CSF/LFD not picking up this attack

zmippie

Verified User
Joined
Apr 19, 2015
Messages
162
ProFTPD on our server was under attack last week, filling up gigabytes of logfiles (/var/log/secure, /var/log/proftpd/sftp.log and /var/log/proftpd/auth.log). What confuses me is why CSF/LFD is not picking up these attacks: they were from the same IP address and logged to /var/log/secure. In CSF/LFD we have FTPD_LOG = /var/log/secure configured, and many attacks on ProFTPD are successfully blocked. But this one seems to be different.

The rate of the attack is tremendous, making ProFTPD log 64 lines per second (hence the huge logfiles). The attack is done on all three IP addresses of the server, and is pretty ridiculous, trying loads of different usernames over and over again. FYI, ProFTPD is configured to only accept passwordless authentication over SSH, so these attempts are futile. Still, the log files grow immensely and have to be cleaned up manually. I'm not sure log rotation will process them correctly.

Why isn't CSF/LFD picking this up? Can it pick up attacks at this rate?

Here's one second of attack attempts (obfuscated our IP addresses and non-standard port number):

Code:
Oct 14 04:15:25 server proftpd[2046]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2046]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - Maximum login attempts (6) exceeded, connection refused
Oct 14 04:15:25 server proftpd[2050]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2049]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2051]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2050]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2051]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2049]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2049]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2051]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2050]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2050]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2051]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2049]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2051]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2050]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2049]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2051]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2049]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2051]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - Maximum login attempts (6) exceeded, connection refused
Oct 14 04:15:25 server proftpd[2049]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - Maximum login attempts (6) exceeded, connection refused
Oct 14 04:15:25 server proftpd[2050]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2050]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - Maximum login attempts (6) exceeded, connection refused
Oct 14 04:15:25 server proftpd[2053]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2052]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2054]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2053]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2052]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2054]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2053]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2054]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2052]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2053]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2052]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2054]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2054]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2052]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2054]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2053]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2054]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - Maximum login attempts (6) exceeded, connection refused
Oct 14 04:15:25 server proftpd[2053]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2053]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - Maximum login attempts (6) exceeded, connection refused
Oct 14 04:15:25 server proftpd[2052]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2052]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - Maximum login attempts (6) exceeded, connection refused
Oct 14 04:15:25 server proftpd[2056]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2055]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2057]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2055]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2057]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2056]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2057]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2055]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2056]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2055]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2056]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2057]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2056]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2057]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2055]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2056]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2057]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2056]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - Maximum login attempts (6) exceeded, connection refused
 
I presume you have LF_DISTATTACK=1 and LF_DISTFTP and LF_DISTFTP_UNIQ to quite low numbers?
And also the RESTRICT_SYSLOG = "3"?
 
I presume you have LF_DISTATTACK=1 and LF_DISTFTP and LF_DISTFTP_UNIQ to quite low numbers?
And also the RESTRICT_SYSLOG = "3"?
LF_DISTATTACK is off, and LF_DISTATTACK_UNIQ is set to 2. LF_DISTFTP is set to 0, but I suppose if LF_DISTATTACK is off, the two other options are ignored. Just to be sure: why would you flag this as a "distributed attack"? It's an attack from one and the same IP address, targeted at three of our IP addresses.

PS. I found this on the particular attacker address.
 
CSF already can't detect ProFTPD brute force anymore, since some time ago; you need to fix it yourself.

DirectAdmin BFM should take care of it automatically every scan (times); the default is a count of 100 before it is blocked.
 
CSF already can't detect ProFTPD brute force anymore, since some time ago; you need to fix it yourself.

DirectAdmin BFM should take care of it automatically every scan (times); the default is a count of 100 before it is blocked.
Okay, thanks. Point is, /usr/local/directadmin/data/admin/brute_log_entries.list is also huge when these attacks take place. BFM doesn't seem to kick in for this particular attack. Let me post part of this not very human readable log:

Code:
17595454500717=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500718=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500719=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500720=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500721=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500722=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500723=attempts=%36&filter=proftpd%33&ip=%31%38%35%2E%39%31%2E
17595454500724=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500725=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500726=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500727=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500728=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500729=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500730=attempts=%36&filter=proftpd%33&ip=%31%38%35%2E%39%31%2E
17595454500731=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500732=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500733=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500734=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500735=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
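An added example (not from the thread or from DirectAdmin) that decodes entries in the brute_log_entries.list layout shown above into readable fields and totals the attempts per IP. The entries are constructed: the post's ip values are cut off, so a complete value (the attacker IP from the thread) is assumed here.

```python
from urllib.parse import unquote

# Constructed entries in the key=attempts=..&filter=..&ip=.. layout from the post.
# The ip field is assumed to be the full attacker address; the post truncates it.
SAMPLE_ENTRIES = """\
17595454500717=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E%31%32%37%2E%31%31%34
17595454500718=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E%31%32%37%2E%31%31%34
17595454500723=attempts=%36&filter=proftpd%33&ip=%31%38%35%2E%39%31%2E%31%32%37%2E%31%31%34
"""

def decode_entries(text):
    """Return a list of (entry key, fields) with every percent-encoded value decoded."""
    rows = []
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, payload = line.partition("=")      # left of the first '=' is the entry id
        fields = {}
        for pair in payload.split("&"):
            name, _, value = pair.partition("=")
            fields[name] = unquote(value)           # e.g. %31 -> "1", %2E -> "."
        fields["attempts"] = int(fields.get("attempts", "0"))
        rows.append((key, fields))
    return rows

def attempts_per_ip(rows):
    """Total recorded attempts per decoded ip, the number BFM compares with its block count."""
    totals = {}
    for _, f in rows:
        totals[f["ip"]] = totals.get(f["ip"], 0) + f["attempts"]
    return totals
```

Decoded, the sample reads as two single attempts matched by filter proftpd1 and one batch of 6 matched by proftpd3, all from the same address.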
 
why would you flag this as a "distributed attack"
Yep, my mistake, only 1 IP indeed. But you have these already set to some values, I guess.
LF_FTPD =
LF_FTPD_PERM =

I'm also curious as to why CSF would not block these attacks on a proftpd server.
 