LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 02-17-2009, 04:18 AM   #1
dlugasx
vsftpd brute force attack - how to resolve IP?


Hi all,

This morning I found thousands of entries like this one in my "secure" log:

Quote:
Feb 16 16:20:01 a1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=dtw.directtechweb.com
Feb 16 16:20:01 a1 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
Somebody is using brute force to try to hack my vsftpd access.

If I have an entry like this, how can I block the user who is trying to hack my FTP server?

Where can I find the IP address of the attacker?
 
Old 02-17-2009, 04:23 AM   #2
routers
Check the other log files: secure, messages.
If possible, change your vsftpd port and inform your customers about the port change.
 
Old 02-17-2009, 04:49 AM   #3
dlugasx
Quote:
Originally Posted by routers View Post
Check the other log files: secure, messages.
If possible, change your vsftpd port and inform your customers about the port change.
A port change is impossible (production restrictions).

How can I find and block the IP of that hacker?
 
Old 02-17-2009, 05:03 AM   #4
routers
Normally it is here:
Code:
[root@estin201 ~]# tail /var/log/secure
Feb 17 19:05:41 estin201 sshd[1098]: reverse mapping checking getaddrinfo for 132.115.in-addr.arpa failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 17 19:05:45 estin201 sshd[1098]: Accepted password for root from 115.132.84.249 port 32975 ssh2
Feb 17 19:05:45 estin201 sshd[1098]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 17 19:07:33 estin201 sshd[1132]: reverse mapping checking getaddrinfo for 132.115.in-addr.arpa failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 17 19:07:34 estin201 sshd[1132]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.132.84.249  user=root
Feb 17 19:07:36 estin201 sshd[1132]: Failed password for root from 115.132.84.249 port 35263 ssh2
[root@estin201 ~]#

 
Old 02-17-2009, 05:12 AM   #5
dlugasx
Today it looks like this...


Quote:
Feb 16 16:20:01 a1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=dtw.directtechweb.com
Feb 16 16:20:01 a1 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
Feb 16 16:20:04 a1 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Feb 16 16:20:04 a1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=dtw.directtechweb.com
Feb 16 16:20:04 a1 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
Feb 16 16:20:08 a1 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Feb 16 16:20:08 a1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=dtw.directtechweb.com
Feb 16 16:20:08 a1 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
Feb 16 16:20:12 a1 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Feb 16 16:20:12 a1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=dtw.directtechweb.com
Feb 16 16:20:12 a1 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
Feb 16 16:20:16 a1 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Feb 16 16:20:16 a1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=dtw.directtechweb.com
Feb 16 16:20:16 a1 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
Feb 16 16:20:19 a1 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Feb 16 16:20:19 a1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=dtw.directtechweb.com
Feb 16 16:20:19 a1 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
Feb 16 16:20:23 a1 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Feb 16 16:20:23 a1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=dtw.directtechweb.com
Feb 16 16:20:23 a1 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
Feb 16 16:20:26 a1 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Feb 16 16:20:26 a1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=dtw.directtechweb.com
Feb 16 16:20:26 a1 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
Feb 16 16:20:30 a1 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
 
Old 02-17-2009, 05:18 AM   #6
routers
Whose domain and IP is this?

[root@noc ~]# nslookup dtw.directtechweb.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: dtw.directtechweb.com
Address: 74.52.88.194
 
Old 02-17-2009, 05:29 AM   #7
dlugasx
Quote:
Originally Posted by routers View Post
Whose domain and IP is this?

[root@noc ~]# nslookup dtw.directtechweb.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: dtw.directtechweb.com
Address: 74.52.88.194
I did it, but it is still trying to hack this poor machine.

/etc/host.deny

/firewall drop everything from that IP

ehhh...


I think I will write an email with a first warning to the owner of that domain.

 
Old 02-17-2009, 05:35 AM   #8
routers
Don't forget to CC the upline:

abuse@theplanet.com

The IP range is owned by them.
 
Old 02-17-2009, 05:38 AM   #9
repo
Quote:
Where can I find an IP address of the attacker
Code:
repo@cannabis:~$ dig dtw.directtechweb.com

; <<>> DiG 9.5.1-P1 <<>> dtw.directtechweb.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33462
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;dtw.directtechweb.com.		IN	A

;; ANSWER SECTION:
dtw.directtechweb.com.	14400	IN	A	74.52.88.194

;; AUTHORITY SECTION:
dtw.directtechweb.com.	86400	IN	NS	ns1.directtechweb.com.
dtw.directtechweb.com.	86400	IN	NS	ns2.directtechweb.com.

;; ADDITIONAL SECTION:
ns1.directtechweb.com.	14400	IN	A	74.52.88.194
ns2.directtechweb.com.	14400	IN	A	74.52.88.195

;; Query time: 157 msec
;; SERVER: 212.71.8.10#53(212.71.8.10)
;; WHEN: Tue Feb 17 12:35:54 2009
;; MSG SIZE  rcvd: 123

repo@cannabis:~$
Code:
repo@cannabis:~$ whois 74.52.88.194| grep abuse
OrgAbuseEmail:  abuse@theplanet.com
network:Tech-Contact;I:abuse@theplanet.com
network:Admin-Contact;I:abuse@theplanet.com
repo@cannabis:~$
Also, you could install fail2ban, which will block the IP after x attempts, or use iptables.
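As an added illustration (not code from any poster), here is a Python script that answers the "where is the IP" question from the log side: it parses the pam_unix(vsftpd:auth) failure lines in the format of the /var/log/secure excerpt above, counts failures per rhost, and reports hosts at or over a threshold as candidates for hosts.deny or an iptables drop. The sample lines are constructed after the thread's excerpt, with 192.0.2.10 a made-up second host; rhost is logged as a hostname here, so it still has to be resolved with dig or getent as shown in this thread.

```python
import re
from collections import Counter, defaultdict

# Matches the pam_unix(vsftpd:auth) "authentication failure" lines as written
# to /var/log/secure (format taken from the thread's excerpt). The companion
# "check pass" and pam_succeed_if lines carry no rhost and are skipped.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) vsftpd: "
    r"pam_unix\(vsftpd:auth\): authentication failure; .*?"
    r"ruser=(?P<ruser>\S*) rhost=(?P<rhost>\S+)"
)


def parse_failures(lines):
    """Yield (timestamp, ruser, rhost) for every vsftpd auth failure line."""
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            yield m.group("ts"), m.group("ruser"), m.group("rhost")


def summarize(lines, threshold=3):
    """Count failures per remote host and return the hosts at/over threshold
    together with the usernames they tried (input for a block decision)."""
    per_host = Counter()
    users = defaultdict(set)
    for _ts, ruser, rhost in parse_failures(lines):
        per_host[rhost] += 1
        users[rhost].add(ruser)
    return {h: {"failures": n, "users": sorted(users[h])}
            for h, n in per_host.items() if n >= threshold}


# Constructed sample modelled on the thread's excerpt; 192.0.2.10 is a
# documentation-range address added to show a host under the threshold.
SAMPLE = """\
Feb 16 16:20:01 a1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=dtw.directtechweb.com
Feb 16 16:20:01 a1 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
Feb 16 16:20:04 a1 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Feb 16 16:20:04 a1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=dtw.directtechweb.com
Feb 16 16:20:08 a1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=dtw.directtechweb.com
Feb 16 16:21:00 a1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=alice rhost=192.0.2.10
""".splitlines()

if __name__ == "__main__":
    for host, info in summarize(SAMPLE).items():
        print(f"{host}: {info['failures']} failures, users tried: {info['users']}")
```

On a real box, feed it `sys.stdin` from `grep vsftpd /var/log/secure` instead of SAMPLE.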
 
Old 02-17-2009, 06:17 AM   #10
jschiwal
I think that /etc/hosts.deny is used for xinetd services. Is that how you have vsftp configured? If it isn't, look at the PAM controls.

Check your /etc/pam.d/vsftp configuration. Add "Administrator" to /etc/ftpusers if it is used to deny access.

If you see "sense=deny file=/etc/ftpusers", then adding "Administrator" to /etc/ftpusers will deny that username, which I assume you aren't using.

I think you could add a line to /etc/pam.d/vsftpd to deny hosts the way that /etc/ftpusers denies users.
Code:
auth     required       pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth     required       pam_listfile.so item=host sense=deny file=/etc/ftphosts onerr=succeed
Put the hostname, IP address or both in /etc/ftphosts (I made up the filename).

Try adding a local host and see if anyone from that host is denied access.

Does your server use anonymous access? If not, then you can use /etc/security/access.conf as well. (AFAIK from reading /etc/pam/vsftpd)

---
Another quick way of finding an IP address is
getent hosts <hostname>
Code:
getent hosts dtw.directtechweb.com
74.52.88.194    dtw.directtechweb.com
Information on the provider:
http://whois.domaintools.com/74.52.88.194

Looking at the site itself, it looks like a new install. They may have been hacked themselves.

 
Old 02-17-2009, 06:46 AM   #11
routers
@jschiwal
On a CentOS system with vsftpd installed and running, I didn't find the two files you mentioned:
1) /etc/pam.d/vsftp
2) /etc/ftpusers

Do we need to create them manually? Please advise; it would be good for all.

Thanks
 
Old 02-17-2009, 07:13 AM   #12
jschiwal
Do you have the /etc/pam.d/vsftp file?
If you do, the second line I listed is one I created. Look at the manpage for pam_listfile. The item can be a hostname, so you can create a new file and use it as a host blacklist. (the /etc/hostname)

If you don't have an /etc/ftpusers file, your ftp service may not be configured. If it is used as a user blacklist, it should contain at least system users.

---

Look at "sudo /sbin/chkconfig vsftp". Does it say "on" or "xinetd"?

On Fedora and openSUSE, there is a /etc/pam.d/vsftp file that is used to control access and handle authentication for the vsftp service.

You may have it configured to be controlled by xinetd. If that is the case, then vsftp spawns a new service per request. The /etc/hosts.allow and /etc/hosts.deny controls should work.

Look for the /etc/xinet.d/vsftpd file. It tends to be used more for resource control. It defers access control to the vsftpd.conf file.

---
If your system uses pam, you can also add an entry in /etc/security/access.conf to control login access.

# Deny login access for anyone from 74.52.88.194
-:ALL:74.52.88.194

---

You can also add an iptables rule to drop the ip address in the firewall as well. This will protect all ports. Especially if you have a dedicated firewall which would drop the traffic before reaching your FTP server.
 
Old 02-17-2009, 09:21 PM   #13
CaptainInsane
Use iptables AND fail2ban.

Here are some rules for vsftpd I use in my fail2ban jail.conf file:

Code:
# ban on DOS/flood attacks

[vsftpd-iptables-dos]

enabled  = true
filter   = vsftpd_dos
action   = iptables[name=VSFTPD_DOS, port=ftp, protocol=tcp]
	hostsdeny
logpath  = /var/log/vsftpd.log
maxretry = 3
findtime = 15
bantime  = 2400

# ban on 530 Login incorrect

[vsftpd-iptables]

enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
	hostsdeny
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 60

# ban on 530 Permission denied

[vsftpd-iptables-deny]

enabled  = true
filter   = vsftpd_deny
action   = iptables[name=VSFTPD_DENY, port=ftp, protocol=tcp]
	hostsdeny
logpath  = /var/log/vsftpd.log
maxretry = 2
bantime  = 2400
Pretty much a waste of time to try and track the attackers. Most of them will be in China, North Korea or some Eastern European country....

Since I installed fail2ban, my log files have decreased in size 90%.
 
Old 02-18-2009, 01:56 AM   #14
CaptainInsane
Whoops.

Suppose that would be more useful if the info needed in the
fail2ban/filter.d folder were included...

Include the following lines in files vsftpd.conf, vsftpd_dos.conf
and vsftpd_deny.conf

Code:
failregex = .*Client "<HOST>",."530 Login incorrect."$

failregex = .*Client "<HOST>",."530 .*$

failregex = .*Client "<HOST>",."530 Permission denied."$
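To check these three failregex lines offline before enabling the jails, here is an added Python snippet (not from the post) that expands <HOST> the way the fail2ban 0.8 series does, as far as I recall it (an assumption), and runs the filters over constructed vsftpd.log "FTP response" lines of the kind vsftpd writes with log_ftp_protocol=YES. It also makes visible that the vsftpd_dos pattern ("530 .*") matches every 530 reply, so a line that trips vsftpd or vsftpd_deny trips the dos jail too.

```python
import re

# fail2ban 0.8 expands <HOST> to this named group before compiling a failregex.
# Quoted from memory for the offline check, so treat it as an assumption.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The three failregex lines from the post, keyed by the filter file they go in.
FILTERS = {
    "vsftpd": r'.*Client "<HOST>",."530 Login incorrect."$',
    "vsftpd_dos": r'.*Client "<HOST>",."530 .*$',
    "vsftpd_deny": r'.*Client "<HOST>",."530 Permission denied."$',
}


def compile_filter(failregex):
    """Substitute <HOST> and compile, as fail2ban does for each filter."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def match_hosts(failregex, lines):
    """Return the hosts a failregex would extract (and thus ban) from lines."""
    rx = compile_filter(failregex)
    return [m.group("host") for m in map(rx.search, lines) if m]


# Constructed vsftpd.log lines; the addresses are documentation-range examples.
SAMPLE = [
    'Mon Feb 16 16:20:01 2009 [pid 2345] FTP response: Client "192.0.2.10", "530 Login incorrect."',
    'Mon Feb 16 16:20:04 2009 [pid 2346] FTP response: Client "192.0.2.11", "530 Permission denied."',
    'Mon Feb 16 16:20:08 2009 [pid 2347] FTP response: Client "192.0.2.12", "230 Login successful."',
    'Mon Feb 16 16:20:09 2009 [pid 2347] FTP command: Client "192.0.2.12", "PASS <password>"',
]


def report(lines=SAMPLE):
    """Map each filter name to the hosts it would ban on the given lines."""
    return {name: match_hosts(rx, lines) for name, rx in FILTERS.items()}


if __name__ == "__main__":
    for name, hosts in report().items():
        print(f"{name}: {hosts}")
```

The same check can be done against real lines with `fail2ban-regex /var/log/vsftpd.log /etc/fail2ban/filter.d/vsftpd.conf`.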
 
  

