proFTP not blocking

Post Reply
dvk01
Junior Member
Posts: 80
Joined: 20 Feb 2010, 18:10

proFTP not blocking

Post by dvk01 »

I am getting attacks via FTP but CFS doesn't seem to be blocking them or adding them to firewall block and I have to do it manually, when I see the hourly reports

they only seem to try 1 account at a time and ONLY 1 attempt at that account , but the same IP number tries numerous different accounts. I can't see any way in CFS settings to block IPs that attempt to log in to different accounts, only settings for how many times the same account is attempted
/var/log/secure:
Mar 13 08:53:15 knight proftpd[18062]: 198.1.75.187 (199.114.243.224[199.114.243.224]) - USER co: no such user found from 199.114.243.224 [199.114.243.224] to ::ffff:198.1.75.187:21
Mar 13 08:53:25 knight proftpd[18091]: 198.1.75.187 (199.114.243.224[199.114.243.224]) - USER couk: no such user found from 199.114.243.224 [199.114.243.224] to ::ffff:198.1.75.187:21
Mar 13 08:53:34 knight proftpd[18150]: 198.1.75.187 (199.114.243.224[199.114.243.224]) - USER co111: no such user found from 199.114.243.224 [199.114.243.224] to ::ffff:198.1.75.187:21
Mar 13 08:53:37 knight proftpd[18170]: 198.1.75.187 (199.114.243.224[199.114.243.224]) - USER co123: no such user found from 199.114.243.224 [199.114.243.224] to ::ffff:198.1.75.187:21
Mar 13 08:53:40 knight proftpd[18203]: 198.1.75.187 (199.114.243.224[199.114.243.224]) - USER co123456: no such user found from 199.114.243.224 [199.114.243.224] to ::ffff:198.1.75.187:21
Mar 13 08:53:40 knight proftpd[18206]: 198.1.75.187 (199.114.243.224[199.114.243.224]) - USER co2010: no such user found from 199.114.243.224 [199.114.243.224] to ::ffff:198.1.75.187:21
Mar 13 08:53:43 knight proftpd[18228]: 198.1.75.187 (199.114.243.224[199.114.243.224]) - USER co2011: no such user found from 199.114.243.224 [199.114.243.224] to ::ffff:198.1.75.187:21
Mar 13 08:53:44 knight proftpd[18231]: 198.1.75.187 (199.114.243.224[199.114.243.224]) - USER co2012: no such user found from 199.114.243.224 [199.114.243.224] to ::ffff:198.1.75.187:21
Top
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: proFTP not blocking

Post by ForumAdmin »

The proftpd regex in lfd catches those lines, so it would suggest that you have not configured FTPD_LOG correctly in csf.conf and then restarted lfd.
Top
dvk01
Junior Member
Posts: 80
Joined: 20 Feb 2010, 18:10

Re: proFTP not blocking

Post by dvk01 »

thanks
I have changed the log location to /var/log/secure instead of /var/log/messages and lets see if that does it

it has always been set to messages and that has informed me of any FTP log ins whether legitimate or a problem. I suppose it is due to my recent server move or the update to CP 36.x that has caused the problem

I will see how it goes
Thanks
Top
Post Reply

Return to “General Discussion (csf)”