

All other settings were always at those values (e.g., we never allowed anonymous FTP).

BTW, if I try to activate FTP now, I get an error message...although it does seem to start, as evidenced by the return of the "421 50 users (the maximum) are already logged in, sorry" message.

Thanks,

Mark
 

Infopro

Have you considered changing FTP ports to troubleshoot this? There are multiple threads on this topic around the forums like this one. I'd be interested to see if what was referred to in your ticket as possibly a mild attack moves with that port change.

For example, you change ports, contact your customers and explain what's going on, and the attacks continue: is this some sort of malware on one of your legit users' computers?

I'm just guessing of course. As with suggesting tighter settings in CSF to provide more feedback with this.


I suggest you hire an expert if needed to help take a much closer look at this:
Security « Application Catalog
 

markb14391
Have you considered changing FTP ports to troubleshoot this?
We may do this. Since few clients use FTP, it wouldn't be the end of the world. However, my hunch is that, if these hackers have effective port scanners, they'll find the new port in just a moment.

For example you change ports, contact your customers and explain whats going on and the attacks continue, is this some sort of malware on one of your legit users computers?
An interesting idea, though I have no idea how this could be diagnosed.

I'm just guessing of course. As with suggesting tighter settings in CSF to provide more feedback with this.
Can you suggest tighter CSF settings that might help? I couldn't find anything that looked like it might help.

Most importantly, I can't figure out what the attackers could gain from this...just tying up connections but (apparently) not trying to log in?

Thanks,

Mark
 

Infopro
We may do this. Since few clients use FTP, it wouldn't be the end of the world. However, my hunch is that, if these hackers have effective port scanners, they'll find the new port in just a moment.
CSF has port scan tracking settings to slow them down.

An interesting idea, though I have no idea how this could be diagnosed.
As suggested change the port and close the old one. I have no idea if that will be helpful, just thinking out loud really.

Can you suggest tighter CSF settings that might help? I couldn't find anything that looked like it might help.
I suggest you contact someone on the list at the link above. ConfigServer is listed there and does have multiple cPanel service packages offered on his site.

Most importantly, I can't figure out what the attackers could gain from this...just tying up connections but (apparently) not trying to log in?

Thanks,

Mark
We can guess at the motives all day, but we'd only be guessing.

Also, any idea about the FTP error message?
Take your pick:

Error 421 Service not available, closing control connection.
Error 421 User limit reached
Error 421 You are not authorized to make the connection
Error 421 Max connections reached
Error 421 Max connections exceeded
 

Metro2
Hi Mark,

Did you ever find a solution to this "421 50 users (the maximum) are already logged in, sorry" problem?

This just started happening on all of my servers on July 11th after a cPanel update, but after opening a ticket with cPanel they said it appears to be a problem with CSF settings, despite the fact that I haven't changed any CSF settings and it's happening on servers that I've had for years without ever encountering this problem.

We confirmed that it was not my actual users (since at any given time there would be no more than 10 users using FTP on any of my servers) but rather, the server hanging on to failed FTP attempts from random bogus login attempts from around the world.

So I contacted ConfigServer about it and they say they've never seen this phenomenon occur in relation to CSF at all.

I'm rather stuck as it's happening over 20 times a day on all servers and interrupting the few valid user FTP sessions, so in desperation for a solution I'm replying to this 4 year old thread that seems to have never had a final solution.

Thanks for any replies and input!
 

quizknows
This generally has to do with times of heavy brute force attacks: all the attackers guessing passwords will eat up your available connections for your clients. Botnets have been working hard this week; I've seen a serious increase of traffic for both FTP and WordPress brute forcing. This isn't a CSF issue, just a setting of the FTP server for how many connections to allow. To fix it, in WHM just go to
Home » Service Configuration » FTP Server Configuration

and raise the Maximum Connections setting. You may consider tightening up the number of failed attempts before an IP is blocked as well in the CSF conf.
 

Metro2

quizknows, I truly appreciate your reply!

I really had / have my doubts that this is a CSF issue at all.

Thank you for your recommendations. I can certainly raise the max FTP connections from 50 to something higher in WHM, despite it being set to 50 in all the years I've had my servers. Makes me a little nervous to raise it because I wonder how it will affect resources, but I'll bump it to 100 to see if that helps.

Also, I currently have the following relevant settings in my CSF:

Code:
# Enable login failure detection of ftp connections
LF_FTPD = 10
LF_FTPD_PERM = 1

# Distributed Account Attack.
LF_DISTATTACK = 1

# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTATTACK
LF_DISTATTACK_UNIQ = 2

# Distributed FTP Logins.
LF_DISTFTP = 5

# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work
LF_DISTFTP_UNIQ = 3

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds:
LF_DISTFTP_PERM = 1

Been set like that for years.
Do you think my settings are good or do you think any of the above need to be adjusted?

Thanks very much for your reply and input!
 

quizknows
Everything looks good, but I would probably lower LF_FTPD to 5 (from 10) until these attacks slow down a bit.

As long as you have a decent server, you should not notice much issue allowing more connections. It's just going to be rejecting passwords, which is not really resource intensive.
 

Metro2

Thanks again!

Raised max connections to 100, lowered LF_FTPD to 5.

Will report back results in 24 hours in case this info is of any help to anyone else.
 

Metro2
Just for the sake of anyone else who might be running into this issue or following this thread for an outcome, I have an update regarding the setting changes that quizknows suggested as well as an update from cPanel as to why they believe that this issue is at least related to CSF in some way.

So far, since I raised the max FTP connections to 100 and lowered LF_FTPD to 5 and also lowered LF_PERMBLOCK_COUNT down to 3 (so that 3 temp blocks in 24 hours will perm block an IP) I have seen a significant reduction in these brief ftpd interruptions.

I think quizknows is spot-on in regard to it being a recent increase in botnet activity, because after thoroughly examining everything I'm seeing that:

A.) The instances of "distributed ftpd attack" alerts from CSF for July are literally 20 times higher than they were in June and

B.) The majority of the distributed ftpd attacks are coming from Russian and Ukrainian IPs

So while I don't want to go as far as blocking entire countries, what I have been doing to further combat the problem is studying the most common IP ranges and then adding them to the CSF Deny list by range, for example xxx.xxx.xxx.xxx/22

Now in regard to the CSF part...

Since I've had my doubts about CSF being the actual culprit, and ConfigServer Support reports to me that they haven't received any other reports of this phenomenon (and considering the large number of hosts running CSF out there), they say that if anything it is more likely an iptables issue, since CSF is mainly just a way to configure iptables. I don't modify CSF too far from its defaults, so it could be tricky for me to track down an odd setting, if it's a setting at all. CS did suggest perhaps disabling connection tracking (which makes sense to me, since connection tracking needs to hang onto info for the purpose of tracking, so I'll probably try that out in the coming days).

Also since I had my doubts about it being a CSF issue, I asked the cPanel tech who was handling my ticket if he wouldn't mind explaining how & why he determined the problem to be related to CSF, and here's what he very kindly provided me with:

I was able to recreate this issue and determine CSF to be the likely cause by comparing the behavior of FTP with CSF on and off within a similar timeframe. To do this, you can turn CSF off:
Code:
csf -x

Then kill any lingering FTP processes:
Code:
ps aux|grep ftp|awk '{print "kill "$2}'|sh

Restart it:
Code:
/etc/init.d/pure-ftpd start

Then watch the FTP status:
Code:
watch /etc/init.d/pure-ftpd status

Once you've determined the behavior is not presenting itself, you can enable CSF, kill and restart FTP, then review the connections once more by simply doing the above steps. With CSF enabled the connections do not appear to close properly, whereas with CSF disabled the connections are closing properly.
So in the end I'm still doing a bit of chasing my tail, trying to take all of this information in and process it, do comparisons, etc., but adjusting some settings as described further above has definitely made a positive difference. So at least now I can confirm that in my case the problem is a recent large spike in distributed ftpd attacks from Russian / Ukrainian IPs, and that settings can be changed to help quell the issue.

I hope this info can help someone else someday.
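The range-based denying described in this post (studying the most common offending ranges and adding them to csf.deny as a /22) can be driven from lfd's own block notices. The script below is an added example, not code from the thread or from ConfigServer; it assumes the usual "(ftpd) Failed FTP login from ... *Blocked in csf* [LF_FTPD]" wording in /var/log/lfd.log, and the sample lines and TEST-NET addresses in it are constructed. It also tallies blocks per country code so that a CC_DENY decision like the one later in this thread can be checked against the actual numbers.

```python
"""Aggregate LFD's ftpd block notices into CIDR ranges for csf.deny.

Added example, not from the thread or ConfigServer.  It assumes the usual
/var/log/lfd.log wording for LF_FTPD blocks; the sample lines and addresses
(RFC 5737 TEST-NET ranges) are constructed.
"""
import re
from collections import Counter
from ipaddress import ip_network
from typing import Iterator

# Constructed sample of lfd.log lines (not taken from the thread).
SAMPLE_LFD_LOG = """\
Jul 14 03:12:55 srv1 lfd[4021]: (ftpd) Failed FTP login from 203.0.113.5 (RU/Russia/-): 5 in the last 3600 secs - *Blocked in csf* [LF_FTPD]
Jul 14 03:13:10 srv1 lfd[4021]: (ftpd) Failed FTP login from 203.0.113.77 (RU/Russia/-): 5 in the last 3600 secs - *Blocked in csf* [LF_FTPD]
Jul 14 03:14:02 srv1 lfd[4021]: (ftpd) Failed FTP login from 203.0.114.9 (UA/Ukraine/-): 5 in the last 3600 secs - *Blocked in csf* [LF_FTPD]
Jul 14 03:20:41 srv1 lfd[4021]: (ftpd) Failed FTP login from 198.51.100.20 (KZ/Kazakhstan/-): 5 in the last 3600 secs - *Blocked in csf* [LF_FTPD]
Jul 14 03:22:17 srv1 lfd[4021]: (ftpd) Failed FTP login from 203.0.115.200 (RU/Russia/-): 5 in the last 3600 secs - *Blocked in csf* [LF_FTPD]
Jul 14 03:25:00 srv1 lfd[4021]: (sshd) Failed SSH login from 192.0.2.1 (US/United States/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
"""

# Service, source IP and the two-letter country code lfd prints after the IP.
BLOCK_RE = re.compile(
    r"lfd\[\d+\]: \((?P<svc>\w+)\) Failed \w+ login from (?P<ip>[\d.]+) "
    r"\((?P<cc>[A-Z-]+)/"
)


def blocked_ftp_ips(log_text: str) -> Iterator[tuple[str, str]]:
    """Yield (ip, country_code) for each ftpd block notice; other services are skipped."""
    for line in log_text.splitlines():
        m = BLOCK_RE.search(line)
        if m and m.group("svc") == "ftpd":
            yield m.group("ip"), m.group("cc")


def countries(log_text: str) -> dict[str, int]:
    """Blocks per country code, to check a CC_DENY decision against the data."""
    return dict(Counter(cc for _ip, cc in blocked_ftp_ips(log_text)))


def ranges_to_deny(log_text: str, prefixlen: int = 22, min_hits: int = 3) -> dict[str, int]:
    """Map each /prefixlen network holding >= min_hits blocked IPs to its hit count."""
    hits: Counter = Counter()
    for ip, _cc in blocked_ftp_ips(log_text):
        # strict=False so a host address is widened to its containing network
        hits[str(ip_network(f"{ip}/{prefixlen}", strict=False))] += 1
    return {net: n for net, n in hits.items() if n >= min_hits}


def csf_deny_lines(log_text: str, prefixlen: int = 22, min_hits: int = 3) -> list[str]:
    """Lines in the 'address/len # comment' form csf.deny accepts, busiest range first."""
    ranked = sorted(ranges_to_deny(log_text, prefixlen, min_hits).items(),
                    key=lambda kv: (-kv[1], kv[0]))
    return [f"{net} # {n} ftpd brute-force blocks in this range" for net, n in ranked]


if __name__ == "__main__":
    print(countries(SAMPLE_LFD_LOG))
    print("\n".join(csf_deny_lines(SAMPLE_LFD_LOG)))
```

On the sample, the four Russian and Ukrainian sources collapse into one 203.0.112.0/22 entry while the single Kazakh source stays below the threshold. A /22 is 1024 addresses, so check whois on a candidate range before appending the output to csf.deny; like CC_DENY, a range block trades some legitimate access for fewer stranded connections.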
 

cPanelMichael
So far, since I raised the max FTP connections to 100 and lowered LF_FTPD to 5 and also lowered LF_PERMBLOCK_COUNT down to 3 (so that 3 temp blocks in 24 hours will perm block an IP) I have seen a significant reduction in these brief ftpd interruptions.
Hello :)

Thank you for taking the time to report your results back to this thread. We appreciate the feedback.
 

Metro2

You're welcome cPanelMichael. Sometimes there's nothing more frustrating than finding an existing thread about a problem you're having only to find that nobody followed up with solutions, so I always try to update with whatever info I can pass along to the next person.
 

Metro2

Well, after they decided to ramp up the attacks, I've decided that the benefits of using CSF far outweigh any negatives, and after getting sick of my phone ringing all Sunday morning I've made a decision:

CC_DENY = RU,KZ,UA

Sad that it has to be that way these days.
 

hostingmundial
We have the same problem, and we're not sure if it's related to cPanel, but we also updated to 11.50.0 (build 27) a few days ago, and it's the first time we have ever experienced this kind of attack (at least in this particular way and magnitude).

CSF blocked lots of IPs from Russia, Ukraine and Kazakhstan, among a few other countries.

We have also chosen this temporary decision: CC_DENY = RU,KZ,UA
 

steadramon
Now in regard to the CSF part...

Since I've had my doubts about CSF being the actual culprit, and ConfigServer Support reports to me that they haven't received any other reports of this phenomenon (and considering the large number of hosts running CSF out there), they say that if anything it is more likely an iptables issue, since CSF is mainly just a way to configure iptables. I don't modify CSF too far from its defaults, so it could be tricky for me to track down an odd setting, if it's a setting at all. CS did suggest perhaps disabling connection tracking (which makes sense to me, since connection tracking needs to hang onto info for the purpose of tracking, so I'll probably try that out in the coming days).

Also since I had my doubts about it being a CSF issue, I asked the cPanel tech who was handling my ticket if he wouldn't mind explaining how & why he determined the problem to be related to CSF, and here's what he very kindly provided me with:
We've experienced this recently too, here's my take on the situation:
  • Remote IP tries bad username/password combo against pure-ftpd
  • CSF/LFD detects this and blocks said IP address in the server firewall
  • pure-ftpd has to wait for 15 minutes (default) for an idle timeout
Code:
[email protected] [~]# grep Idle /etc/pure-ftpd.conf
MaxIdleTime 15
None of our pure-ftpd processes are around for more than 15 minutes, but this blocking done by CSF causes all traffic to/from the remote IP to be blocked, so the timeout has to kick in before the daemon gets rid of this connection.

As a measure we have increased the max concurrent FTP connections and lowered the MaxIdleTime for pure-ftpd
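The mechanism in this post (a failed login, an LFD block, and a connection stranded until MaxIdleTime) and the two knobs quizknows recommended earlier in the thread (Maximum Connections and the LF_FTPD threshold) can be put into a small model. This is an added example, not code from the thread, cPanel or ConfigServer. It assumes that every bad login comes from an IP LFD then blocks, so pure-ftpd frees that slot only when MaxIdleTime expires, that arrivals are evenly spaced, and that the attack and client rates used are made up.

```python
"""Model of how firewall-blocked brute-force clients exhaust pure-ftpd slots.

Added example (not code from the thread, cPanel or ConfigServer).  Assumed
mechanism, per the discussion: every bad login comes from an IP that LFD then
blocks in iptables, so the daemon never sees that client's FIN/RST and only
frees the slot when MaxIdleTime expires.  The rates below are made up.
"""
import heapq
from dataclasses import dataclass


@dataclass
class Result:
    peak_in_use: int      # most simultaneous pure-ftpd (IDLE)/(PRIV) children
    legit_attempts: int
    legit_rejected: int   # logins that would have got "421 ... already logged in"


def simulate(max_clients: int, max_idle_min: float, bad_logins_per_min: float,
             legit_per_min: float = 1.0, legit_session_min: float = 1.5,
             duration_min: float = 60.0) -> Result:
    """Deterministic event-driven model of the daemon's connection table.

    Bad logins arrive evenly spaced and each holds a slot for MaxIdleTime
    (the firewall block strands the connection).  Legitimate clients arrive
    evenly spaced, offset by half an interval, and log out cleanly after
    legit_session_min.  All times are kept in whole seconds.
    """
    idle_s = round(max_idle_min * 60)
    session_s = round(legit_session_min * 60)
    bad_gap = round(60 / bad_logins_per_min)
    legit_gap = round(60 / legit_per_min)
    duration_s = round(duration_min * 60)

    arrivals = [(t, "bad") for t in range(0, duration_s, bad_gap)]
    arrivals += [(t, "legit") for t in range(legit_gap // 2, duration_s, legit_gap)]
    arrivals.sort()  # on a tie "bad" sorts first: the bot grabs a freed slot first

    releases: list = []  # min-heap of times at which a held slot frees up
    peak = legit_attempts = legit_rejected = 0
    for now, kind in arrivals:
        while releases and releases[0] <= now:   # expire finished sessions
            heapq.heappop(releases)
        if kind == "legit":
            legit_attempts += 1
        if len(releases) >= max_clients:         # table full -> 421
            if kind == "legit":
                legit_rejected += 1
            continue
        hold = idle_s if kind == "bad" else session_s
        heapq.heappush(releases, now + hold)
        peak = max(peak, len(releases))
    return Result(peak, legit_attempts, legit_rejected)


if __name__ == "__main__":
    # The thread's original settings versus the two changes people reported helping.
    for label, args in [
        ("MaxClientsNumber 50, MaxIdleTime 15", dict(max_clients=50, max_idle_min=15)),
        ("MaxClientsNumber 100, MaxIdleTime 15", dict(max_clients=100, max_idle_min=15)),
        ("MaxClientsNumber 100, MaxIdleTime 1", dict(max_clients=100, max_idle_min=1)),
    ]:
        r = simulate(bad_logins_per_min=5, **args)
        print(f"{label}: peak {r.peak_in_use}, legit rejected "
              f"{r.legit_rejected}/{r.legit_attempts}")
```

With bad logins at five per minute, the 50-slot table is full about ten minutes into the run and every later legitimate login is refused, which matches the "slots always fill up immediately" symptom from the start of the thread. The steady state follows Little's law: stranded slots are roughly the block rate times MaxIdleTime, so 5/min × 15 min needs 75 slots, while cutting MaxIdleTime to one minute leaves only five stranded. Lowering LF_FTPD shortens the run of bad logins before the block but still strands one connection per blocked IP, which is why it helps less than the idle timeout does.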
 

cPanelMichael

We're not sure if it's related to cPanel but we also updated to 11.50.0 (build 27) a few days ago
To clarify, this isn't an issue with the cPanel/WHM software itself, but rather it's likely stemming from a recent increase in botnet activity.

Thank you.