Solved

VSFTP log file and blocking ip's of failed log in attempts

Posted on 2007-04-02
Last Modified: 2013-12-15
In my log file I have the below entries:

Apr  1 12:00:02 mail2 vsftpd(pam_unix)[16257]: check pass; user unknown
Apr  1 12:00:02 mail2 vsftpd(pam_unix)[16257]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.182.50.3
Apr  1 12:00:05 mail2 vsftpd(pam_unix)[16257]: check pass; user unknown
Apr  1 12:00:05 mail2 vsftpd(pam_unix)[16257]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.182.50.3
Apr  1 12:00:08 mail2 vsftpd(pam_unix)[16257]: check pass; user unknown
Apr  1 12:00:08 mail2 vsftpd(pam_unix)[16257]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.182.50.3
Apr  1 12:00:11 mail2 vsftpd(pam_unix)[16257]: check pass; user unknown
Apr  1 12:00:11 mail2 vsftpd(pam_unix)[16257]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.182.50.3
Apr  1 12:00:14 mail2 vsftpd(pam_unix)[16257]: check pass; user unknown
Apr  1 12:00:14 mail2 vsftpd(pam_unix)[16257]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.182.50.3
Apr  1 12:00:16 mail2 vsftpd(pam_unix)[16257]: check pass; user unknown
Apr  1 12:00:16 mail2 vsftpd(pam_unix)[16257]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.182.50.3

I have entries like this where the same IP will sit there and pound on my server for 4-8 hrs, not getting in from what I see on the log, but then the next night it will start again.

So here is what I want to do:

1 - How do I run a job that will look at the log every 2 minutes and check IPs, and if it encounters the same IP more than 5 times, copy the IP over to the etc/host.deny file?

What I am trying to do there is block the IP.

2 - Clear the etc/host.deny file of all the blocked IPs every 15 minutes.

What I am trying to do there is clear up any blocked IPs until they are caught by the above action.

What I am using is vsftp on a FC4 machine.

Or is there a better way to do this? Another program that automates it for me?
Question by:knightdogs
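As an added example (not from the question or any answer in this thread), a POSIX shell script that does the per-IP counting step 1 asks for, run over constructed log lines in the same vsftpd/pam_unix format; it also counts failures per control connection (the syslog PID), which is the caveat to keep in mind when comparing a log-based count with a per-connection firewall rule. The threshold of 5, the second source address 192.0.2.10 and the hosts.deny daemon name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Counts vsftpd/pam_unix authentication
# failures per source address and per control connection (syslog PID).

# Constructed sample lines in the same format as the thread's log excerpts;
# 62.45.52.98 comes from the thread, 192.0.2.10 is a made-up second source.
SAMPLE_LOG='Apr  8 23:45:41 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:45:44 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:45:47 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:45:49 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:45:52 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:45:55 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:46:10 mail2 vsftpd(pam_unix)[19920]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10
Apr  8 23:46:12 mail2 vsftpd(pam_unix)[19920]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10'

# Only "authentication failure" lines carry rhost=; "check pass" lines are skipped.
failed_logins() {
    grep 'vsftpd(pam_unix)\[[0-9]*\]: authentication failure' \
      | sed -n 's/.*\[\([0-9]*\)\]:.*rhost=\([0-9.]*\).*/\2 \1/p'   # "ip pid"
}

# "<failures> <ip>" per source, busiest first.
failures_per_host() {
    failed_logins | awk '{ print $1 }' | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# "<failures> <ip> <pid>": how many failures rode on one control connection.
# An iptables rule that matches only NEW connections sees repeated USER/PASS
# on a single connection (one PID) as one hit. vsftpd's max_login_fails
# (vsftpd.conf(5), default 3) closes the connection after that many failures,
# forcing a reconnect that such a rule can count.
failures_per_connection() {
    failed_logins | sort | uniq -c | awk '{ print $1, $2, $3 }'
}

# IPs with more than $1 failures (the question's threshold is 5).
offenders() {
    failures_per_host | awk -v min="$1" '$1 > min { print $2 }'
}

# hosts.deny lines for the offenders; "vsftpd" as the daemon name assumes
# vsftpd was built with tcp_wrappers support and runs with tcp_wrappers=YES.
hosts_deny_lines() {
    offenders "$1" | awk '{ print "vsftpd : " $1 }'
}

# Stand-alone run over the sample; a cron job would pipe the real log instead.
printf '%s\n' "$SAMPLE_LOG" | hosts_deny_lines 5
```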

Expert Comment

by:slyong
ID: 18840133
iptables can be used to detect such attacks.  You can get a reference here: http://blog.andrew.net.au/2005/02/16

Just need to change the --dport 22 to --dport 21 (for ftp).

Author Comment

by:knightdogs
ID: 18842858
slyong,
I looked at that site; are you suggesting adding the following to iptables?

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP


Expert Comment

by:slyong
ID: 18846232
Hi,

Use port 21 instead of port 22 and FTP instead of SSH as follows:

iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set --name FTP
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j FTP_WHITELIST
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP -j ULOG --ulog-prefix FTP_brute_force
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP -j DROP
Author Comment

by:knightdogs
ID: 18847952
slyong
I entered in the first line, and when I entered in the second line I got this error:

[root@mail2 ~]# iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set --name ftp
[root@mail2 ~]# iptables -A INPUT -p tcp --dport 21 -j ftp_whitelist
iptables v1.3.0: Couldn't load target `ftp_whitelist':/lib/iptables/libipt_ftp_whitelist.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

Where do I need to create the ftp_whitelist file?  And what exactly do I need to name it?

K

Expert Comment

by:slyong
ID: 18848246
Sorry I didn't make this part clear.  If you wish to use the whitelist, you need to have this:

iptables -N FTP_WHITELIST
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set --name FTP
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j FTP_WHITELIST
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP -j ULOG --ulog-prefix FTP_brute_force
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP -j DROP

I would suggest you use upper case as in the example above to avoid confusion.
Author Comment

by:knightdogs
ID: 18854018
slyong,
I have entered it in just as you have typed and just restarted the system.  How will I know if the rules are there and working?  iptables -L and look for them?  Also, where will the FTP_WHITELIST file be located?
Also, any suggestions on how to test it other than just messing up a few log-ins to see if it locks me out?

I would also guess that in my log files, if this is working, I should see a great decrease in the failed attempts, correct?

Please forgive the newb questions, and thank you for your time and effort on this.  I respect the knowledge and effort it has taken to get you to this point and for you to help me.

K

Expert Comment

by:slyong
ID: 18854901
Hi K,

Sorry that I didn't explain in detail.  Let me do that now:

1) What you have mentioned about the attack is called a brute force attack.  There are a few ways to "try" to counter that:
    (a) Change the ftp port to something else rather than port 21.  This works 90% of the time because most brute force attacks (90% of them) are launched from automated scripts that just scan for ftp services (which is on port 21).
    (b) Using iptables like what we are doing now.

2) iptables itself is a whole world of knowledge by itself.  I would suggest you read up on iptables if you can.  For what we are doing, I will explain it here:
    (a) Actually what we really need for this to work is just 2 lines:
          iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set --name FTP
          iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP -j DROP

          The first line tells iptables to keep a record if there is a new connection to port 21, with the name FTP.  This name is used later on in the second line.  The second line states that if there are 4 continuous attempts to connect to port 21 within the time frame of 60 seconds, stop the access from the IP.
    (b) The rest of the lines:
          iptables -N FTP_WHITELIST  **creates a FTP_WHITELIST (this is not from a file); it works like an internal storage.
          iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j FTP_WHITELIST  **this line makes sure that the IPs in the FTP_WHITELIST are not blocked
          iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP -j LOG --log-prefix FTP_brute_force  **this creates a log entry (normally in /var/log/message depending on your syslog.conf), so that you know someone is blocked.  Take note that I changed this line a bit by using LOG and --log-prefix instead of ULOG and --ulog-prefix.  ULOG is a user space log, ulogd, which has to be installed separately.  LOG just uses the standard syslog that comes with most Linux distributions (including FC4).

3) Now for iptables, you need to save the rules before you reboot your machine.  This can be done by issuing the command:
    # service iptables save
to save whatever you have typed into the command line.

4) The FTP_WHITELIST is not a file; it works like an internal storage, so if you want to add some IP to the FTP_WHITELIST, you have to use the command:
    iptables -A FTP_WHITELIST -s 123.123.123.123 -m recent --remove --name FTP -j ACCEPT
where 123.123.123.123 is the machine that you want to include in the FTP_WHITELIST (and remember to save the rules).

So, to do everything, you will have something like this:

iptables -N FTP_WHITELIST
iptables -A FTP_WHITELIST -s 123.123.123.111 -m recent --remove --name FTP -j ACCEPT
iptables -A FTP_WHITELIST -s 123.123.123.222 -m recent --remove --name FTP -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set --name FTP
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j FTP_WHITELIST
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP -j LOG --log-prefix FTP_brute_force
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP -j DROP

Then to ensure that it works, look into your /var/log/message for the message starting with FTP_brute_force, as well as your ftp log to see if those IPs are blocked out.

Regards,
slyong
Author Comment

by:knightdogs
ID: 18855292
slyong,
I had added the previous entries before your last post.  I had saved the entries and restarted the machine.  Here is what my iptables -L shows:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
           tcp  --  anywhere             anywhere            tcp dpt:ftp state NEW recent: SET name: FTP side: source
FTP_WHITELIST  tcp  --  anywhere             anywhere            tcp dpt:ftp state NEW
ULOG       tcp  --  anywhere             anywhere            tcp dpt:ftp state NEW recent: UPDATE seconds: 120 hit_count: 4 TTL-Match name: FTP side: source ULOG copy_range 0 nlgroup 1 prefix `FTP_brute_force' queue_threshold 1
DROP       tcp  --  anywhere             anywhere            tcp dpt:ftp state NEW recent: UPDATE seconds: 120 hit_count: 4 TTL-Match name: FTP side: source


I went in and tried to FTP in 8 times and it let me with wrong user and pass, so I guess I messed up something.

I looked into my logs and saw where I had tried to log in and failed.  Can you point out where I messed up?


K

Accepted Solution

by:
slyong earned 500 total points
ID: 18855955
Hi K,

You can look into your /etc/sysconfig/iptables and look for the corresponding entries to remove those by hand, restart iptables.  Then put in the iptables command again.  That is easier to troubleshoot.

Regards,
Linus
Author Comment

by:knightdogs
ID: 18877799
slyong,
I have done what you said 2 times and it is still not working.  Here is what my log is showing:

Apr  8 23:45:41 mail2 vsftpd(pam_unix)[19915]: check pass; user unknown
Apr  8 23:45:41 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:45:44 mail2 vsftpd(pam_unix)[19915]: check pass; user unknown
Apr  8 23:45:44 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:45:47 mail2 vsftpd(pam_unix)[19915]: check pass; user unknown
Apr  8 23:45:47 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:45:49 mail2 vsftpd(pam_unix)[19915]: check pass; user unknown
Apr  8 23:45:49 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:45:52 mail2 vsftpd(pam_unix)[19915]: check pass; user unknown
Apr  8 23:45:52 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:45:55 mail2 vsftpd(pam_unix)[19915]: check pass; user unknown
Apr  8 23:45:55 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:45:57 mail2 vsftpd(pam_unix)[19915]: check pass; user unknown
Apr  8 23:45:57 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:46:00 mail2 vsftpd(pam_unix)[19915]: check pass; user unknown
Apr  8 23:46:00 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98

Is there somewhere I can check to make sure it is logging and counting the log-in attempts?



Dennis