brute force attack detected in service log on Users anonymous

tagteamcomputing (New member, joined Dec 2, 2023, 2 messages)
I am getting several of these a day:
A brute force attack has been detected in one of your service logs.

User anonymous has 272 failed login attempts: pure-ftpd1=272

Check 'Admin Level -> Brute Force Monitor' for more information

What is the best way to handle this? Should I just set a rule to delete the email when I get it, or should I do something more to lock the server down? I have the security settings at:
Blacklist IP for excessive DA login attempts after 10 or 30 unauthorized connections
I have 'Parse service logs' checked
I just changed 'Remove IP from blacklist' to 0 (none of my users really log in, just me).
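As an added example (not part of the original post, and not DirectAdmin's own Brute Force Monitor code): the kind of per-user and per-IP count that DA's mail is reporting, run over a few constructed pure-ftpd syslog lines. The log lines, the threshold and the host name are assumptions; the `csf -d` command it renders is CSF's own deny syntax, but it is only printed, never executed.

```python
import re
from collections import Counter

# Constructed sample lines in pure-ftpd's syslog format (made up for this
# example; not from the original poster's server).
SAMPLE_LOG = """\
Dec  2 03:14:01 srv pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [anonymous]
Dec  2 03:14:02 srv pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [anonymous]
Dec  2 03:14:03 srv pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [anonymous]
Dec  2 03:15:10 srv pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [admin]
Dec  2 03:16:00 srv pure-ftpd: (?@192.0.2.44) [INFO] user1 is now logged in
Dec  2 03:16:30 srv pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [anonymous]
"""

# One failed-auth line: "(?@<ip>)" carries the client address, the login name
# sits in square brackets at the end. Successful logins do not match.
FAIL_RE = re.compile(
    r"pure-ftpd: \([^@)]*@(?P<ip>[^)]+)\) \[WARNING\] "
    r"Authentication failed for user \[(?P<user>[^\]]*)\]"
)


def count_failures(log_text):
    """Count failed logins keyed by (user, source ip)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[(m.group("user"), m.group("ip"))] += 1
    return counts


def failures_per_user(counts):
    """Collapse to per-user totals, the figure DA's mail reports
    ("User anonymous has N failed login attempts")."""
    per_user = Counter()
    for (user, _ip), n in counts.items():
        per_user[user] += n
    return per_user


def offenders(counts, threshold):
    """Source IPs whose failures across all login names reach the threshold,
    i.e. the addresses worth blocking regardless of which user they guessed."""
    per_ip = Counter()
    for (_user, ip), n in counts.items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


def csf_deny_commands(ips, comment="pure-ftpd brute force"):
    """Render the csf deny commands an admin would run; returned as strings,
    not executed, so the example is safe to run anywhere."""
    return ["csf -d %s %s" % (ip, comment) for ip in ips]


if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG)
    print(dict(failures_per_user(counts)))
    # threshold of 3 is an assumed value for the demo, not DA's default
    for cmd in csf_deny_commands(offenders(counts, 3)):
        print(cmd)
```

Grouping by source IP rather than by user name is what makes the result actionable: the mail says "anonymous" failed 272 times, but it is the IPs behind those attempts that a firewall can deny.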
 
Check if DA does block the attacker. If not, you can adjust the settings in your CSF/LFD firewall to block FTP attacks.
Not really required to pay for an external tool for something CSF/LFD can do too.
 
How do you limit that in CSF? Doesn't one need GeoIP or something for that?
Yes, csf offers MaxMind ("1") and DB-IP, ipdeny.com, iptoasn.com ("2"). We are using MaxMind --> CC_SRC = 1
CC_ALLOW_PORTS = NL,DE (as an example; here 2-letter country codes)
CC_ALLOW_PORTS_TCP = 20,21
CC_ALLOW_PORTS_UDP = 20,21
Ports 20 and 21 must be removed from the TCP_IN/UDP_IN port lists.
 
@Richard G
How to block a Whole Country with MaxMind’s GeoIP Lite?
  1. First, we will sign up for a MaxMind account at this link. You are not required to make a purchase to sign up.

  2. Then, set the password and create a license key at this link.

  3. After that, set up the downloading mechanism via the GeoIP Update program available at this link. You can also opt to create a direct download script from this link.

  4. Next, we have to update /etc/csf/csf.conf with the new key as seen below:
    Code:
    # MaxMind License Key:
    MM_LICENSE_KEY = "addnewlicensekeyhere"

  5. Recommended: restart CSF after making the change with the following command
    Code:
    csf -r
 
Seems so. In the registration info which they sent me, it's still called the Minfraud service anyway.
Here is the overview page with the changes in Dec. 2019 from free to need-to-register free:
 
Ok, thanks Active 8. I have completed all the steps you mentioned. However, I am not sure what to do next.

I am sure it is this part but I want to make sure I am understanding it.

Yes, csf offers MaxMind ("1") and DB-IP, ipdeny.com, iptoasn.com ("2"). We are using MaxMind --> CC_SRC = 1
CC_ALLOW_PORTS = NL,DE (as an example; here 2-letter country codes)
CC_ALLOW_PORTS_TCP = 20,21
CC_ALLOW_PORTS_UDP = 20,21
Ports 20 and 21 must be removed from the TCP_IN/UDP_IN port lists.

I edit csf for those variables:
CC_ALLOW_PORTS is saying that you can only access the below ports from those two countries. (This would in essence block everything for all other countries, and they would not even be allowed to try to log in to FTP.)
CC_ALLOW_PORTS_TCP is what ports you are trying to block. So if people are trying to hit FTP, block 21; if they were trying to hit, say, DA admin, you could block 2222.

Because I have installed the geoipupdate program, I am able to use country codes, because geoipupdate will constantly update with new IP blocks for those countries.

And by saying CC_ALLOW_PORTS, am I in essence already saying block all other locations, or do I need to set up a block-everything somewhere and then this variable will allow certain countries?

Do I have it about right?

Thanks
 
And by saying CC_ALLOW_PORTS, am I in essence already saying block all other locations,
No, by saying CC_ALLOW_PORTS you are in essence saying that the rules only apply to ports 20 and 21, or any other ports in there.
And because you removed these ports from TCP_IN/UDP_IN, you are in fact saying that you block access for all other locations not mentioned in the
CC_ALLOW_PORTS = setting.

If you want the same for port 2222, then you have to add that in there and remove it from TCP_IN/UDP_IN too.

Be aware this is strict FTP. It can cause issues in some cases when people need to use PASV FTP. If you encounter these issues, I would suggest adding the PASV ports, being 35000:35999, too, and of course removing them from TCP_IN/UDP_IN too to block all others.
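An added example (not from the thread's participants or from CSF itself) that checks the point made in the reply above: a port listed in CC_ALLOW_PORTS_TCP/UDP is only country-restricted once it has also been removed from TCP_IN/UDP_IN, otherwise the global allow still lets every country in. The two csf.conf excerpts are constructed (one with the mistake, one corrected, both including the PASV range); the script parses csf's `KEY = "value"` lines and reports any port that is both country-restricted and still globally open.

```python
import re

# Constructed csf.conf excerpts (assumptions for this example, not the
# poster's real file). BAD_CONF sets the country restriction but leaves
# 20/21 and the PASV range in TCP_IN/UDP_IN, so every country still gets in.
BAD_CONF = '''
# Allow incoming TCP ports
TCP_IN = "20,21,22,53,80,443,2222,35000:35999"
UDP_IN = "20,21,53"
CC_SRC = "1"
CC_ALLOW_PORTS = "NL,DE"
CC_ALLOW_PORTS_TCP = "20,21,35000:35999"
CC_ALLOW_PORTS_UDP = "20,21"
'''

# GOOD_CONF: same restriction, with the restricted ports taken out of *_IN.
GOOD_CONF = '''
TCP_IN = "22,53,80,443,2222"
UDP_IN = "53"
CC_SRC = "1"
CC_ALLOW_PORTS = "NL,DE"
CC_ALLOW_PORTS_TCP = "20,21,35000:35999"
CC_ALLOW_PORTS_UDP = "20,21"
'''

SETTING_RE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"')


def parse_conf(text):
    """Map KEY -> value for csf.conf style lines (KEY = "value"); comments skipped."""
    conf = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = SETTING_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def expand_ports(spec):
    """Turn csf's comma list with lo:hi ranges into a set of port numbers."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:
            lo, hi = item.split(":", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return ports


def leaked_ports(conf):
    """Ports in CC_ALLOW_PORTS_* that are also globally open in TCP_IN/UDP_IN.
    Those are reachable from every country, so the CC rule does nothing for them."""
    tcp = expand_ports(conf.get("CC_ALLOW_PORTS_TCP", "")) & expand_ports(conf.get("TCP_IN", ""))
    udp = expand_ports(conf.get("CC_ALLOW_PORTS_UDP", "")) & expand_ports(conf.get("UDP_IN", ""))
    return {"tcp": sorted(tcp), "udp": sorted(udp)}


def summarize(ports, limit=5):
    """Short human-readable list, truncated for big ranges like 35000:35999."""
    shown = ", ".join(str(p) for p in ports[:limit])
    return shown + (" ... (%d total)" % len(ports) if len(ports) > limit else "")


def check(conf):
    """Return a list of problems; an empty list means the restriction is consistent."""
    problems = []
    if conf.get("CC_SRC", "") not in ("1", "2"):
        problems.append("CC_SRC must be 1 (MaxMind) or 2 (DB-IP/ipdeny/iptoasn) for country rules to work")
    codes = [c.strip() for c in conf.get("CC_ALLOW_PORTS", "").split(",") if c.strip()]
    if not codes:
        problems.append("CC_ALLOW_PORTS is empty: no country may reach the restricted ports")
    for c in codes:
        if not re.fullmatch(r"[A-Z]{2}", c):
            problems.append("CC_ALLOW_PORTS entry %r is not a 2-letter country code" % c)
    for proto, ports in leaked_ports(conf).items():
        if ports:
            problems.append("%s port(s) %s are in CC_ALLOW_PORTS_%s but still open to all in %s_IN"
                            % (proto.upper(), summarize(ports), proto.upper(), proto.upper()))
    return problems


if __name__ == "__main__":
    for name, text in (("BAD_CONF", BAD_CONF), ("GOOD_CONF", GOOD_CONF)):
        print(name, check(parse_conf(text)) or ["ok"])
```

Run it against a real /etc/csf/csf.conf by reading the file into `parse_conf`; the check is read-only, and a clean result still needs `csf -r` to take effect.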
 
Because I have installed the geoipupdate program, I am able to use country codes, because geoipupdate will constantly update with new IP blocks for those countries.
I thought CSF was doing that already? Because you can't point CSF to the file CSF has to look at. Or am I mistaken?
Which file does that geoipupdate program generate?
 
geoipupdate will not work with the csf firewall. You need to manually add the keys to the csf firewall.
 
you need to manually add the keys to the csf firewall.
Yes, the key is the license key which you need in CSF. But if I understood correctly, the GeoIP updates are done automatically after that by CSF itself, no need to install the geoipupdate program, or am I wrong?
 
@Richard G
geoipupdate is mostly used for other applications like ... the Apache extension, to collect client data via PHP itself through the "$_SERVER" variable.
 