
I'm seeing unknown IPs in results like this in the messages log on a CentOS 6 webserver, are these IPs actually accessing the machine?

Mar 13 19:11:49 server pure-ftpd: (?@some.ip.here) [INFO] New connection from some.ip.here
Mar 13 19:11:49 server pure-ftpd: (?@some.ip.here) [INFO] Logout.

I'm also seeing others that are clearly being rejected though:

Mar 13 19:14:20 server pure-ftpd: (?@some.other.ip) [INFO] New connection from some.other.ip
Mar 13 19:14:25 server pure-ftpd: (?@some.other.ip) [WARNING] Authentication failed for user [some-username]
Mar 13 19:14:25 server pure-ftpd: (?@some.other.ip) [INFO] Logout.

The only person that has full server access is me, and then some end web users/bloggers have access to WordPress sites on the server, but they aren't in the countries of these IPs.

  • "New connection from" clearly indicates that they are "actually accessing the machine". So I'm not sure what you want to know here. Are you asking if they are successfully logging in? Try logging in yourself and see how a successful login is logged. – schroeder Mar 14 '19 at 12:46

2 Answers


Please do some testing with your pure-ftp service to see how it logs various events. That will answer all your questions.

What you are seeing is connections (likely from bots) to the FTP service to get the login screen, then they disconnect. Then other bots perform brute-force attacks to try to log in.

If practical, I would put IP filtering on the services you are running to limit who in the world can connect to the services in order to limit the number of probes like this.

  • Thanks, I just did a test ftp connection and this is what a successful login shows: "Mar 14 22:34:15 server pure-ftpd: (?@my.ip) [INFO] New connection from my.ip Mar 14 22:34:16 server pure-ftpd: (?@my.ip) [INFO] website_username is now logged in", which seems to be different from those other 'connections', so I guess that means your theory on bots connecting to just the login screen is correct? – goblin_rocket Mar 15 '19 at 02:38
  • Yes. Just as authentication failures are logged, so are authentication successes. – schroeder Mar 15 '19 at 09:07
  • Just as importantly, can you replicate the logs for events such as connecting but not logging in and for logging in with the wrong password? Don't just test what you expect; use standard software testing methods to confirm other use cases as well so that you understand the behaviour of this software. – schroeder Mar 15 '19 at 09:08
  • I can recreate the correct error message when trying to log in with ftp using a wrong password, but I can't recreate the 'New connection...Logout' message. I'm not sure how that's being done tbh – goblin_rocket Mar 18 '19 at 06:38

As @schroeder said, these are "connections (likely from bots) to the FTP service to get the login screen" but not logged in yet. I was able to reproduce this with the ftp command from 2 different hosts:

#First connection
ftp -n ftp.server.domain
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 08:57. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
exit

#Second connection
ftp -n ftp.server.domain
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 2 of 50 allowed.
220-Local time is now 08:57. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
exit

These connections can exhaust the connection pool, I guess.

I've just started using Fail2ban to ban connections like this, but I need time to test this. My current Fail2ban config, /etc/fail2ban/jail.local, is:

[pure-ftpd]
enabled  = true
port     = ftp,ftp-data,ftps,ftps-data
# The filter name must match a file in /etc/fail2ban/filter.d/; the custom
# filter shown below is pureftpd.conf, so it is referenced as "pureftpd" here
# (fail2ban ships its own pure-ftpd.conf, which "filter = pure-ftpd" would load instead).
filter   = pureftpd
action   = iptables[name=Pure-FTPd, port=ftp, protocol=tcp]
           sendmail-whois[name=Pure-FTPd, dest=root, sender=fail2ban@example.com]
# Debian-style syslog path; on the CentOS 6 host in the question pure-ftpd
# writes to /var/log/messages instead.
logpath  = /var/log/syslog
maxretry = 3

and /etc/fail2ban/filter.d/pureftpd.conf:

[Definition]
# Counts only "Authentication failed" lines for a host. The connect-and-logout
# probes above produce no WARNING line, so this regex does not count them.
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =
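The three session shapes discussed in the question and the first answer (connect and leave, failed password, successful login) and the maxretry threshold from the jail above can be checked against real log lines with a small script. The following is an added example, not code from either answer or from pure-ftpd or fail2ban: it parses the pure-ftpd syslog format shown on this page, labels each session per host, and then applies the answer's failregex with a findtime window the way fail2ban would. The sample lines are constructed (documentation IPs), the year 2019 is assumed because syslog timestamps carry none, and the `<HOST>` substitution is a simplified stand-in for fail2ban's own host pattern.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, modelled on the lines in the question and comments.
SAMPLE_LOG = """\
Mar 13 19:11:49 server pure-ftpd: (?@198.51.100.7) [INFO] New connection from 198.51.100.7
Mar 13 19:11:49 server pure-ftpd: (?@198.51.100.7) [INFO] Logout.
Mar 13 19:14:20 server pure-ftpd: (?@203.0.113.9) [INFO] New connection from 203.0.113.9
Mar 13 19:14:25 server pure-ftpd: (?@203.0.113.9) [WARNING] Authentication failed for user [admin]
Mar 13 19:14:25 server pure-ftpd: (?@203.0.113.9) [INFO] Logout.
Mar 13 19:14:40 server pure-ftpd: (?@203.0.113.9) [INFO] New connection from 203.0.113.9
Mar 13 19:14:43 server pure-ftpd: (?@203.0.113.9) [WARNING] Authentication failed for user [root]
Mar 13 19:14:45 server pure-ftpd: (?@203.0.113.9) [WARNING] Authentication failed for user [test]
Mar 13 19:14:45 server pure-ftpd: (?@203.0.113.9) [INFO] Logout.
Mar 14 22:34:15 server pure-ftpd: (?@192.0.2.5) [INFO] New connection from 192.0.2.5
Mar 14 22:34:16 server pure-ftpd: (?@192.0.2.5) [INFO] website_username is now logged in
Mar 14 22:36:02 server pure-ftpd: (website_username@192.0.2.5) [INFO] Logout.
"""

# "<timestamp> <host> pure-ftpd: (<user>@<ip>) [<LEVEL>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ pure-ftpd: "
    r"\((?P<user>[^@)]*)@(?P<host>[^)]+)\) \[(?P<level>\w+)\] (?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(r"Authentication failed for user \[(?P<user>[^\]]*)\]")
LOGIN_RE = re.compile(r"^(?P<user>\S+) is now logged in")

# The answer's failregex; <HOST> replaced by a simplified capture group (assumption:
# fail2ban's real <HOST> pattern is broader, but matches the same IPs here).
FAILREGEX = r".*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>[\w.\-:]+)"))


def parse_line(line, year=2019):
    """Split one pure-ftpd syslog line into fields; None for unrelated lines.
    Syslog has no year, so one is assumed (2019, the date of the thread)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # syslog pads day-of-month with a space
    ts = datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y")
    return {"ts": ts, "host": m["host"], "level": m["level"], "msg": m["msg"]}


def classify_sessions(log_text, year=2019):
    """Group lines into per-host sessions (New connection ... Logout) and label
    each: 'probe' (connected and left without authenticating), 'auth_failure'
    (one or more wrong passwords), or 'login' (successful login).
    Limitation: the log format has no session id, so two simultaneous
    connections from one host are merged into one session."""
    open_sessions = {}  # host -> session state
    results = []
    for raw in log_text.splitlines():
        ev = parse_line(raw, year)
        if ev is None:
            continue
        host, msg = ev["host"], ev["msg"]
        if msg.startswith("New connection from"):
            open_sessions[host] = {"start": ev["ts"], "failed": 0, "user": None}
            continue
        sess = open_sessions.get(host)
        if sess is None:
            continue  # Logout/auth line without a matching connect (log rotated?)
        if AUTH_FAIL_RE.search(msg):
            sess["failed"] += 1
        elif LOGIN_RE.match(msg):
            sess["user"] = LOGIN_RE.match(msg)["user"]
        elif msg == "Logout.":
            kind = "login" if sess["user"] else ("auth_failure" if sess["failed"] else "probe")
            results.append({"host": host, "kind": kind,
                            "failed": sess["failed"], "user": sess["user"]})
            del open_sessions[host]
    return results


def hosts_to_ban(log_text, maxretry=3, findtime=600, year=2019):
    """Apply the jail's maxretry inside a sliding findtime window (seconds),
    which is how fail2ban counts failregex matches per host. Returns the set of
    hosts that would be banned; probes never match, so they are never banned."""
    failures = defaultdict(list)
    for raw in log_text.splitlines():
        m = FAIL_RE.match(raw)
        ev = parse_line(raw, year)
        if m and ev:
            failures[m["host"]].append(ev["ts"])
    banned, window = set(), timedelta(seconds=findtime)
    for host, times in failures.items():
        times.sort()
        for i, t in enumerate(times):
            recent = [u for u in times[: i + 1] if t - u <= window]
            if len(recent) >= maxretry:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    for s in classify_sessions(SAMPLE_LOG):
        print(f"{s['host']:<14} {s['kind']:<13} failed={s['failed']} user={s['user']}")
    print("would ban:", sorted(hosts_to_ban(SAMPLE_LOG)))
```

Running it on the sample shows the first host as a bare probe (no WARNING line, so the jail never counts it), the second host reaching three failures inside the window and being banned, and the third host as a genuine login; feeding it lines from /var/log/messages instead of the sample is enough to answer the question's "are they actually getting in?" for a real host.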