
Topic: LxGuard does not work for FTP hackers


Spacedust
LxGuard does not work for FTP hackers
« on: 2013-08-16, 01:03:58 »
Code:
Aug 15 21:02:07 CentOS-64-64-minimal xinetd[494]: START: ftp pid=12470 from=::ffff:27.159.231.195
Aug 15 21:02:07 CentOS-64-64-minimal pure-ftpd: (?@27.159.231.195) [INFO] New connection from 27.159.231.195
Aug 15 21:02:13 CentOS-64-64-minimal pure-ftpd: (?@27.159.231.195) [WARNING] Authentication failed for user [qwe123]
Aug 15 21:02:13 CentOS-64-64-minimal pure-ftpd: (?@27.159.231.195) [INFO] Logout.
Aug 15 21:02:13 CentOS-64-64-minimal xinetd[494]: EXIT: ftp status=0 pid=12470 duration=6(sec)
Aug 15 21:02:13 CentOS-64-64-minimal xinetd[494]: START: ftp pid=12672 from=::ffff:27.159.233.77
Aug 15 21:02:13 CentOS-64-64-minimal pure-ftpd: (?@27.159.233.77) [INFO] New connection from 27.159.233.77
Aug 15 21:02:20 CentOS-64-64-minimal pure-ftpd: (?@27.159.233.77) [WARNING] Authentication failed for user [admin999]
Aug 15 21:02:20 CentOS-64-64-minimal pure-ftpd: (?@27.159.233.77) [INFO] Logout.
Aug 15 21:02:20 CentOS-64-64-minimal xinetd[494]: EXIT: ftp status=0 pid=12672 duration=7(sec)
Aug 15 21:02:23 CentOS-64-64-minimal xinetd[494]: START: ftp pid=13035 from=::ffff:120.43.20.127
Aug 15 21:02:23 CentOS-64-64-minimal pure-ftpd: (?@120.43.20.127) [INFO] New connection from 120.43.20.127

I see someone trying to hack my FTP and my lxguard is set to 20 failures, but this IP isn't even on the list. It seems that it only works for SSH. I'm on CentOS 6.4 64-bit.

Spacedust
Re: LxGuard does not work for FTP hackers
« Reply #1 on: 2013-08-16, 01:21:38 »
I've set fail2ban and it banned these hackers almost right away :)

Mustafa, can you give me a working config for all services inside Kloxo-MR?

MRatWork
Re: LxGuard does not work for FTP hackers
« Reply #2 on: 2013-08-16, 02:12:17 »
It's because Kloxo/Kloxo-MR thinks the service is syslog. In my investigation, this service is rsyslog. The Kloxo-MR code needs a fix for this situation.

Open '/etc/rsyslog.conf' and add 'ftp.* /var/log/secure' under 'authpriv.* /var/log/secure'. And then restart with 'service rsyslog restart'.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Spacedust
Re: LxGuard does not work for FTP hackers
« Reply #3 on: 2013-08-16, 02:21:32 »
Quote from: "MRatWork"
It's because Kloxo/Kloxo-MR thinks the service is syslog. In my investigation, this service is rsyslog. The Kloxo-MR code needs a fix for this situation.

Open '/etc/rsyslog.conf' and add 'ftp.* /var/log/secure' under 'authpriv.* /var/log/secure'. And then restart with 'service rsyslog restart'.

It doesn't work. We need a fix for rsyslog inside Kloxo-MR.

MRatWork
Re: LxGuard does not work for FTP hackers
« Reply #4 on: 2013-08-16, 02:30:24 »
I don't think so. Kloxo/Kloxo-MR only reads /var/log/secure to know whose login failed. This is with the assumption that FTP logins are detected by rsyslog/syslog.
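Added example, not written by any poster in this thread and not LxGuard's own code: a Python version of the check described above, counting pure-ftpd "Authentication failed" lines in the /var/log/secure format shown in the thread and comparing the count against a failure threshold. The function names, the constructed 192.0.2.10 lines and the grouping by network prefix are assumptions of this example; the prefix option is included because the failed attempts in the first post come from different addresses.

```python
import ipaddress
import re
from collections import Counter

# pure-ftpd failure line, in the format of the log excerpts posted in this thread.
FAILED = re.compile(
    r"pure-ftpd: \(\?@(?P<ip>[0-9a-fA-F.:]+)\) \[WARNING\] "
    r"Authentication failed for user \[(?P<user>[^\]]*)\]"
)

# First three lines and the last line are quoted from the thread; the 192.0.2.10
# lines are constructed for this example (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = """\
Aug 15 21:02:13 CentOS-64-64-minimal pure-ftpd: (?@27.159.231.195) [WARNING] Authentication failed for user [qwe123]
Aug 15 21:02:20 CentOS-64-64-minimal pure-ftpd: (?@27.159.233.77) [WARNING] Authentication failed for user [admin999]
Aug 15 21:02:23 CentOS-64-64-minimal pure-ftpd: (?@120.43.20.127) [INFO] New connection from 120.43.20.127
Aug 15 21:03:01 host pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [test]
Aug 15 21:03:05 host pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [admin]
Aug 15 21:03:09 host pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [root]
Aug 15 20:33:01 web301 pure-ftpd: (?@110.136.160.110) [INFO] spectra is now logged in
"""

def failures(lines, prefix=32):
    """Count failed FTP logins per source, grouped by IPv4 prefix length."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # connections, logouts and successful logins are ignored
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address field: skip the line, do not crash
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is counted as a.b.c.d
        if ip.version == 4:
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            counts[str(net)] += 1
        else:
            counts[str(ip)] += 1  # plain IPv6 sources are counted per address
    return counts

def over_threshold(lines, threshold, prefix=32):
    """Return the sources whose failure count reaches the threshold."""
    return sorted(k for k, n in failures(lines, prefix).items() if n >= threshold)
```

With the per-address default, the two 27.159.x.x sources each count one failure and stay under any threshold above 1; grouped with `prefix=16` they count together.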

MRatWork
Re: LxGuard does not work for FTP hackers
« Reply #5 on: 2013-08-16, 02:45:14 »
This is part of the content of /var/log/secure related to FTP login:
Code:
Aug 15 20:14:01 web301 pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Aug 15 20:14:01 web301 pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Aug 15 20:19:01 web301 pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Aug 15 20:19:01 web301 pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Aug 15 20:24:01 web301 pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Aug 15 20:24:01 web301 pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Aug 15 20:29:01 web301 pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Aug 15 20:29:01 web301 pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Aug 15 20:33:00 web301 pure-ftpd: (?@110.136.160.110) [INFO] New connection from 110.136.160.110
Aug 15 20:33:01 web301 pure-ftpd: (?@110.136.160.110) [INFO] spectra is now logged in
Aug 15 20:34:01 web301 pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Aug 15 20:34:01 web301 pure-ftpd: (?@127.0.0.1) [INFO] Logout.

Spacedust
Re: LxGuard does not work for FTP hackers
« Reply #6 on: 2013-08-16, 02:51:01 »
I got it too, but I still do not see any FTP connections on LxGuard's list.

The failed ones, of course.

MRatWork
Re: LxGuard does not work for FTP hackers
« Reply #7 on: 2013-08-16, 03:02:30 »
[Attachment: lxguard_ftp.png]

It works on my server. You can see the FTP login by the spectra client.

Spacedust
Re: LxGuard does not work for FTP hackers
« Reply #8 on: 2013-08-16, 15:43:41 »
Now it works for my server too ;)

Spacedust
Re: LxGuard does not work for FTP hackers
« Reply #9 on: 2013-08-16, 21:35:39 »
What about qmail protection?