Solved

VSFTP log file and blocking ip's of failed log in attempts

Posted on 2007-04-02
984 Views
Last Modified: 2013-12-15
In my log file I have the below entries:

Apr  1 12:00:02 mail2 vsftpd(pam_unix)[16257]: check pass; user unknown
Apr  1 12:00:02 mail2 vsftpd(pam_unix)[16257]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.182.50.3
Apr  1 12:00:05 mail2 vsftpd(pam_unix)[16257]: check pass; user unknown
Apr  1 12:00:05 mail2 vsftpd(pam_unix)[16257]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.182.50.3
Apr  1 12:00:08 mail2 vsftpd(pam_unix)[16257]: check pass; user unknown
Apr  1 12:00:08 mail2 vsftpd(pam_unix)[16257]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.182.50.3
Apr  1 12:00:11 mail2 vsftpd(pam_unix)[16257]: check pass; user unknown
Apr  1 12:00:11 mail2 vsftpd(pam_unix)[16257]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.182.50.3
Apr  1 12:00:14 mail2 vsftpd(pam_unix)[16257]: check pass; user unknown
Apr  1 12:00:14 mail2 vsftpd(pam_unix)[16257]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.182.50.3
Apr  1 12:00:16 mail2 vsftpd(pam_unix)[16257]: check pass; user unknown
Apr  1 12:00:16 mail2 vsftpd(pam_unix)[16257]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.182.50.3

I have entries like this where the same IP will sit there and pound on my server for 4-8 hrs, not getting in from what I see in the log, but then the next night it will start again.

So here is what I want to do:

1- How do I run a job that will look at the log every 2 minutes and check IPs, and if it encounters the same IP more than 5 times, copy the IP over to the etc/host.deny file?

What I am trying to do there is block the IP.

2- Clear the etc/host.deny file of all the blocked IPs every 15 minutes.

What I am trying to do there is clear up any blocked IPs until they are caught by the above action.

What I am using is vsftp on an FC4 machine.

Or is there a better way to do this? Another program that automates it for me?
Question by:knightdogs
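The batch job described in points 1 and 2 of the question, as an added example that is not part of the original post. It counts the vsftpd(pam_unix) "authentication failure" lines per rhost, writes repeat offenders into a hosts.deny-style file and can clear them again. Assumptions not stated in the thread: the file is /etc/hosts.deny (the question spells it "etc/host.deny"), the daemon name to deny is "vsftpd", and vsftpd is built with tcp_wrappers support and has tcp_wrappers=YES in vsftpd.conf, because otherwise hosts.deny is never consulted. The sample log is constructed from the lines quoted above; note that all of those lines share one vsftpd PID, so they are retries inside one FTP session, which a log-based count sees while a per-connection rate rule does not.

```shell
#!/bin/sh
# Added example (not code from the thread). Counts vsftpd PAM authentication
# failures per source address and turns repeat offenders into hosts.deny entries.
# Assumed (not from the thread): deny file /etc/hosts.deny, daemon name "vsftpd",
# vsftpd running with tcp_wrappers=YES.

# Constructed sample: six failures from the address seen in the question and
# two from a second (documentation-range) address that stays under the threshold.
SAMPLE_LOG='Apr  1 12:00:02 mail2 vsftpd(pam_unix)[16257]: check pass; user unknown
Apr  1 12:00:02 mail2 vsftpd(pam_unix)[16257]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.182.50.3
Apr  1 12:00:05 mail2 vsftpd(pam_unix)[16257]: check pass; user unknown
Apr  1 12:00:05 mail2 vsftpd(pam_unix)[16257]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.182.50.3
Apr  1 12:00:08 mail2 vsftpd(pam_unix)[16257]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.182.50.3
Apr  1 12:00:11 mail2 vsftpd(pam_unix)[16257]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.182.50.3
Apr  1 12:00:14 mail2 vsftpd(pam_unix)[16257]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.182.50.3
Apr  1 12:00:16 mail2 vsftpd(pam_unix)[16257]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.182.50.3
Apr  1 12:03:40 mail2 vsftpd(pam_unix)[16301]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10
Apr  1 12:03:44 mail2 vsftpd(pam_unix)[16301]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10'

# Print every rhost with at least $1 authentication failures, one per line.
# Only "authentication failure" lines are counted: each failed login also
# produces a "check pass" line, and counting both would double the tally.
count_failures() {
    threshold="$1"
    grep 'vsftpd(pam_unix)' | grep 'authentication failure' \
        | sed -n 's/.*rhost=\([0-9.][0-9.]*\).*/\1/p' \
        | sort | uniq -c \
        | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Append "vsftpd: <ip>" for each IP read on stdin to the deny file, skipping
# IPs already listed so that a run every 2 minutes does not grow the file.
deny_ips() {
    deny_file="$1"
    while read -r ip; do
        [ -n "$ip" ] || continue
        esc=$(printf '%s' "$ip" | sed 's/\./\\./g')   # literal dots in the regex
        if ! grep -q "^vsftpd: $esc\$" "$deny_file" 2>/dev/null; then
            printf 'vsftpd: %s\n' "$ip" >> "$deny_file"
        fi
    done
}

# Remove every "vsftpd: <ip>" line from the deny file (the 15-minute cleanup
# from point 2); entries for other daemons are left alone.
clear_denies() {
    deny_file="$1"
    [ -f "$deny_file" ] || return 0
    grep -v '^vsftpd: ' "$deny_file" > "$deny_file.tmp" || true
    mv "$deny_file.tmp" "$deny_file"
}

# Stand-alone demo on the constructed sample. From cron you would read the real
# log instead of $SAMPLE_LOG, for example (assumed path and script name):
#   */2 * * * * root /usr/local/sbin/ftp-deny.sh
printf '%s\n' "$SAMPLE_LOG" | count_failures 5
```

Running it prints 211.182.50.3 and nothing for 192.0.2.10. A production version would read the log with `count_failures 5 < /path/to/log | deny_ips /etc/hosts.deny` from the 2-minute job and call `clear_denies /etc/hosts.deny` from the 15-minute one.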
10 Comments

Expert Comment

by:slyong
ID: 18840133
iptables can be used to detect such attacks.  You can get a reference here: http://blog.andrew.net.au/2005/02/16

Just need to change the --dport 22 to --dport 21 (for ftp).

Author Comment

by:knightdogs
ID: 18842858
slyong,
I looked at that site. Are you suggesting adding the following to iptables?

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

Expert Comment

by:slyong
ID: 18846232
Hi,

Use port 21 instead of port 22 and FTP instead of SSH as follows:

iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set --name FTP
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j FTP_WHITELIST
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP -j ULOG --ulog-prefix FTP_brute_force
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP -j DROP

Author Comment

by:knightdogs
ID: 18847952
slyong,
I entered the first line, and when I entered the second line I got this error:

[root@mail2 ~]# iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set --name ftp
[root@mail2 ~]# iptables -A INPUT -p tcp --dport 21 -j ftp_whitelist
iptables v1.3.0: Couldn't load target `ftp_whitelist':/lib/iptables/libipt_ftp_whitelist.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

Where do I need to create the ftp_whitelist file?  And what exactly do I need to name it?

K

Expert Comment

by:slyong
ID: 18848246
Sorry I didn't make this part clear.  If you wish to use the whitelist, you need to have this:

iptables -N FTP_WHITELIST
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set --name FTP
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j FTP_WHITELIST
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP -j ULOG --ulog-prefix FTP_brute_force
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP -j DROP

I would suggest you use upper case as in the example above to avoid confusion.

Author Comment

by:knightdogs
ID: 18854018
slyong,
I have entered it in just as you have typed and just restarted the system.  How will I know if the rules are there and working?  iptables -L and look for them?  Also, where will the FTP_WHITELIST file be located?
Also, any suggestions on how to test it other than just messing up a few log-ins to see if it locks me out?

I would also guess that in my log files, if this is working, I should see a great decrease in the failed attempts, correct?

Please forgive the newb questions, and thank you for your time and effort on this.  I respect the knowledge and effort it has taken to get you to this point and for you to help me.

K

Expert Comment

by:slyong
ID: 18854901
Hi K,

Sorry that I didn't explain in detail.  Let me do that now:

1) What you have mentioned about the attack is called a brute force attack.  There are a few ways to "try" to counter that:
    (a) Change the ftp port to something other than port 21.  This works 90% of the time because most brute force attacks (90% of them) are launched from automated scripts that just scan for ftp services (which are on port 21).
    (b) Using iptables like what we are doing now.

2) iptables is a whole world of knowledge by itself.  I would suggest you read up on iptables if you can.  For what we are doing, I will explain it here:
    (a) Actually, what we really need for this to work is just 2 lines:
          iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set --name FTP
          iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP -j DROP

          The first line tells iptables to keep a record, with the name FTP, if there is a new connection to port 21.  This name is used later on in the second line.  The second line states that if there are 4 consecutive attempts to connect to port 21 within the time frame of 60 seconds, stop the access from the IP.
    (b) The rest of the lines:
          iptables -N FTP_WHITELIST  **creates an FTP_WHITELIST (this is not from a file); it works like an internal storage.
          iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j FTP_WHITELIST  **this line makes sure that the IPs in the FTP_WHITELIST are not blocked
          iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP -j LOG --log-prefix FTP_brute_force  **this creates a log entry (normally in /var/log/message depending on your syslog.conf), so that you know someone is blocked.  Take note that I changed this line a bit by using LOG and --log-prefix instead of ULOG and --ulog-prefix.  ULOG is a user-space log, ulogd, which has to be installed separately.  LOG just uses the standard syslog that comes with most Linux distributions (including FC4).

3) Now for iptables, you need to save the rules before you reboot your machine.  This can be done by issuing the command:
    # service iptables save
to save whatever you have typed into the command line.

4) The FTP_WHITELIST is not a file; it works like an internal storage, so if you want to add some IP to the FTP_WHITELIST, you have to use the command:
    iptables -A FTP_WHITELIST -s 123.123.123.123 -m recent --remove --name FTP -j ACCEPT
where 123.123.123.123 is the machine that you want to include to the FTP_WHITELIST (and remember to save the rules).

So, to do everything, you will have something like this:

iptables -N FTP_WHITELIST
iptables -A FTP_WHITELIST -s 123.123.123.111 -m recent --remove --name FTP -j ACCEPT
iptables -A FTP_WHITELIST -s 123.123.123.222 -m recent --remove --name FTP -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set --name FTP
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j FTP_WHITELIST
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP -j LOG --log-prefix FTP_brute_force
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP -j DROP

Then to ensure that it works, look into your /var/log/message for the messages starting with FTP_brute_force, as well as your ftp log, to see if those IPs are blocked out.

Regards,
slyong

Author Comment

by:knightdogs
ID: 18855292
slyong,
I had added the previous entries before your last post.  I had saved the entries and restarted the machine.  Here is what my iptables -L shows:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
           tcp  --  anywhere             anywhere            tcp dpt:ftp state NEW recent: SET name: FTP side: source
FTP_WHITELIST  tcp  --  anywhere             anywhere            tcp dpt:ftp state NEW
ULOG       tcp  --  anywhere             anywhere            tcp dpt:ftp state NEW recent: UPDATE seconds: 120 hit_count: 4 TTL-Match name: FTP side: source ULOG copy_range 0 nlgroup 1 prefix `FTP_brute_force' queue_threshold 1
DROP       tcp  --  anywhere             anywhere            tcp dpt:ftp state NEW recent: UPDATE seconds: 120 hit_count: 4 TTL-Match name: FTP side: source


I went in and tried to FTP in 8 times and it let me with a wrong user and pass, so I guess I messed up something.

I looked into my logs and saw where I had tried to log in and failed.  Can you point out where I messed up?


K

Accepted Solution

by:slyong (earned 500 total points)
ID: 18855955
Hi K,

You can look into your /etc/sysconfig/iptables, look for the corresponding entries, remove those by hand, and restart iptables.  Then put in the iptables commands again.  That is easier to troubleshoot.

Regards,
Linus

Author Comment

by:knightdogs
ID: 18877799
slyong,
I have done what you said 2 times and it is still not working.  Here is what my log is showing:

Apr  8 23:45:41 mail2 vsftpd(pam_unix)[19915]: check pass; user unknown
Apr  8 23:45:41 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:45:44 mail2 vsftpd(pam_unix)[19915]: check pass; user unknown
Apr  8 23:45:44 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:45:47 mail2 vsftpd(pam_unix)[19915]: check pass; user unknown
Apr  8 23:45:47 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:45:49 mail2 vsftpd(pam_unix)[19915]: check pass; user unknown
Apr  8 23:45:49 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:45:52 mail2 vsftpd(pam_unix)[19915]: check pass; user unknown
Apr  8 23:45:52 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:45:55 mail2 vsftpd(pam_unix)[19915]: check pass; user unknown
Apr  8 23:45:55 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:45:57 mail2 vsftpd(pam_unix)[19915]: check pass; user unknown
Apr  8 23:45:57 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:46:00 mail2 vsftpd(pam_unix)[19915]: check pass; user unknown
Apr  8 23:46:00 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98

Is there somewhere I can check to make sure it is logging and counting the log-in attempts?



Dennis
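One place to check whether the `-m recent --name FTP` rules from slyong's explanation are counting anything, as an added example that is not part of the thread. The recent match keeps its state in a kernel table that the kernel exports under /proc; the helper below reads that table and lists each tracked source with the number of NEW connections recorded for it. Assumptions not stated in the thread: the table lives at /proc/net/xt_recent/FTP (on older 2.6 kernels such as FC4's, /proc/net/ipt_recent/FTP), and each line has the layout shown in the constructed sample (`src=... ttl: ... last_seen: ... oldest_pkt: N` followed by the recorded packet timestamps); the older module's file may differ. Two caveats for reading the output: the count is every timestamp the module still holds (up to its list size), not only those inside the `--seconds 60` window, so it shows that an address is being tracked rather than that it was dropped; and the module only counts new TCP connections, so the repeated failures inside one session (same vsftpd PID in the logs above) do not add to it. The LOG line with the FTP_brute_force prefix remains the confirmation that a DROP happened.

```shell
#!/bin/sh
# Added example (not code from the thread). Reads the iptables "recent" table
# for a given --name and summarises which sources are tracked and how many
# NEW connections were recorded for each.
# Assumed (not from the thread): table path /proc/net/xt_recent/<name> or
# /proc/net/ipt_recent/<name>, one line per source in the layout below.

# Constructed sample of what such a table looks like: four recorded
# connections from the address in the question, one from a second address.
SAMPLE_TABLE='src=211.182.50.3 ttl: 112 last_seen: 4294740 oldest_pkt: 3 4294701, 4294720, 4294740, 4294760
src=192.0.2.10 ttl: 64 last_seen: 4294500 oldest_pkt: 1 4294500'

# Print the path of the recent table for --name $1, or fail if none is readable.
recent_table_path() {
    name="$1"
    for dir in /proc/net/xt_recent /proc/net/ipt_recent; do
        if [ -r "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# Summarise a recent table read on stdin as "<ip> <hits>" per source, where
# hits is the number of recorded timestamps, most active source first.
summarize_recent() {
    awk '
        /^src=/ {
            ip = substr($1, 5)          # strip the "src=" prefix
            hits = 0
            # the timestamps are the fields after "oldest_pkt: N"
            for (i = 1; i <= NF; i++) {
                if ($i == "oldest_pkt:") { hits = NF - i - 1; break }
            }
            print ip, hits
        }' | sort -k2,2nr
}

# Sources whose recorded hits have reached the rule'"'"'s --hitcount ($1; 4 in the thread).
sources_at_hitcount() {
    threshold="$1"
    summarize_recent | awk -v t="$threshold" '$2 >= t { print $1 }'
}

# Stand-alone run: use the live table if present, otherwise the constructed sample.
if path=$(recent_table_path FTP); then
    summarize_recent < "$path"
else
    echo "no recent table named FTP found; summarising the constructed sample:" >&2
    printf '%s\n' "$SAMPLE_TABLE" | summarize_recent
fi
```

On the sample this prints `211.182.50.3 4` and `192.0.2.10 1`; on a live system it lists whatever the `--set --name FTP` rule has recorded, which is the quickest way to tell whether the rules are seeing the connections at all before looking for FTP_brute_force entries in syslog.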