Blocked distributed ftpd attack emails and LFD going down

Comments

3 comments

  • joaosavioli
    Update: When an attack is happening, I can see a lot of csf processes running:

      23134 root 20 0 176004 30372 2460 D 12.3 0.1 0:00.37 csf
      23135 root 20 0 175856 30288 2456 S 12.0 0.1 0:00.36 csf
      23231 root 20 0 175944 30276 2456 S 12.0 0.1 0:00.36 csf
      23240 root 20 0 175888 30252 2460 S 11.6 0.1 0:00.35 csf
      23328 root 20 0 175788 30276 2460 S 11.6 0.1 0:00.35 csf
      23181 root 20 0 175880 30272 2460 S 10.6 0.1 0:00.32 csf
      23081 root 20 0 175944 30260 2456 S 8.6 0.1 0:00.42 csf
      23082 root 20 0 175860 30316 2460 S 6.6 0.1 0:00.35 csf

    Cheers, Joao
    0
  • cPanelLauren
    Hi @joaosavioli, I would recommend identifying whether or not you're actually experiencing a distributed FTP attack before making any modifications. What is in /var/log/messages for FTP logins when this is occurring? CSF has some posts on this subject as well: We have some other similar threads as well, for example: Thanks!
    0
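An added example (not from the thread, cPanel or CSF) of the log check suggested above: it counts how many distinct source IPs produced failed FTP logins against each account within a sliding time window. It assumes Pure-FTPd syslog lines shaped like the constructed sample below; the function names, window and threshold are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Pure-FTPd syslog format; adjust the pattern to your own log lines.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spure-ftpd(?:\[\d+\])?:\s"
    r"\(\?@(?P<ip>[^)]+)\)\s\[WARNING\]\sAuthentication failed for user \[(?P<user>[^\]]*)\]"
)

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE = """\
Mar  3 10:15:01 host1 pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [alice]
Mar  3 10:15:40 host1 pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [alice]
Mar  3 10:16:10 host1 pure-ftpd: (?@192.0.2.44) [WARNING] Authentication failed for user [alice]
Mar  3 10:16:12 host1 pure-ftpd: (?@192.0.2.44) [WARNING] Authentication failed for user [bob]
Mar  3 10:17:00 host1 pure-ftpd: (bob@192.0.2.9) [INFO] bob is now logged in
Mar  3 11:30:00 host1 pure-ftpd: (?@203.0.113.99) [WARNING] Authentication failed for user [alice]
""".splitlines()

def failed_logins(lines, year=2024):
    """Yield (timestamp, ip, user) for each failed FTP login line."""
    for line in lines:
        m = FAILED.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def distributed_targets(lines, window=timedelta(minutes=5), min_ips=3):
    """Return {user: peak distinct IPs in any window} for users reaching min_ips."""
    by_user = defaultdict(list)
    for ts, ip, user in failed_logins(lines):
        by_user[user].append((ts, ip))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({ip for _, ip in events[start:end + 1]}))
        if peak >= min_ips:
            flagged[user] = peak
    return flagged

if __name__ == "__main__":
    print(distributed_targets(SAMPLE))
```

Many distinct IPs failing against the same account in a short window is consistent with a distributed attempt; many failures from a single IP is ordinary brute force. To check a live server, pass the lines of /var/log/messages instead of `SAMPLE`.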
  • joaosavioli
    Hi! I tried a lot of things to fix it, but every time a brute force happens with a lot of IPs (more than 2000 different IPs), LFD has failed. I think it was happening because brute force protection needs to add a lot of IPs to the block list at the same time. I've fixed this problem by turning off CSF brute force for FTP, IMAP and POP3, and using cPHulk for this function. Cheers, Joao
    0