failed ftp logins
Of late, I'm seeing a number of failed ftp logins.
I'm aware that HostAccessControl has no effect on pureftp.
What I a little confused with is CSF has port 20 and 21 closed, so I'm not sure how these are getting through.
Nov 18 16:13:29 leeds pure-ftpd: (?@123.232.19.90) [INFO] New connection from 123.232.19.90
Nov 18 16:13:29 leeds pure-ftpd: (?@123.232.19.90) [INFO] New connection from 123.232.19.90
Nov 18 16:13:29 leeds pure-ftpd: (?@123.232.19.90) [INFO] New connection from 123.232.19.90
Nov 18 16:13:30 leeds pure-ftpd: (?@123.232.19.90) [INFO] New connection from 123.232.19.90
Nov 18 16:13:35 leeds pure-ftpd: (?@123.232.19.90) [WARNING] Authentication failed for user [name]
Nov 18 16:13:35 leeds pure-ftpd: (?@123.232.19.90) [INFO] Logout.
Nov 18 16:13:35 leeds pure-ftpd: (?@123.232.19.90) [WARNING] Authentication failed for user [anonymous]
Nov 18 16:13:35 leeds pure-ftpd: (?@123.232.19.90) [INFO] Logout.
Nov 18 16:13:35 leeds pure-ftpd: (?@123.232.19.90) [WARNING] Authentication failed for user [www]
Nov 18 16:13:35 leeds pure-ftpd: (?@123.232.19.90) [INFO] Logout.
Nov 18 16:13:36 leeds pure-ftpd: (?@123.232.19.90) [WARNING] Authentication failed for user [anonymous]
Nov 18 16:13:36 leeds pure-ftpd: (?@123.232.19.90) [INFO] Logout.
Messages log doesn't show me if these attempts are via any other port.
Any ideas ?
-
Hi, Can you check if those ports are still listening on those ports? # netstat -anpt | grep :21 If you do not want to have connection on those port, then it will best for you to just change the BIND section to different port, so you can change it to different port than common 21 for FTP. # cat /etc/pure-ftpd.conf | grep Bind 0 -
The Netstat didn't reveal anything. And there are no entries in messages/log since this morning, however, i've no doubt that i'll find them again in the morning. Maybe changing the FTP port isn't a bad idea 0 -
A more accurate way to determine whether or not a port is open would be to run something similar to the following from outside your server: sudo nmap -sU -sT -p 20,21 Starting Nmap 7.00 ( https://nmap.org ) at 2019-11-20 17:20 CST Nmap scan report for () Host is up (0.010s latency). PORT STATE SERVICE 20/tcp closed ftp-data 21/tcp open ftp 20/udp closed ftp-data 21/udp closed ftp Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
netstat will just show you what is listening on those ports, and it's perfectly reasonable to expect FTP to be listening on 20 and 21. To see what iptables has blocked you can view:iptables -L -n0 -
As there is really only myself who has FTP access, I configured CSF to ban on a single ftp login failure. I'm no longer seeing any failed ftp logins, but this might just mean that they admitted defeat and went away. 0
Please sign in to leave a comment.
Comments
4 comments