The Community Forums

Interact with an entire community of cPanel & WHM users!
Strange FTP Attack

Discussion in 'Security' started by markb14391, Sep 26, 2011.

  1. markb14391

    markb14391 Well-Known Member

    Hi,

    I'm wondering if anyone has experienced (and successfully thwarted) an attack like we're seeing.

    Clients are unable to log in to FTP: "421 50 users (the maximum) are already logged in, sorry". However, this box has far more FTP slots than clients, so I know this isn't just a case of all slots being full from legitimate use.

    So I check the active FTP connections:

    Code:
    ps aux | grep ftp
    root     25877  0.0  0.0   6424  1564 ?        Ss   20:08   0:00 pure-ftpd (SERVER)
    root     25879  0.0  0.0   6152  1228 ?        S    20:08   0:00 /usr/sbin/pure-authd -s /var/run/ftpd.sock -r /usr/sbin/pureauth
    root     26313  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26314  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26315  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26316  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26319  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26320  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26321  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26322  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26323  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26324  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26335  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26336  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26337  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26338  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26343  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26344  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26345  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26346  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26347  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26348  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26349  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26350  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26351  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26352  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26353  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26354  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26360  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26361  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26366  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26367  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26368  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26369  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26370  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26371  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26372  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26373  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26375  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26376  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26377  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26378  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26379  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26380  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26381  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26382  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26383  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26384  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26385  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26386  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26390  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26391  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26394  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26395  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26441  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26442  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26456  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26457  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26462  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26463  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26477  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26478  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26493  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26494  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26511  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26512  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26521  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26522  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     26532  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     26533  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     27694  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     27695  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     27699  0.0  0.0   6428   824 ?        S    20:09   0:00 pure-ftpd (IDLE)
    root     27701  0.0  0.0   6428   624 ?        S    20:09   0:00 pure-ftpd (PRIV)
    root     27988  0.0  0.0   6428   824 ?        S    20:10   0:00 pure-ftpd (IDLE)
    root     27989  0.0  0.0   6428   624 ?        S    20:10   0:00 pure-ftpd (PRIV)
    root     28243  0.0  0.0   6428   824 ?        S    20:10   0:00 pure-ftpd (IDLE)
    root     28244  0.0  0.0   6428   624 ?        S    20:10   0:00 pure-ftpd (PRIV)
    root     28270  0.0  0.0   6428   824 ?        S    20:10   0:00 pure-ftpd (IDLE)
    root     28271  0.0  0.0   6428   624 ?        S    20:10   0:00 pure-ftpd (PRIV)
    root     28294  0.0  0.0   6428   824 ?        S    20:10   0:00 pure-ftpd (IDLE)
    root     28295  0.0  0.0   6428   624 ?        S    20:10   0:00 pure-ftpd (PRIV)
    root     28297  0.0  0.0   6428   824 ?        S    20:10   0:00 pure-ftpd (IDLE)
    root     28298  0.0  0.0   6428   624 ?        S    20:10   0:00 pure-ftpd (PRIV)
    root     28299  0.0  0.0   6428   824 ?        S    20:10   0:00 pure-ftpd (IDLE)
    root     28300  0.0  0.0   6428   624 ?        S    20:10   0:00 pure-ftpd (PRIV)
    root     28302  0.0  0.0   3100   764 pts/0    S+   20:10   0:00 grep ftp
    And the connections are from a variety of IP addresses, all of which seem to be from Asia:

    Code:
    netstat -tpn | grep pure-ftpd | awk '{print $5}' | cut -d":" -f1 | sort | uniq -c | sort -nr
          1 61.153.159.62
          1 61.142.208.237
          1 60.23.50.66
          1 59.53.154.243
          1 59.49.78.88
          1 59.172.98.96
          1 49.113.251.232
          1 222.88.93.117
          1 222.81.42.45
          1 222.243.108.48
          1 222.217.151.62
          1 222.168.46.170
          1 221.202.243.3
          1 220.178.57.138
          1 220.167.214.131
          1 219.149.44.238
          1 218.76.174.55
          1 218.201.103.154
          1 183.66.192.134
          1 183.12.151.142
          1 182.150.60.249
          1 182.130.135.94
          1 180.124.215.152
          1 180.106.12.79
          1 14.112.145.154
          1 125.93.78.229
          1 125.71.143.97
          1 124.88.97.167
          1 123.93.149.49
          1 123.182.197.10
          1 122.232.32.70
          1 122.158.172.250
          1 121.205.185.245
          1 121.12.249.153
          1 120.69.190.0
          1 120.40.206.149
          1 119.86.125.227
          1 117.69.52.151
          1 116.30.246.155
          1 114.238.51.228
          1 113.87.63.95
          1 113.81.27.186
          1 113.78.11.49
          1 113.218.87.33
          1 113.139.82.37
          1 111.72.145.83
          1 111.113.136.41
          1 110.189.88.115
          1 110.152.41.87
    However, the odd things are:

    • All the connections show "root"; and
    • CSF/LFD or CPHulk did not report any failed login attempts.

    I opened a ticket with cPanel, and they told me that the connections show "root" because the users have not even logged in yet. And there are no CSF/LFD/BFD reports because the attackers apparently didn't even try to log in.

    So I don't know what they are trying to do, or what they are gaining by taking up all slots without actually trying to log in (if that is indeed what is happening).

    Even days later, we can't turn on FTP without this happening again.

    Any ideas?

    Thanks,

    Mark
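A defender-side check for the pattern described in the post above (slots held by sessions that never authenticate), added here as an example and not part of the thread: it counts pure-ftpd children still carrying the pre-login "(IDLE)" title, counts logged-in sessions by their assumed "pure-ftpd (user@host) [STATE]" title, summarises remote IPs the way the netstat pipeline above does, and alerts when pre-auth sessions alone approach the WHM Maximum Connections value. The ps and netstat sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Counts pure-ftpd slots held by
# connections that never authenticated, so an alert can fire before clients
# see "421 50 users (the maximum) are already logged in".
# Assumption: pure-ftpd titles unauthenticated children "pure-ftpd (IDLE)"
# (paired with a "(PRIV)" helper), as in the ps listing above, and titles
# logged-in sessions "pure-ftpd (user@host) [STATE]".

MAX_CONNECTIONS=50   # WHM "Maximum Connections" value from the thread
ALERT_PCT=80         # alert when pre-auth sessions hold this % of the slots

# count_preauth: sessions still waiting for a login; reads ps output on stdin.
# Only the "(IDLE)" child is counted, since its "(PRIV)" twin is the same session.
count_preauth() {
    awk '/pure-ftpd \(IDLE\)/ { n++ } END { print n + 0 }'
}

# count_authed: sessions whose title carries user@host, i.e. a login completed.
count_authed() {
    awk '/pure-ftpd \([^ )]+@[^ )]+\)/ { n++ } END { print n + 0 }'
}

# top_sources: remote IPs holding pure-ftpd connections, busiest first.
# Same idea as the netstat pipeline in the post; reads "netstat -tpn" output.
top_sources() {
    awk '/pure-ftpd/ { split($5, a, ":"); print a[1] }' | sort | uniq -c | sort -nr
}

# slot_pressure PREAUTH MAX PCT: prints ALERT when PREAUTH sessions alone hold
# at least PCT percent of the MAX slots, otherwise OK.
slot_pressure() {
    if [ $(( $1 * 100 )) -ge $(( $2 * $3 )) ]; then
        echo ALERT
    else
        echo OK
    fi
}

# Constructed sample data in the shape of the thread's ps and netstat output.
SAMPLE_PS='root 25877 0.0 0.0 6424 1564 ? Ss 20:08 0:00 pure-ftpd (SERVER)
root 26313 0.0 0.0 6428 824 ? S 20:09 0:00 pure-ftpd (IDLE)
root 26314 0.0 0.0 6428 624 ? S 20:09 0:00 pure-ftpd (PRIV)
root 26315 0.0 0.0 6428 824 ? S 20:09 0:00 pure-ftpd (IDLE)
root 26316 0.0 0.0 6428 624 ? S 20:09 0:00 pure-ftpd (PRIV)
bob 26400 0.0 0.0 6428 824 ? S 20:09 0:00 pure-ftpd (bob@203.0.113.9) [IDLE]'
SAMPLE_NETSTAT='tcp 0 0 198.51.100.10:21 192.0.2.17:40001 ESTABLISHED 26313/pure-ftpd
tcp 0 0 198.51.100.10:21 192.0.2.17:40002 ESTABLISHED 26315/pure-ftpd
tcp 0 0 198.51.100.10:21 203.0.113.9:51234 ESTABLISHED 26400/pure-ftpd'

# report: one-line summary plus the per-IP list. On a live box feed
# "ps aux" and "netstat -tpn" into the functions instead of the samples.
report() {
    pre=$(printf '%s\n' "$SAMPLE_PS" | count_preauth)
    auth=$(printf '%s\n' "$SAMPLE_PS" | count_authed)
    status=$(slot_pressure "$pre" "$MAX_CONNECTIONS" "$ALERT_PCT")
    echo "pre-auth=$pre authed=$auth max=$MAX_CONNECTIONS status=$status"
    printf '%s\n' "$SAMPLE_NETSTAT" | top_sources
}

report
```

Run from cron and trigger on ALERT: a box whose pre-auth count sits near the limit while authed stays low is the state the thread describes, even though no login failures reach CSF/LFD.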
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Can you post that ticket number please?

    Do you allow anonymous FTP?

    What are your settings here:
    WHM > Service Configuration > FTP Server Configuration
     
  3. markb14391

    markb14391 Well-Known Member

    Hi Infopro,

    1895390

    No.

    No settings now as we still have FTP disabled. But the last settings were:

    TLS Encryption Support: Required (Command/Data)
    TLS Cipher Suite: HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
    Allow Anonymous Logins: No
    Allow Anonymous Uploads: No
    Maximum Idle Time (minutes): 1 (was originally set higher, but I tried lower setting to mitigate this)
    Maximum Connections: 50 (have tried various settings, but the slots always fill up immediately)
    Maximum Connections Per IP Address: 1 (was set at the default...forget what that was...but I lowered it in response to this)
    Allow Logins with Root Password: No
    Broken Clients Compatibility: No

    All other settings were always at those values (e.g., we never allowed anonymous FTP).

    BTW, if I try to activate FTP now, I get an error message...although it does seem to start, as evidenced by the return of the "421 50 users (the maximum) are already logged in, sorry" message.

    Thanks,

    Mark
     
    #3 markb14391, Sep 26, 2011
    Last edited: Sep 26, 2011
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Have you considered changing FTP ports to troubleshoot this? There are multiple threads on this topic around the forums like this one. I'd be interested to see if this, what was referred to in your ticket as possibly a mild attack, moves with that port change.

    For example, you change ports, contact your customers and explain what's going on, and the attacks continue: is this some sort of malware on one of your legit users' computers?

    I'm just guessing, of course. As with suggesting tighter settings in CSF to provide more feedback with this.

    I suggest you hire an expert if needed to help take a much closer look at this:
    Security « Application Catalog
     
  5. markb14391

    markb14391 Well-Known Member

    We may do this. Since few clients use FTP, it wouldn't be the end of the world. However, my hunch is that, if these hackers have effective port scanners, they'll find the new port in just a moment.

    An interesting idea, though I have no idea how this could be diagnosed.

    Can you suggest tighter CSF settings that might help? I couldn't find anything that looked like it might help.

    Most importantly, I can't figure out what the attackers could gain from this...just tying up connections but (apparently) not trying to log in?

    Thanks,

    Mark
     
  6. markb14391

    markb14391 Well-Known Member

    Also, any idea about the FTP error message?

     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    CSF has port scan tracking settings to slow them down.

    As suggested change the port and close the old one. I have no idea if that will be helpful, just thinking out loud really.

    I suggest you contact someone on the list at the link above. ConfigServer is listed there and does have multiple cPanel service packages offered on his site.

    We can guess at the motives all day, but we'd only be guessing.

    Take your pick:

    Error 421 Service not available, closing control connection.
    Error 421 User limit reached
    Error 421 You are not authorized to make the connection
    Error 421 Max connections reached
    Error 421 Max connections exceeded
     
  8. Metro2

    Metro2 Well-Known Member

    Hi Mark,

    Did you ever find a solution to this "421 50 users (the maximum) are already logged in, sorry" problem?

    This just started happening on all of my servers on July 11th after a cPanel update, but after opening a ticket with cPanel they said it appears to be a problem with CSF settings, despite the fact that I haven't changed any CSF settings and it's happening on servers that I've had for years and never encountered this problem with.

    We confirmed that it was not my actual users (since at any given time there would be no more than 10 users using FTP on any of my servers) but rather the server hanging on to failed FTP attempts from random bogus login attempts from around the world.

    So I contacted ConfigServer about it and they say they've never seen this phenomenon occur in relation to CSF at all.

    I'm rather stuck as it's happening over 20 times a day on all servers and interrupting the few valid user FTP sessions, so in desperation for a solution I'm replying to this 4 year old thread that seems to have never had a final solution.

    Thanks for any replies and input!
     
  9. quizknows

    quizknows Well-Known Member

    This generally has to do with times of heavy brute-force attacks: all the attackers guessing passwords will eat up your available connections for your clients. Botnets have been working hard this week; I've seen a serious increase of traffic for both FTP and WordPress brute forcing. This isn't a CSF issue, just a setting of the FTP server of how many connections to allow. To fix it, in WHM just go to
    Home » Service Configuration » FTP Server Configuration

    and raise the Maximum Connections setting. You may consider tightening up the number of failed attempts before an IP is blocked as well in the CSF conf.
     
    #9 quizknows, Jul 17, 2015
    Last edited by a moderator: Jul 17, 2015
  10. Metro2

    Metro2 Well-Known Member

    quizknows, I truly appreciate your reply!

    I really had / have my doubts that this is a CSF issue at all.

    Thank you for your recommendations. I can certainly raise the max FTP connections from 50 to something higher in WHM, despite it being set to 50 in all the years I've had my servers. Makes me a little nervous to raise it because I wonder how it will affect resources, but I'll bump it to 100 to see if that helps.

    Also, I currently have the following relevant settings in my CSF:

    Code:
    # Enable login failure detection of ftp connections
    LF_FTPD = 10
    LF_FTPD_PERM = 1

    # Distributed Account Attack.
    LF_DISTATTACK = 1

    # Set the following to the minimum number of unique IP addresses that trigger
    LF_DISTATTACK_UNIQ = 2

    # Distributed FTP Logins.
    LF_DISTFTP = 5

    # Set the following to the minimum number of unique IP addresses that trigger
    # LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work
    LF_DISTFTP_UNIQ = 3

    # If this option is set to 1 the blocks will be permanent
    # If this option is > 1, the blocks will be temporary for the specified number
    # of seconds:
    LF_DISTFTP_PERM = 1

    Been set like that for years.
    Do you think my settings are good or do you think any of the above need to be adjusted?

    Thanks very much for your reply and input!
     
  11. quizknows

    quizknows Well-Known Member

    Everything looks good, but I would probably lower LF_FTPD to 5 (from 10) until these attacks slow down a bit.

    As long as you have a decent server, you should not notice much issue allowing more connections. It's just going to be rejecting passwords, which is not really resource intensive.
     
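As an added illustration (not CSF's own code) of what the LF_FTPD and LF_DISTFTP / LF_DISTFTP_UNIQ settings in Metro2's post count, and of quizknows's suggestion to lower LF_FTPD from 10 to 5, here is a small Python checker that applies the same two rules to constructed pure-ftpd syslog lines. The log line format is assumed to match pure-ftpd's usual "Authentication failed for user [name]" warning; the IPs and accounts are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of pure-ftpd syslog lines (format assumed to match
# pure-ftpd's "[WARNING] Authentication failed for user [name]" message).
SAMPLE_LOG = """\
Jul 17 03:01:02 host pure-ftpd: (?@203.0.113.10) [WARNING] Authentication failed for user [admin]
Jul 17 03:01:03 host pure-ftpd: (?@203.0.113.10) [WARNING] Authentication failed for user [admin]
Jul 17 03:01:04 host pure-ftpd: (?@203.0.113.10) [WARNING] Authentication failed for user [admin]
Jul 17 03:01:05 host pure-ftpd: (?@203.0.113.10) [WARNING] Authentication failed for user [admin]
Jul 17 03:01:06 host pure-ftpd: (?@203.0.113.10) [WARNING] Authentication failed for user [admin]
Jul 17 03:02:10 host pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [shop]
Jul 17 03:02:11 host pure-ftpd: (?@198.51.100.8) [WARNING] Authentication failed for user [shop]
Jul 17 03:02:12 host pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [shop]
Jul 17 03:02:13 host pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [shop]
Jul 17 03:02:14 host pure-ftpd: (?@198.51.100.10) [WARNING] Authentication failed for user [shop]
Jul 17 03:05:00 host pure-ftpd: (?@192.0.2.44) [WARNING] Authentication failed for user [mark]
Jul 17 03:05:30 host pure-ftpd: (?@192.0.2.44) [INFO] mark is now logged in
"""

FAIL_RE = re.compile(
    r"pure-ftpd: \([^@]*@([\d.]+)\) \[WARNING\] Authentication failed for user \[([^\]]+)\]")

def parse_failures(text):
    """Yield (ip, account) for every failed-login line; other lines are ignored."""
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            yield m.group(1), m.group(2)

def evaluate(text, lf_ftpd=5, lf_distftp=5, lf_distftp_uniq=3):
    """Apply the two CSF rules; returns (ips_to_block, {account: sorted ips})."""
    per_ip = Counter()
    per_account = defaultdict(list)
    for ip, account in parse_failures(text):
        per_ip[ip] += 1
        per_account[account].append(ip)
    # LF_FTPD: a single IP reaching the failure threshold is blocked.
    ips_to_block = sorted(ip for ip, n in per_ip.items() if n >= lf_ftpd)
    # LF_DISTFTP / LF_DISTFTP_UNIQ: one account hit lf_distftp times from at
    # least lf_distftp_uniq distinct IPs. None of those IPs need reach LF_FTPD
    # on its own, which is why the single-IP rule alone misses this pattern.
    distributed = {}
    for account, ips in per_account.items():
        if len(ips) >= lf_distftp and len(set(ips)) >= lf_distftp_uniq:
            distributed[account] = sorted(set(ips))
    return ips_to_block, distributed
```

With `lf_ftpd=10` the single-IP brute-forcer against `admin` in the sample is never blocked; at 5 it is, while the spread-out attempts against `shop` are only caught by the distributed rule either way.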
  12. Metro2

    Metro2 Well-Known Member

    Thanks again!

    Raised max connections to 100, lowered LF_FTPD to 5.

    Will report back results in 24 hours in case this info is of any help to anyone else.
     
  13. Metro2

    Metro2 Well-Known Member

    Just for the sake of anyone else who might be running into this issue or following this thread for an outcome, I have an update regarding the setting changes that quizknows suggested as well as an update from cPanel as to why they believe that this issue is at least related to CSF in some way.

    So far, since I raised the max FTP connections to 100 and lowered LF_FTPD to 5 and also lowered LF_PERMBLOCK_COUNT down to 3 (so that 3 temp blocks in 24 hours will perm block an IP) I have seen a significant reduction in these brief ftpd interruptions.

    I think quizknows is spot-on in regard to it being a recent increase in botnet activity, because after thoroughly examining everything I'm seeing that:

    A.) The instances of "distributed ftpd attack" alerts from CSF for July are literally 20 times higher than they were in June and

    B.) The majority of the distributed ftpd attacks are coming from Russia and Ukraine IPs

    So while I don't want to go as far as blocking entire countries, what I have been doing to further combat the problem is studying the most common IP ranges and then adding them to the CSF Deny list by range, for example xxx.xxx.xxx.xxx/22

    Now in regard to the CSF part...

    Since I've had my doubts about CSF being the actual culprit and ConfigServer Support reports to me that they haven't received any other reports of this phenomenon (and considering the large number of hosts running CSF out there), they say that if anything it is more likely an iptables issue, since CSF is mainly just a way to configure iptables. I don't modify CSF too far from its defaults, so it could be tricky for me to track down an odd setting, if it's a setting at all. CS did suggest perhaps disabling connection tracking. (The latter makes sense to me since connection tracking needs to hang onto info for the purpose of tracking, so I'll probably try that out in the coming days.)

    Also since I had my doubts about it being a CSF issue, I asked the cPanel tech who was handling my ticket if he wouldn't mind explaining how & why he determined the problem to be related to CSF, and here's what he very kindly provided me with:

    So in the end I'm still doing a bit of chasing my tail and trying to take all of this information in and process it, do comparisons etc., but adjusting some settings as described further above has definitely made a positive difference. So at least now I can confirm that in my case the problem is a recent large spike in distributed ftpd attacks from Russia / Ukraine IPs and that settings can be made to help aid in quelling the issue.

    I hope this info can help someone else someday.
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Thank you for taking the time to report your results back to this thread. We appreciate the feedback.
     
  15. Metro2

    Metro2 Well-Known Member

    You're welcome cPanelMichael. Sometimes there's nothing more frustrating than finding an existing thread about a problem you're having only to find that nobody followed up with solutions, so I always try to update with whatever info I can pass along to the next person.
     
  16. Metro2

    Metro2 Well-Known Member

    Well, after they decided to ramp up the attacks, and having decided that the benefits of using CSF far outweigh any negatives, and after getting sick of my phone ringing all Sunday morning, I've made a decision:

    CC_DENY = RU,KZ,UA

    Sad that it has to be that way these days.
     
  17. hostingmundial

    hostingmundial Registered

    We have the same problem and we're not sure if it's related to cPanel, but we also updated to 11.50.0 (build 27) a few days ago, and it's the first time we have ever experienced this kind of attack (at least in this particular way and magnitude).

    CSF blocked a lot of IPs from Russia, Ukraine and Kazakhstan, among a few other countries.

    We have also chosen this temporary measure: CC_DENY = RU,KZ,UA
     
  18. steadramon

    steadramon Registered

    We've experienced this recently too, here's my take on the situation:
    • Remote IP tries bad username/password combo against pure-ftpd
    • CSF/LFD detects this and blocks said IP address in the server firewall
    • pure-ftpd has to wait for 15 minutes (default) for an idle timeout
    Code:
    root@cpanel [~]# grep Idle /etc/pure-ftpd.conf
    MaxIdleTime 15
    
    None of our pure-ftpd processes are around for more than 15 minutes, but this blocking done by CSF causes all traffic to/from the remote IP to be blocked, therefore the timeout has to kick in before getting rid of this connection.

    As a measure we have increased the max concurrent FTP connections and lowered the MaxIdleTime for pure-ftpd.
     
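A small model, added here and not taken from steadramon's post or from pure-ftpd, of the mechanism described above: each IP that CSF blocks mid-session leaves a pure-ftpd child holding a slot until MaxIdleTime runs out, so the slots lost to attackers are roughly the block rate times the idle timeout. The attack schedule (one newly blocked IP every 15 seconds for an hour) is constructed; with it, MaxIdleTime 15 alone holds 60 slots, more than a MaxConnections of 50, while MaxIdleTime 1 holds 4.

```python
# Times are in minutes. The schedule below is constructed, not measured.

def attack_block_times(duration_min=60.0, every_min=0.25):
    """Constructed schedule: CSF blocks one new attacker IP every `every_min` minutes."""
    return [i * every_min for i in range(int(duration_min / every_min))]

def lingering_intervals(block_times, max_idle_min):
    """Each blocked IP holds a pure-ftpd slot from the block until the idle
    timeout fires, because the firewall now drops the rest of its dialogue."""
    return [(t, t + max_idle_min) for t in block_times]

def peak_occupancy(intervals):
    """Most slots held at once. Sweep line: an interval ending at t frees its
    slot before one starting at t takes one (tuple sort puts -1 before +1)."""
    events = sorted([(end, -1) for _, end in intervals] +
                    [(start, +1) for start, _ in intervals])
    busy = peak = 0
    for _, delta in events:
        busy += delta
        peak = max(peak, busy)
    return peak

def occupancy_at(intervals, t):
    """Slots held by lingering attacker sessions at minute t."""
    return sum(1 for start, end in intervals if start <= t < end)

def login_rejected(intervals, t, max_connections, legit_sessions=0):
    """True if a legitimate login at minute t would get the 421 'maximum users'
    reply: the attacker leftovers plus existing real sessions already fill it."""
    return occupancy_at(intervals, t) + legit_sessions >= max_connections

if __name__ == "__main__":
    blocks = attack_block_times()
    # Compare the original settings with each of the two mitigations in turn.
    for idle, maxconn in ((15, 50), (15, 100), (1, 50)):
        iv = lingering_intervals(blocks, idle)
        print(f"MaxIdleTime={idle:>2} MaxConnections={maxconn:>3}: "
              f"peak lingering={peak_occupancy(iv):>3}, "
              f"login at minute 30 rejected={login_rejected(iv, 30, maxconn, 5)}")
```

Raising MaxConnections only buys headroom proportional to the block rate, whereas cutting MaxIdleTime shrinks the held slots directly, which is why steadramon's post combines both.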
  19. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    To clarify, this isn't an issue with the cPanel/WHM software itself, but rather it's likely stemming from a recent increase in botnet activity.

    Thank you.
     