HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


danielborene 20th June 2009 00:29

Server Security / email and ftp
 
Hello,
I have a couple of questions on how to improve the security of my server...
I've been looking at the logs shown inside of ISPConfig, and I noticed under System-Log a bunch of people connecting to my FTP server trying to figure out the password of the administrator account.
Here is the message I get in the log.

Jun 19 17:46:48 server pure-ftpd: (?@61.152.159.231) [WARNING] Authentication failed for user [Administrator]
Jun 19 17:47:04 server pure-ftpd: (?@61.152.159.231) [INFO] PAM_RHOST enabled. Getting the peer address
Jun 19 17:47:17 server pure-ftpd: (?@61.152.159.231) [INFO] New connection from 61.152.159.231
Jun 19 17:47:17 server pure-ftpd: (?@61.152.159.231) [INFO] PAM_RHOST enabled. Getting the peer address
Jun 19 17:47:24 server pure-ftpd: (?@61.152.159.231) [WARNING] Authentication failed for user [Administrator]
Jun 19 17:47:28 server pure-ftpd: (?@61.152.159.231) [INFO] PAM_RHOST enabled. Getting the peer address

Is there a way I can make it more secure, so that if somebody tries to authenticate 3 times, the system blocks the connection from that IP address for a set amount of time?

The second question is...
In ISPConfig under Mail Warn-Log, it looks like spammers are trying to use my SMTP server to send emails.
This is the message shown in the log:

Jun 18 09:50:14 server postfix/smtpd[19299]: warning: 76.76.122.116: address not listed for hostname generic.gogax.com
Jun 18 10:07:26 server postfix/smtpd[20894]: warning: 92.255.64.20: hostname otr-gw5.lentel.ru verification failed: No address associated with hostname
Jun 18 11:11:24 server postfix/smtpd[26056]: warning: 93.178.214.124: hostname 124-214-178-93.lviv.farlep.net verification failed: No address associated with hostname
Jun 18 13:06:22 server postfix/smtpd[4212]: warning: 78.164.146.209: hostname dsl78.164-37585.ttnet.net.tr verification failed: No address associated with hostname
Jun 18 13:11:51 server postfix/smtpd[4884]: warning: 88.246.80.137: hostname dsl88-246-20617.ttnet.net.tr verification failed: No address

I know my server is already set up to require authentication before sending emails... is this something I need to worry about?
Can I make my smtp server more secure?

Thank you.

Croydon 20th June 2009 10:05

Hi,

Maybe you can have a look at OSSEC (http://www.ossec.net/main/downloads/).
I've had some good experiences with it.

till 20th June 2009 10:37

Also take a look at the fail2ban configuration, as fail2ban is part of every ISPConfig 3 setup if you followed the Perfect Server guides for ISPConfig 3:

http://www.howtoforge.com/fail2ban_debian_etch

danielborene 20th June 2009 16:02

Quote:

Originally Posted by till (Post 195525)
Also take a look at the fail2ban configuration, as fail2ban is part of every ISPConfig 3 setup if you followed the Perfect Server guides for ISPConfig 3:

http://www.howtoforge.com/fail2ban_debian_etch

Thanks for the reply.
In my fail2ban log inside of ISPConfig, it keeps showing this error message:

....
2009-06-19 21:07:28,425 fail2ban.filter : INFO Set findtime = 600
2009-06-19 21:07:28,426 fail2ban.server : ERROR Unexpected communication error
2009-06-19 21:07:28,426 fail2ban.actions: INFO Set banTime = 600
2009-06-19 21:07:28,487 fail2ban.server : ERROR Unexpected communication error
2009-06-19 21:07:28,526 fail2ban.jail : INFO Jail 'ssh' started
2009-06-20 00:40:16,922 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2009-06-20 00:41:01,972 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2009-06-20 00:44:50,334 fail2ban.jail : INFO Jail 'ssh' stopped
2009-06-20 00:44:50,347 fail2ban.server : INFO Exiting Fail2ban
2009-06-20 00:45:52,467 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2009-06-20 00:45:52,474 fail2ban.jail : INFO Creating new jail 'ssh'
2009-06-20 00:45:52,474 fail2ban.jail : INFO Jail 'ssh' uses poller
2009-06-20 00:45:52,531 fail2ban.server : ERROR Unexpected communication error
2009-06-20 00:45:52,592 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2009-06-20 00:45:52,593 fail2ban.server : ERROR Unexpected communication error
2009-06-20 00:45:52,593 fail2ban.filter : INFO Set maxRetry = 6
2009-06-20 00:45:52,595 fail2ban.filter : INFO Set findtime = 600
....

Also, the instructions at the link you gave me do not include instructions on how to add pureftpd. Do you know what config lines I have to add for pureftpd?

The instructions say to create a new file named jail.local. My question is: will the system automatically load jail.local instead of jail.conf?

danielborene 20th June 2009 17:29

I think I've got it. I found some information online:

fail2ban already has a filter under filter.d. I have added the following lines to jail.local:
[pure-ftpd]

enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/auth.log
maxretry = 3

Are the configurations above correct?

Thanks

till 21st June 2009 13:04

The best way to check this is to simply try to log in 3 times with a wrong password and then check the fail2ban.log.

danielborene 21st June 2009 15:39

Quote:

Originally Posted by till (Post 195727)
The best way to check this is to simply try to log in 3 times with a wrong password and then check the fail2ban.log.

I can't make it work for pure-ftpd. fail2ban is working for everything else (postfix, courier, ssh), but FTP is not.

Here's the message in the fail2ban log when I try to log in via FTP.

2009-06-21 07:41:09,052 fail2ban.filter : WARNING Unable to find a corresponding IP address for ::1

It seems like fail2ban is not able to identify the IP address of the person trying to connect, but when I go to the system log, I see that pure-ftpd shows an IP address for the person trying to connect.

What could be wrong?

till 21st June 2009 15:40

Please post the content of your /etc/hosts file. Also, you can try to disable IPv6 for pureftpd.

danielborene 22nd June 2009 01:34

Quote:

Originally Posted by till (Post 195750)
Please post the content of your /etc/hosts file. Also, you can try to disable IPv6 for pureftpd.

This is my /etc/hosts:
127.0.0.1 server.synkrotek.net localhost.localdomain localhost
192.168.10.95 server.synkrotek.net server

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

----------------------------------------------------
Ok,
this is what I found out.
The error I was getting in /var/log/fail2ban.log,
2009-06-19 21:07:28,487 fail2ban.server : ERROR Unexpected communication error
is related to the Python version, some type of incompatibility with Ubuntu 9.04. This is what you have to do to fix this error:
1. Install python2.5 ( sudo aptitude install python2.5 )
2. Edit the file /usr/bin/fail2ban-server and change the very first line "#!/usr/bin/python" to "#/usr/bin/python2.5"
3. Restart fail2ban

When I connect via FTP with a wrong user/passwd, this is what I get in /var/log/auth.log:
Jun 21 21:03:56 server pure-ftpd: pam_unix_auth(pure-ftpd:auth): check pass; user unknown
Jun 21 21:03:56 server pure-ftpd: pam_unix_auth(pure-ftpd:auth): authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=admin rhost=
*** where rhost= should show the IP address of the host. (This is connecting from a computer on my network.) ***

But if I open the /var/log/messages log, it shows the host's IP:
Jun 21 22:51:07 server pure-ftpd: (?@192.168.10.100) [INFO] New connection from 192.168.10.100
Jun 21 22:51:11 server pure-ftpd: (?@192.168.10.100) [INFO] PAM_RHOST enabled. Getting the peer address
Jun 21 22:51:17 server pure-ftpd: (?@192.168.10.100) [WARNING] Authentication failed for user [admin]

If I connect from a computer outside of my network, this is what I see inside of /var/log/auth.log:
Jun 21 20:20:38 server pure-ftpd: pam_unix_auth(pure-ftpd:auth): check pass; user unknown
Jun 21 20:20:38 server pure-ftpd: pam_unix_auth(pure-ftpd:auth): authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=admin rhost=c-68-32-75-137.hsd1.ga.comcast.net
** Where rhost= is showing (I don't know what you call a full host address like that...) it should display a regular IP address, and I guess fail2ban cannot parse this address for iptables because it's not a regular IP address. Am I correct? **
The same host is shown inside of /var/log/messages displaying the full hostname.

When I connect from localhost, auth.log shows rhost=server.synkrotek.net.

Although the people trying to hack my system had regular IP addresses, and /var/log/messages displays their IP, it does not appear under auth.log (rhost).

Why is fail2ban/pure-ftpd able to get the full hostname and not their IP address? What do I have to do?

till 22nd June 2009 11:23

Not all IP addresses have a reverse DNS record, so you often do not get a hostname for an IP; that's absolutely normal. If there is a reverse record, like in your test case, then the hostname and not the IP is logged. If you want only IP addresses in the log, then enable the DontResolve option in your pureftpd configuration.
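The two problems discussed in this thread (the first post's "block an IP after 3 failed logins" question and the later finding that auth.log carries rhost= as a resolved hostname, or nothing at all, while /var/log/messages carries the IP) can be seen side by side in a small script. The following is an added example, not code from the thread, from fail2ban or from pure-ftpd: it applies two regexes modelled on the exact line formats quoted above, counts failures per source with a sliding window using the thread's own maxretry = 3 and findtime = 600, and then separates the hosts that are dotted-quad IPv4 addresses (which an iptables ban action can use directly) from those that are hostnames, empty, or IPv6 literals, which the 0.8-series fail2ban filter would first have to resolve to an address (the "Unable to find a corresponding IP address for ::1" warning quoted earlier is that lookup failing). The sample log lines, the year 2009 (syslog timestamps carry no year) and the host 10.0.0.5 are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the two formats quoted in this thread: the
# pure-ftpd lines from /var/log/messages and the pam_unix lines from
# /var/log/auth.log. The 10.0.0.5 entries are made up to show a source whose
# failures are too spread out to reach maxretry inside findtime.
SAMPLE_LOG = """\
Jun 19 17:46:48 server pure-ftpd: (?@61.152.159.231) [WARNING] Authentication failed for user [Administrator]
Jun 19 17:47:04 server pure-ftpd: (?@61.152.159.231) [INFO] PAM_RHOST enabled. Getting the peer address
Jun 19 17:47:24 server pure-ftpd: (?@61.152.159.231) [WARNING] Authentication failed for user [Administrator]
Jun 19 17:48:10 server pure-ftpd: (?@61.152.159.231) [WARNING] Authentication failed for user [Administrator]
Jun 21 20:20:38 server pure-ftpd: pam_unix_auth(pure-ftpd:auth): authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=admin rhost=c-68-32-75-137.hsd1.ga.comcast.net
Jun 21 20:21:02 server pure-ftpd: pam_unix_auth(pure-ftpd:auth): authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=admin rhost=c-68-32-75-137.hsd1.ga.comcast.net
Jun 21 20:21:40 server pure-ftpd: pam_unix_auth(pure-ftpd:auth): authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=admin rhost=c-68-32-75-137.hsd1.ga.comcast.net
Jun 21 21:03:56 server pure-ftpd: pam_unix_auth(pure-ftpd:auth): authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=admin rhost=
Jun 22 09:00:00 server pure-ftpd: (?@10.0.0.5) [WARNING] Authentication failed for user [Administrator]
Jun 22 09:30:00 server pure-ftpd: (?@10.0.0.5) [WARNING] Authentication failed for user [Administrator]
Jun 22 10:00:00 server pure-ftpd: (?@10.0.0.5) [WARNING] Authentication failed for user [Administrator]
"""

# The "(?@host) [WARNING] Authentication failed" form from /var/log/messages.
MESSAGES_RE = re.compile(
    r"pure-ftpd: \(\?@(?P<host>[^)]*)\) \[WARNING\] Authentication failed for user \[(?P<user>[^\]]*)\]"
)
# The pam_unix "authentication failure; ... rhost=" form from /var/log/auth.log.
# rhost may be empty, an IP, or a resolved hostname, exactly as the thread shows.
AUTHLOG_RE = re.compile(
    r"pure-ftpd: pam_unix_auth\(pure-ftpd:auth\): authentication failure;.*\brhost=(?P<host>\S*)"
)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
SYSLOG_YEAR = 2009  # assumed: syslog timestamps carry no year


def extract_failure(line):
    """Return (timestamp, host) for a failed-login line, or None for anything else."""
    m = MESSAGES_RE.search(line) or AUTHLOG_RE.search(line)
    if m is None:
        return None
    stamp = " ".join(line.split()[:3])  # "Jun 19 17:46:48"
    ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR)
    return ts, m.group("host")


def hosts_over_threshold(lines, maxretry=3, findtime=600):
    """Sliding-window counter in the spirit of fail2ban's maxretry/findtime
    (defaults match the jail.local and log output posted in the thread).
    Returns, in order of first reaching the threshold, every host string
    that produced maxretry failures within findtime seconds."""
    recent = defaultdict(deque)
    flagged = []
    for line in lines:
        hit = extract_failure(line)
        if hit is None:
            continue
        ts, host = hit
        q = recent[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # drop stale failures
            q.popleft()
        if len(q) >= maxretry and host not in flagged:
            flagged.append(host)
    return flagged


def split_by_bannability(hosts):
    """Split flagged hosts into dotted-quad IPv4 addresses, which an iptables
    ban can use directly, and everything else (a reverse-resolved hostname,
    an empty rhost=, or an IPv6 literal such as ::1), which a fail2ban 0.8
    filter would still have to turn into an address before it could act."""
    ips = [h for h in hosts if IPV4_RE.match(h)]
    other = [h for h in hosts if not IPV4_RE.match(h)]
    return ips, other


if __name__ == "__main__":
    flagged = hosts_over_threshold(SAMPLE_LOG.splitlines())
    ips, other = split_by_bannability(flagged)
    print("bannable as-is:      ", ips)
    print("need resolving first:", other)
```

Run as-is, the script flags 61.152.159.231 (three failures in 82 seconds) and the comcast hostname (three failures in 62 seconds), and leaves 10.0.0.5 alone because its three failures are 30 minutes apart. Only the first of the two flagged entries is an address iptables can ban outright, which is exactly why the DontResolve suggestion above matters: with pure-ftpd logging the peer address instead of its reverse name, the auth.log lines fall into the first list.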

