vsftpd brutte force attack

dlugasx · 02-17-2009, 05:18 AM

Hi all,

today morning I found in my "secure" log thousand entries like this one:

Quote:

Feb 16 16:20:01 a1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=dtw.directtechweb.com
Feb 16 16:20:01 a1 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator

Using brutte force somebody trying to hack my vsftpd access.

If I have entry like this how can I block user which trying to hack my FTP server ?

Where can I find an IP address of the attacker ?

routers · 02-17-2009, 05:23 AM

check other log file secure,messages
ifPOSIBLE change your vsftpd port and informed your customer about port changes

dlugasx · 02-17-2009, 05:49 AM

Quote:

Originally Posted by routers

check other log file secure,messages
ifPOSIBLE change your vsftpd port and informed your customer about port changes

port change is impossible - productive restrictions

how can I find and block IP of that hacker ?

routers · 02-17-2009, 06:03 AM

normaly is here

Code:

[root@estin201 ~]# tail /var/log/secure
Feb 17 19:05:41 estin201 sshd[1098]: reverse mapping checking getaddrinfo for 132.115.in-addr.arpa failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 17 19:05:45 estin201 sshd[1098]: Accepted password for root from 115.132.84.249 port 32975 ssh2
Feb 17 19:05:45 estin201 sshd[1098]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 17 19:07:33 estin201 sshd[1132]: reverse mapping checking getaddrinfo for 132.115.in-addr.arpa failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 17 19:07:34 estin201 sshd[1132]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.132.84.249  user=root
Feb 17 19:07:36 estin201 sshd[1132]: Failed password for root from 115.132.84.249 port 35263 ssh2
[root@estin201 ~]#

dlugasx · 02-17-2009, 06:12 AM

today looks like this...

Quote:

Feb 16 16:20:01 a1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=dtw.directtechweb.com
Feb 16 16:20:01 a1 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
Feb 16 16:20:04 a1 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Feb 16 16:20:04 a1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=dtw.directtechweb.com
Feb 16 16:20:04 a1 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
Feb 16 16:20:08 a1 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Feb 16 16:20:08 a1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=dtw.directtechweb.com
Feb 16 16:20:08 a1 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
Feb 16 16:20:12 a1 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Feb 16 16:20:12 a1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=dtw.directtechweb.com
Feb 16 16:20:12 a1 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
Feb 16 16:20:16 a1 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Feb 16 16:20:16 a1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=dtw.directtechweb.com
Feb 16 16:20:16 a1 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
Feb 16 16:20:19 a1 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Feb 16 16:20:19 a1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=dtw.directtechweb.com
Feb 16 16:20:19 a1 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
Feb 16 16:20:23 a1 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Feb 16 16:20:23 a1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=dtw.directtechweb.com
Feb 16 16:20:23 a1 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
Feb 16 16:20:26 a1 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Feb 16 16:20:26 a1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=dtw.directtechweb.com
Feb 16 16:20:26 a1 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
Feb 16 16:20:30 a1 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown

routers · 02-17-2009, 06:18 AM

whose dom+ip is this ?

[root@noc ~]# nslookup dtw.directtechweb.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: dtw.directtechweb.com
Address: 74.52.88.194

dlugasx · 02-17-2009, 06:29 AM

Quote:

Originally Posted by routers

whose dom+ip is this ?

[root@noc ~]# nslookup dtw.directtechweb.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: dtw.directtechweb.com
Address: 74.52.88.194

I made it but it still trying to hack this poor machine .

/etc/host.deny

/firewall drop everything from that IP

ehhh...

I think I will write email with first warning to the owner of that domain.

routers · 02-17-2009, 06:35 AM

dont forget to cc to upline

abuse@theplanet.com

the ip range is owned by them

repo · 02-17-2009, 06:38 AM

Quote:

Where can I find an IP address of the attacker

Code:

repo@cannabis:~$ dig dtw.directtechweb.com

; <<>> DiG 9.5.1-P1 <<>> dtw.directtechweb.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33462
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;dtw.directtechweb.com.		IN	A

;; ANSWER SECTION:
dtw.directtechweb.com.	14400	IN	A	74.52.88.194

;; AUTHORITY SECTION:
dtw.directtechweb.com.	86400	IN	NS	ns1.directtechweb.com.
dtw.directtechweb.com.	86400	IN	NS	ns2.directtechweb.com.

;; ADDITIONAL SECTION:
ns1.directtechweb.com.	14400	IN	A	74.52.88.194
ns2.directtechweb.com.	14400	IN	A	74.52.88.195

;; Query time: 157 msec
;; SERVER: 212.71.8.10#53(212.71.8.10)
;; WHEN: Tue Feb 17 12:35:54 2009
;; MSG SIZE  rcvd: 123

repo@cannabis:~$

Code:

repo@cannabis:~$ whois 74.52.88.194| grep abuse
OrgAbuseEmail:  abuse@theplanet.com
network:Tech-Contact;I:abuse@theplanet.com
network:Admin-Contact;I:abuse@theplanet.com
repo@cannabis:~$

Also, you could install fail2ban, which will block the ip after x attempts, or use iptables

jschiwal · 02-17-2009, 07:17 AM

I think that /etc/hosts.deny is used for xinetd services. If that how you have vsftp configured? If it isn't look at pam controls.

Check your /etc/pam.d/vsftp configuration. Add "Administrator" to /etc/ftpusers if it is used to deny access.

If you see "sense=deny file=/etc/ftpusers" then adding Administrator" to /etc/ftpusers will deny that username, which I assume you aren't using.

I think you could add a line to /etc/pam.d/vsftpd to deny hosts the way that /etc/ftpusers denies users.

Code:

auth     required       pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth     required       pam_listfile.so item=host sense=deny file=/etc/ftphosts onerr=succeed

Put the hostname, ip address or both in /etc/ftphosts (I made up the filename).

Try adding a local host and see if anyone from that host is denied access.

Does your server use anonymous access. If not, then you can use /etc/security/access.conf as well. (AFAIK from reading /etc/pam/vsftpd)

---
Another quick way of finding an IP address is
getent hosts <hostname>

Code:

getent hosts dtw.directtechweb.com
74.52.88.194    dtw.directtechweb.com

Information on the provider:
http://whois.domaintools.com/74.52.88.194

Looking at the site itself, it looks like a new install. They may have been hacked themselves.

routers · 02-17-2009, 07:46 AM

@jschiwal
as CentOS system vsftpd installed and run
i didnt find 2 file you mentioned
1)/etc/pam.d/vsftp
2)/etc/ftpusers

are we need to manual create it, pls advices, good for all

thanks

jschiwal · 02-17-2009, 08:13 AM

Do you have the /etc/pam.d/vsftp file?
If you do, the second line I listed I created. Look at the manpage for pam_listfile. The item can be a hostname. So you can create a new file and use it as a host black list. (the /etc/hostname)

If you don't have an /etc/ftpusers file, your ftp service may not be configured. If it is used as a user blacklist, it should contain at least system users.

---

Look at "sudo /sbin/chkconfig vsftp". Does it say "on" or "xinetd"?

On Fedora and openSUSE, there is a /etc/pam.d/vsftp file that is used to control access and handle authentication for the vsftp service.

You may have it configured to be controlled by xinetd. If that is the case, then vsftp spawns a new service per request. The /etc/hosts.allow and /etc/hosts.deny controls should work.

Look for the /etc/xinet.d/vsftpd file. It tends to be used more for resource control. It defers access control to the vsftpd.conf file.

---
If your system uses pam, you can also add an entry in /etc/security/access.conf to control login access.

# Deny login access for anyone from 74.52.88.194
-:ALL:74.52.88.194

---

You can also add an iptables rule to drop the ip address in the firewall as well. This will protect all ports. Especially if you have a dedicated firewall which would drop the traffic before reaching your FTP server.

CaptainInsane · 02-17-2009, 10:21 PM

Use iptables AND fail2ban.

Here are some rules for vsftpd I use in my fail2ban jail.conf file:

Code:

# ban on DOS/flood attacks

[vsftpd-iptables-dos]

enabled  = true
filter   = vsftpd_dos
action   = iptables[name=VSFTPD_DOS, port=ftp, protocol=tcp]
	hostsdeny
logpath  = /var/log/vsftpd.log
maxretry = 3
findtime = 15
bantime  = 2400

# ban on 530 Login incorrect

[vsftpd-iptables]

enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
	hostsdeny
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 60

# ban on 530 Permission denied

[vsftpd-iptables-deny]

enabled  = true
filter   = vsftpd_deny
action   = iptables[name=VSFTPD_DENY, port=ftp, protocol=tcp]
	hostsdeny
logpath  = /var/log/vsftpd.log
maxretry = 2
bantime  = 2400

Pretty much a waste of time to try and track the attackers.
Most of them will be in china, north korea or some eastern european
country....

Since I installed fail2ban, my log files have decreased in size 90%.

CaptainInsane · 02-18-2009, 02:56 AM

Whoops.

Suppose that would be more useful if the info needed in the
fail2ban/filter.d folder were included...

Include the following lines in files vsftpd.conf, vsftpd_dos.conf
and vsftpd_deny.conf

Code:

failregex = .*Client "<HOST>",."530 Login incorrect."$

failregex = .*Client "<HOST>",."530 .*$

failregex = .*Client "<HOST>",."530 Permission denied."$