#1
20th June 2009, 01:29
danielborene

Server Security / email and ftp

Hello,
I have a couple of questions on how to improve the security of the server...
I've been looking at the logs shown inside of ISPConfig, and I noticed under System-Log a bunch of people connecting to my FTP server trying to figure out the password of the administrator account.
Here is the message I get in the log:

Jun 19 17:46:48 server pure-ftpd: (?@61.152.159.231) [WARNING] Authentication failed for user [Administrator]
Jun 19 17:47:04 server pure-ftpd: (?@61.152.159.231) [INFO] PAM_RHOST enabled. Getting the peer address
Jun 19 17:47:17 server pure-ftpd: (?@61.152.159.231) [INFO] New connection from 61.152.159.231
Jun 19 17:47:17 server pure-ftpd: (?@61.152.159.231) [INFO] PAM_RHOST enabled. Getting the peer address
Jun 19 17:47:24 server pure-ftpd: (?@61.152.159.231) [WARNING] Authentication failed for user [Administrator]
Jun 19 17:47:28 server pure-ftpd: (?@61.152.159.231) [INFO] PAM_RHOST enabled. Getting the peer address

Is there a way I can make it more secure, so that if somebody tries to authenticate 3 times the system blocks the connection from that IP address for a determined amount of time?

The second question is...
In ISPConfig under Mail Warn-Log, it looks like spammers are trying to use the mail SMTP server to send emails.
This is the message shown in the log:

Jun 18 09:50:14 server postfix/smtpd[19299]: warning: 76.76.122.116: address not listed for hostname generic.gogax.com
Jun 18 10:07:26 server postfix/smtpd[20894]: warning: 92.255.64.20: hostname otr-gw5.lentel.ru verification failed: No address associated with hostname
Jun 18 11:11:24 server postfix/smtpd[26056]: warning: 93.178.214.124: hostname 124-214-178-93.lviv.farlep.net verification failed: No address associated with hostname
Jun 18 13:06:22 server postfix/smtpd[4212]: warning: 78.164.146.209: hostname dsl78.164-37585.ttnet.net.tr verification failed: No address associated with hostname
Jun 18 13:11:51 server postfix/smtpd[4884]: warning: 88.246.80.137: hostname dsl88-246-20617.ttnet.net.tr verification failed: No address

I know my server is already set up to require authentication before sending emails... is this something I need to worry about?
Can I make my SMTP server more secure?

Thank you.

#2
20th June 2009, 11:05
Croydon (ISPConfig Developer)

Hi,

Maybe you can have a look at OSSEC (http://www.ossec.net/main/downloads/).
I've had some good experiences with this.

#3
20th June 2009, 11:37
till (Super Moderator)

Also take a look at the fail2ban configuration, as fail2ban is part of every ISPConfig 3 setup if you followed the perfect server guides for ISPConfig 3:

http://www.howtoforge.com/fail2ban_debian_etch
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

#4
20th June 2009, 17:02
danielborene

Quote:
Originally Posted by till
Also take a look at the fail2ban configuration, as fail2ban is part of every ISPConfig 3 setup if you followed the perfect server guides for ISPConfig 3:

http://www.howtoforge.com/fail2ban_debian_etch

Thanks for the reply.
In my fail2ban log inside of ISPConfig, it keeps showing this error message:

....
2009-06-19 21:07:28,425 fail2ban.filter : INFO Set findtime = 600
2009-06-19 21:07:28,426 fail2ban.server : ERROR Unexpected communication error
2009-06-19 21:07:28,426 fail2ban.actions: INFO Set banTime = 600
2009-06-19 21:07:28,487 fail2ban.server : ERROR Unexpected communication error
2009-06-19 21:07:28,526 fail2ban.jail : INFO Jail 'ssh' started
2009-06-20 00:40:16,922 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2009-06-20 00:41:01,972 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2009-06-20 00:44:50,334 fail2ban.jail : INFO Jail 'ssh' stopped
2009-06-20 00:44:50,347 fail2ban.server : INFO Exiting Fail2ban
2009-06-20 00:45:52,467 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2009-06-20 00:45:52,474 fail2ban.jail : INFO Creating new jail 'ssh'
2009-06-20 00:45:52,474 fail2ban.jail : INFO Jail 'ssh' uses poller
2009-06-20 00:45:52,531 fail2ban.server : ERROR Unexpected communication error
2009-06-20 00:45:52,592 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2009-06-20 00:45:52,593 fail2ban.server : ERROR Unexpected communication error
2009-06-20 00:45:52,593 fail2ban.filter : INFO Set maxRetry = 6
2009-06-20 00:45:52,595 fail2ban.filter : INFO Set findtime = 600
....

Also, the instructions at the link you gave me do not include instructions on how to add pureftpd to it. Do you know what config lines I have to add for pureftpd?

The instructions say to create a new file named jail.local. My question is, will the system automatically load jail.local instead of jail.conf?

#5
20th June 2009, 18:29
danielborene

I think I've got it. I found some information online.

fail2ban already has a filter under filter.d. I have added the following lines to jail.local:
[pure-ftpd]

enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/auth.log
maxretry = 3

Are the configurations above correct?

Thanks

#6
21st June 2009, 14:04
till (Super Moderator)

The best way to check this is to simply try to log in 3 times with a wrong password and then check the fail2ban.log.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
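
An offline version of the check suggested in post #6, added here as an example (it is not code from the thread or from fail2ban): it runs a failure regex over log text and applies the maxretry = 3 from post #5 and the findtime = 600 seen in the fail2ban log in post #4. `FAIL_RE`, `find_bans` and `matched_lines` are hypothetical names, the regex is a simplified stand-in for the shipped pure-ftpd filter, and the log lines are constructed in the format quoted in post #1.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the format of the pure-ftpd lines in post #1.
# 198.51.100.9 and 203.0.113.7 are documentation addresses, not from the thread.
SAMPLE_LOG = """\
Jun 19 17:00:00 server pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [Administrator]
Jun 19 17:06:00 server pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [Administrator]
Jun 19 17:12:00 server pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [Administrator]
Jun 19 17:46:40 server pure-ftpd: (?@203.0.113.7) [INFO] New connection from 203.0.113.7
Jun 19 17:46:48 server pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [Administrator]
Jun 19 17:47:04 server pure-ftpd: (?@203.0.113.7) [INFO] PAM_RHOST enabled. Getting the peer address
Jun 19 17:47:24 server pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [Administrator]
Jun 19 17:48:02 server pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [Administrator]
"""

# Simplified stand-in for a failregex (assumption; not fail2ban's shipped filter).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ pure-ftpd: \(.*@(?P<host>[\d.]+)\) "
    r"\[WARNING\] Authentication failed for user"
)

def find_bans(log_text, maxretry=3, findtime=600, year=2009):
    """Return {ip: time the ban would trigger}: maxretry failures within findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)    # ip -> failure times still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m is None or m["host"] in bans:
            continue               # not a failure line, or host already banned
        # Syslog timestamps carry no year, so one is supplied for parsing.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["host"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[m["host"]] = ts
    return bans

def matched_lines(log_text):
    """Count failure lines the regex sees; 0 means the jail could never ban."""
    return sum(1 for line in log_text.splitlines() if FAIL_RE.match(line))

if __name__ == "__main__":
    print(matched_lines(SAMPLE_LOG), find_bans(SAMPLE_LOG))
```

A match count of 0 on the file named in `logpath` means the jail is watching a log that does not contain the pure-ftpd failure lines. On a live system, `fail2ban-regex <logfile> <filter file>` runs the same match test with the real filter.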