CSF/LFD not picking up this attack

Z

zmippie

Verified User
Joined
Apr 19, 2015
Messages
162
ProFTPD on our server was under attack last week, filling up gigabytes of logfiles (/var/log/secure, /var/log/proftpd/sftp.log and /var/log/proftpd/auth.log). What confuses me, is why CSF/LFD is not picking up these attacks, they were from the same IP address and logged to /var/log/secure. In CSF/LFD we have FTPD_LOG = /var/log/secure configured, and many attacks on ProFTPD are successfully blocked. But this one seems to be different.

The rate of the attack is tremendous, making ProFTPD log 64 lines per second (hence the huge logfiles). The attack is done on all three IP addresses of the server, and is pretty ridiculous, trying loads of different usernames over and over again. FYI, ProFTPD is configured to only accept passwordless authentication over SSH, so these attempts are futile. Still, the log files grow immensely and have to be cleaned up manually. I'm not sure log rotation will process them correctly.

Why isn't CSF/LFD picking this up? Can it pick up attacks at this rate?

Here's one second of attack attempts (obfuscated our IP addresses and non-standard port number):

Code: 
Oct 14 04:15:25 server proftpd[2046]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2046]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - Maximum login attempts (6) exceeded, connection refused
Oct 14 04:15:25 server proftpd[2050]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2049]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2051]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2050]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2051]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2049]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2049]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2051]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2050]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2050]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2051]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2049]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2051]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2050]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2049]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2051]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2049]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2051]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - Maximum login attempts (6) exceeded, connection refused
Oct 14 04:15:25 server proftpd[2049]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - Maximum login attempts (6) exceeded, connection refused
Oct 14 04:15:25 server proftpd[2050]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2050]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - Maximum login attempts (6) exceeded, connection refused
Oct 14 04:15:25 server proftpd[2053]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2052]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2054]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2053]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2052]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2054]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2053]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2054]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2052]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2053]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2052]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2054]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2054]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2052]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2054]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2053]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2054]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - Maximum login attempts (6) exceeded, connection refused
Oct 14 04:15:25 server proftpd[2053]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2053]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - Maximum login attempts (6) exceeded, connection refused
Oct 14 04:15:25 server proftpd[2052]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2052]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - Maximum login attempts (6) exceeded, connection refused
Oct 14 04:15:25 server proftpd[2056]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2055]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2057]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2055]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2057]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2056]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2057]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2055]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2056]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2055]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2056]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2057]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2056]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2057]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2055]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.92.223.217:1234
Oct 14 04:15:25 server proftpd[2056]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.32.238.97:1234
Oct 14 04:15:25 server proftpd[2057]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - USER user: no such user found from 185.91.127.114 [185.91.127.114] to ::ffff:XXX.141.219.37:1234
Oct 14 04:15:25 server proftpd[2056]: 0.0.0.0 (185.91.127.114[185.91.127.114]) - Maximum login attempts (6) exceeded, connection refused
 
Richard G said:
I presume you have LF_DISTATTACK=1 and LF_DISTFTP and LF_DISTFTP_UNIQ to quite low numbers?
And also the RESTRICT_SYSLOG = "3"?
Click to expand...
LF_DISTATTACK is off, and LF_DISTATTACK_UNIQ is set to 2. LF_DISTFTP is set to 0, but I suppose if LF_DISTATTACK is off, the two other options are ignored. Just to be sure: why would you flag this as a "distributed attack"? It's an attrack from one and the same IP address, targeted at three of our IP addresses.

PS. I found this on the particular attacker address.
 
CSF already can't detect Proftpd Bruteforce anymore, since the past, you need to fixed by yourself.

Directadmin BFM should take care by automatics every scan ( times ), default is 100 count before blocked.
 
Ohm J said:
CSF already can't detect Proftpd Bruteforce anymore, since the past, you need to fixed by yourself.

Directadmin BFM should take care by automatics every scan ( times ), default is 100 count before blocked.
Click to expand...
Okay, thanks. Point is, /usr/local/directadmin/data/admin/brute_log_entries.list is also huge when these attacks take place. BFM doesn't seem to kick in for this particular attack. Let me post part of this not very human readable log:

Code: 
17595454500717=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500718=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500719=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500720=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500721=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500722=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500723=attempts=%36&filter=proftpd%33&ip=%31%38%35%2E%39%31%2E
17595454500724=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500725=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500726=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500727=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500728=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500729=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500730=attempts=%36&filter=proftpd%33&ip=%31%38%35%2E%39%31%2E
17595454500731=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500732=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500733=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500734=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
17595454500735=attempts=%31&filter=proftpd%31&ip=%31%38%35%2E%39%31%2E
 
@Richard G
Not sure when it stop working, since I'm using ProFTPd at my first time of DA server. And it can detect BFM normally for around 2-3 year.

After that... it's broken, since I'm full of workload, so I just switch to pureFTPd.
 
You must log in or register to reply here.
Back
Top