CSF is not blocking certain attacks -- Any suggestions?

jim.thornton

Verified User
Joined
Jan 1, 2008
Messages
334
I've installed CSF & LFD and I really like it compared to the old APF & BFD setup I had on my other vps. That said, I'm noticing there are some attacks which DA is warning me of but CSF is not picking up on. Here is one:

It is the pure-ftpd1 filter in DA that is catching the attack, but CSF is missing it.

I've noticed the pattern is a brute force attack using a suspected username 14 times, then switching usernames. This happened for 50 attempts. You would think that with 50 attempts it must have been blocked by CSF/LFD, but the IP has not been added to the IP list for some reason.

How can I ensure that CSF will pick this up?
 
Hello,

Why do you ask it here? We do not write CSF/LFD, so if you think it's a CSF/LFD issue, then you should refer your question to its author.

By the way, does pure-ftpd write logs? As far as I know it does not. And CSF/LFD is log-based when it comes to brute force attacks.
 
I asked the question here because I've posted on the CSF forums before and never got an answer. I figured there were enough people here that use it that someone might be able to help me.

Also... Does DirectAdmin not use logs to determine their brute-force attacks? If so, then can't I get CSF to use the same log file?
 
I was thinking of doing the BFM thing originally, but then I thought it might be easier to get CSF to just monitor for the pure-ftpd.

I've gone with your suggestion and am now using BFM.

Thanks!
 
Pure-FTPD -is- writing logs and you can use CSF on them.
However, I use a small workaround found on these forums to have CSF work better on intrusion detection for pure-ftpd.
It's an easy fix.
First change /etc/rsyslog.conf to this:
Code:
*.info;mail.none;authpriv.none;cron.none;ftp.none;      /var/log/messages

# Pure FTPD
ftp.*                                                   /var/log/pureftpd-auth.log
As you can see, the ftp.none is added. After that you make a separate line for pureftpd.
Now pureftpd will create a /var/log/pureftpd.log file for DA's quota and logging stuff.
Next to that it will generate a /var/log/pureftpd-auth.log for authentication, which you can point csf.conf to.
If you want this saved a few days, make an entry for logrotate.

Just edit /etc/logrotate.d/syslog and add this line somewhere on top amongst the others:
Code:
/var/log/pureftpd-auth.log

Remember to restart syslogd and logrotate after adding/editing these files.
CSF can do everything for you, even block brute force attempts if you use the built-in BFM from DA.
 
I ended up just configuring DA + BFM to trigger a CSF call and block the IP. But, it might be better to use CSF to block it and then BFM as a backup to find things that CSF misses.
 
You can use either way. I also use BFM (the built-in one from DA) to trigger a CSF call for brute forces on the DirectAdmin panel login.
I just do it in a bit shorter way. Unblocking is done automatically, and if somebody needs to be unblocked before that, it has to be done manually via the console.
 
I've just modified this line in csf.conf

CUSTOM1_LOG = "/var/log/pureftpd.log"


Question:
What is the difference between pure-ftpd / proftpd1 / proftpd2 in the Brute Force Logs visible in DirectAdmin?
 
pure-ftpd login failures in /var/log/messages should be taken care of into the next release of CSF (LFD) :) Thank you for the report.
 
I've just modified this line in csf.conf
CUSTOM1_LOG = "/var/log/pureftpd.log"
That won't help you. Because by default in that file only the transfers are logged, not the authentication. If you want that logged for security as you ask, you have to do something like I said or wait until the next release of pure-ftpd to use /var/log/messages.
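To illustrate the two points made above (the rsyslog split that produces /var/log/pureftpd-auth.log, and why /var/log/pureftpd.log alone gives a log-based blocker nothing to work with), here is an added example that is not part of the thread: it parses pure-ftpd authentication failures per source IP and applies a failure threshold the way a log-based trigger would. The log lines, host name, IPs and user names are constructed for the example; the transfer-log line is a CLF-style sample.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format pure-ftpd emits on the ftp facility,
# i.e. what the "ftp.*  /var/log/pureftpd-auth.log" rsyslog rule writes.
# Host name, IPs and user names are made up for this example.
SAMPLE_AUTH_LOG = """\
Jan  1 10:00:01 vps pure-ftpd: (?@192.0.2.10) [INFO] New connection from 192.0.2.10
Jan  1 10:00:02 vps pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [admin]
Jan  1 10:00:03 vps pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [admin]
Jan  1 10:00:04 vps pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [webmaster]
Jan  1 10:00:05 vps pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [webmaster]
Jan  1 10:00:06 vps pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [ftp]
Jan  1 10:01:00 vps pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [jim]
Jan  1 10:01:05 vps pure-ftpd: (?@198.51.100.7) [INFO] jim is now logged in
"""

# Constructed CLF-style transfer-log line like those in /var/log/pureftpd.log:
# it records a file transfer, not who failed to authenticate.
SAMPLE_TRANSFER_LOG = """\
192.0.2.10 - admin [01/Jan/2024:10:02:00 +0000] "GET /index.html" 200 512
"""

# pure-ftpd prefixes each message with "(user@ip)"; "?" stands for a not-yet-authenticated user.
FAILED_AUTH = re.compile(
    r"pure-ftpd: \(\S*@(?P<ip>[0-9a-fA-F.:]+)\) \[WARNING\] "
    r"Authentication failed for user \[(?P<user>[^\]]*)\]"
)


def failed_logins_by_ip(log_text):
    """Return {ip: [user, ...]} with one entry per authentication failure found in log_text."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_AUTH.search(line)
        if m:
            failures[m.group("ip")].append(m.group("user"))
    return dict(failures)


def offenders(log_text, threshold):
    """IPs with at least `threshold` failures, as a log-based LFD-style trigger would count them."""
    per_ip = failed_logins_by_ip(log_text)
    return sorted(ip for ip, users in per_ip.items() if len(users) >= threshold)
```

Running `offenders(SAMPLE_AUTH_LOG, 5)` flags only 192.0.2.10, while the same check over `SAMPLE_TRANSFER_LOG` finds no failures at all, which is why CUSTOM1_LOG pointed at pureftpd.log never triggers.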
 