Xinetd Proftpd unauthorized ftp connection

[sugeng]

Hi

Greetings to all linux and plesk masters.
i need your help as i find suspicious activity several times. when i check syslog, i find that unauthorized ftp access occurs. this is what syslog says

xinetd[746]: START: ftp pid=10220 from=::ffff:116.11.190.176
Nov 30 08:47:30  proftpd[10220]: processing configuration directory '/etc/proftpd.d'
Nov 30 08:47:30  proftpd[10220]: 127.0.0.1 (116.11.190.176[116.11.190.176]) - FTP session opened.
Nov 30 08:47:31  proftpd[10220]: 127.0.0.1 (116.11.190.176[116.11.190.176]) - FTP session closed.
Nov 30 08:47:31  xinetd[746]: EXIT: ftp status=0 pid=10220 duration=1(sec)
Nov 30 08:47:31  xinetd[746]: START: ftp pid=10221 from=::ffff:116.11.190.176
Nov 30 08:47:31  proftpd[10221]: processing configuration directory '/etc/proftpd.d'
Nov 30 08:47:31  proftpd[10221]: 127.0.0.1 (116.11.190.176[116.11.190.176]) - FTP session opened.
Nov 30 08:47:36  proftpd[10221]: 127.0.0.1 (116.11.190.176[116.11.190.176]) - FTP session closed.
Nov 30 08:47:36  xinetd[746]: EXIT: ftp status=0 pid=10221 duration=5(sec)
Nov 30 08:47:36  xinetd[746]: START: ftp pid=10225 from=::ffff:116.11.190.176
Nov 30 08:47:36  proftpd[10225]: processing configuration directory '/etc/proftpd.d'
Nov 30 08:47:36  proftpd[10225]: 127.0.0.1 (116.11.190.176[116.11.190.176]) - FTP session opened.
Nov 30 08:47:40  proftpd[10225]: 127.0.0.1 (116.11.190.176[116.11.190.176]) - FTP session closed.
Nov 30 08:47:40  xinetd[746]: EXIT: ftp status=0 pid=10225 duration=4(sec)
Nov 30 08:47:41  xinetd[746]: START: ftp pid=10228 from=::ffff:116.11.190.176
Nov 30 08:47:41  proftpd[10228]: processing configuration directory '/etc/proftpd.d'
Nov 30 08:47:41  proftpd[10228]: 127.0.0.1 (116.11.190.176[116.11.190.176]) - FTP session opened.
Nov 30 08:47:44  proftpd[10228]: 127.0.0.1 (116.11.190.176[116.11.190.176]) - FTP session closed.
Nov 30 08:47:44  xinetd[746]: EXIT: ftp status=0 pid=10228 duration=3(sec)
Nov 30 08:47:44  xinetd[746]: START: ftp pid=10230 from=::ffff:116.11.190.176
Nov 30 08:47:44 7 proftpd[10230]: processing configuration directory '/etc/proftpd.d'
Nov 30 08:47:44  proftpd[10230]: 127.0.0.1 (116.11.190.176[116.11.190.176]) - FTP session opened.
Nov 30 08:52:44  proftpd[10230]: 127.0.0.1 (116.11.190.176[116.11.190.176]) - Login timeout exceeded, disconnected
Nov 30 08:52:44 proftpd[10230]: 127.0.0.1 (116.11.190.176[116.11.190.176]) - FTP session closed.
Nov 30 08:52:44  xinetd[746]: EXIT: ftp status=0 pid=10230 duration=300(sec)

i've seen this activity several times. last time, i got a lot of virus, spam bot or whatever that consumes server resources massively. also, sending soooo many spam within hours.

Please help me to solve this condition masters......

 

[abdi]

Is 116.11.190.176 your server's IP address?

 

[sugeng]

Hi Abdi

116.11.190.176 is not my server Ip address. thats why i very concerned. the sonnection came from many IPs, 116.11.190.176 is only one of them.

Btw, Thank you very much for your very fast response Abdi

 

[abdi]

Sugeng,

You are definitely under a brute force attack ....

****I would recommend installing a serious firewall script such as ConfigServer...

About Spam, I always recommend disabling the default PHP mail function and telling your customers to SMTP with there website forms..

 

[sugeng]

Hi Abdi

That what im affraid of. by the way, can you share me what are the possible solution besides ConfigServer? i am using fail2ban, and clamav right now. also what product of configserver suits my condition?

thank you Abdi

 

[abdi]

what product of configserver suits my condition

http://www.configserver.com/cp/csf.html

 

[trialotto]

Hi Abdi

That what im affraid of. by the way, can you share me what are the possible solution besides ConfigServer? i am using fail2ban, and clamav right now. also what product of configserver suits my condition?

thank you Abdi

@sugeng,

First of all, start blocking all FTP ports, in order to prevent brute forcing (in your case a distributed attack)

- gaining access,
- imposing resource overloads,

and be aware of the fact that you are very likely to be attacked at every other service (so: checks mail logs, access logs etc.).

Second, it is more important to investigate whether they have been succesfull: check xfer logs (transfer logs) and scan for the relevant IPs (116.11.190.176 and all others).

If the attackers have been succesful, immediately change ALL passwords! And also change the passwords to a more strong version.

Third, you stated that you are using fail2ban: this would be fine for many purposes, but if the configuration is not proper, then fail2ban has no added value at all.

Reconfigure fail2ban: make the jail time longer and the number of attempts lower (1, when under attack and 2 or 3, if the attack is more or less over).

Fourth, use your firewall: close all ports that you are not using regularly, such as the plesk web-based installer, and only traffic from your own IP for specific ports, such as SSH.


In short, a lot of work still ahead.

However, the above being the bad news, it is now time for some good news.

It is very unlikely that the attackers have gained access: the ftp related output indicates that they are trying, not actually having access.

But that often is a matter of time, so assign a high priority to harden the security of your server(s): follow some of steps mentioned above.

Regards.....

 

[trialotto]

@sugeng,

That what im affraid of. by the way, can you share me what are the possible solution besides ConfigServer?

I wanted to add that you asked the right question.

ConfigServer is not the solution to your problem.

In fact, Plesk has many "security components" that can be used together and, when used in perfect combination, they are more than able to secure your server.

But "more than able" often is "not good enough": you can use all kinds of approaches, but always start with a firewall (for example, Plesk firewall) in combination with Fail2Ban.

Then you have to add some "elements of security", with those "elements" depending on the goal.

For instance, FTP servers can be shielded by simply enforcing SSL/TLS and using passive ports. Some of the automated hack scripts do not bother with SSL/TLS based FTP servers.

Another example, for mail servers: you simply have to use all kinds of spam filtering (virus scanning, spam filters, DNSBL blacklists, greylisting, DMARC records, Domainkeys).

A final example, for more advanced use: put everything behind Nginx and disallow (by default) traffic from specific countries, that are well-known for malicious traffic.

But again, it has to be stated: start with a firewall first (i.e. only allow traffic that you trust, disallow everything else) and use Fail2Ban (good as it is, out-of-the box. And it can even be configured to make use of specific lists of blacklisted IPs, but that is another topic).

Regards.......

 

[sugeng]

@trialotto

thank you very much for your superb explaination.... i tried all of your suggestion ever since. so far so good

regards

 

[trialotto]

@sugeng,

Well, I am a little bit suprised to see you response on this relatively old topic thread, but: no thanks, glad to be of any assistance, your response is much appreciated!

Regards....