vsftp server being hit repeatedly by someone from ipvanish.com

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Post by lightman47 » 2018/04/21 15:29:42

I have someone from ipvanish.com who's hammering away at my vsftp server. As they spoof a different address with each attempt, fail2ban doesn't catch/block them. I found this by perusing /var/log/secure, as I do every so often.

As there is no single IP associated, how can I permanently block ipvanish.com in its entirety? Any ideas? I'm considering changing my ftp port, but that's not a real fix, and I'm already playing that game with SSH.

Thank you.

EDIT:
I've added "ALL: .ipvanish.com" to /etc/hosts.deny. Not sure that accomplishes what I want.

EDIT2:
Regardless of what permutation of that site I used (leading "." or not), /var/log/secure began complaining about the entry, but more about the DNS identification of the machine that edited the file via SSH (while listing line number 14, the new entry in hosts.deny!). This is crazy.

Apr 21 13:14:23 wlinux sshd[3903]: warning: /etc/hosts.deny, line 14: host name/name mismatch: machine != machine.domain

Once I commented out the new entry in hosts.deny (line 14) this silliness stopped. Obviously then, hosts.deny gets parsed at every (remote) login. It would then seem that DNS (dnsmasq on my Edge Router Lite) suffers some issue when name resolution occurs and issues this warning? I might mention that the ftp server is BEHIND my Edge Router Lite.

Entry in Edge Router HOSTS file for this offending laptop:

192.168.n.nn	 machine machine.domain machine.externalDDNS.domain

This is non-critical, of course, but I'd like to
1. block 'ipvanish'
2. find out what I did wrong here

Thanks, again.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: vsftp server being hit repeatedly by someone from ipvanish.com

Post by hunter86_bg » 2018/04/22 14:03:38

I would recommend that you first try to contact ipvanish.com with the exact time stamps of when the offender tried to gain access. They might take some action.
Also check their server list and blacklist them all. Is your fail2ban blocking the IPs permanently?

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: vsftp server being hit repeatedly by someone from ipvanish.com

Post by TrevorH » 2018/04/22 14:05:51

Why do you suspect ipvanish.com when the attack is coming from multiple ip addresses?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: vsftp server being hit repeatedly by someone from ipvanish.com

Post by hunter86_bg » 2018/04/22 14:10:02

Also, in order for vsftpd to go through /etc/hosts.deny you need to set:

tcp_wrappers=yes

Then set in hosts.deny:

vsftpd: .ipvanish.com

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: vsftp server being hit repeatedly by someone from ipvanish.com

Post by lightman47 » 2018/04/22 14:24:26

Why do you suspect ipvanish.com when the attack is coming from multiple ip addresses?
Because:

Apr 16 06:20:11 wlin vsftpd[18907]: pam_succeed_if(vsftpd:auth): requirement "uid >= 1000" not met by user "ftp"
Apr 16 06:46:34 wlin vsftpd[19771]: pam_unix(vsftpd:auth): check pass; user unknown
Apr 16 06:46:34 wlin vsftpd[19771]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=69-16-147-133.ipvanish.com
Apr 16 16:53:55 wlin vsftpd[10977]: pam_unix(vsftpd:auth): check pass; user unknown
Apr 16 16:53:55 wlin vsftpd[10977]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=mm-143-20-121-178.dynamic.pppoe.mgts.by
Apr 16 17:37:15 wlin vsftpd[12684]: pam_unix(vsftpd:auth): check pass; user unknown
Apr 16 17:37:15 wlin vsftpd[12684]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=81-171-57-98.ipvanish.com
Apr 16 21:28:32 wlin vsftpd[21587]: pam_unix(vsftpd:auth): check pass; user unknown
Apr 16 21:28:32 wlin vsftpd[21587]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=l5-128-176-10.cn.ru
Apr 16 23:24:40 wlin vsftpd[25950]: pam_unix(vsftpd:auth): check pass; user unknown
Apr 16 23:24:40 wlin vsftpd[25950]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=69-16-147-124.ipvanish.com
Apr 17 05:43:33 wlin vsftpd[6474]: pam_unix(vsftpd:auth): check pass; user unknown
Apr 17 05:43:33 wlin vsftpd[6474]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=81-171-98-145.ipvanish.com
Apr 17 11:54:05 wlin vsftpd[19883]: pam_unix(vsftpd:auth): check pass; user unknown
Apr 17 11:54:05 wlin vsftpd[19883]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=173-245-211-164.ipvanish.com
Apr 17 23:21:29 wlin vsftpd[14593]: pam_unix(vsftpd:auth): check pass; user unknown
Apr 17 23:21:29 wlin vsftpd[14593]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=81-171-98-97.ipvanish.com
Apr 18 10:54:38 wlin vsftpd[6751]: pam_unix(vsftpd:auth): check pass; user unknown
Apr 18 10:54:38 wlin vsftpd[6751]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=185.174.157.22
Apr 18 17:45:26 wlin vsftpd[22809]: pam_unix(vsftpd:auth): check pass; user unknown
Apr 18 17:45:26 wlin vsftpd[22809]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=81-171-98-170.ipvanish.com
Apr 19 00:16:51 wlin vsftpd[4525]: pam_unix(vsftpd:auth): check pass; user unknown
Apr 19 00:16:51 wlin vsftpd[4525]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=205.185.198.221
Apr 19 06:22:28 wlin vsftpd[16558]: pam_unix(vsftpd:auth): check pass; user unknown
Apr 19 06:22:28 wlin vsftpd[16558]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=81-171-56-172.ipvanish.com
Apr 19 09:57:43 wlin vsftpd[25428]: pam_unix(vsftpd:auth): check pass; user unknown
Apr 19 09:57:43 wlinux vsftpd[25428]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=ip13.ip-51-38-12.eu
Apr 19 12:11:32 wlin vsftpd[30720]: pam_unix(vsftpd:auth): check pass; user unknown
Apr 19 12:11:32 wlin vsftpd[30720]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=205-185-222-111.ipvanish.com
Apr 19 18:31:06 wlin vsftpd[13737]: pam_unix(vsftpd:auth): check pass; user unknown
Apr 19 18:31:06 wlin vsftpd[13737]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=209.107.210.242
Apr 20 02:48:34 wlin vsftpd[30773]: pam_unix(vsftpd:auth): check pass; user unknown
Apr 20 02:48:34 wlin vsftpd[30773]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=173-245-211-114.ipvanish.com
Apr 20 07:14:30 wlin unix_chkpwd[7820]: password check failed for user (ftp)
Apr 20 07:14:30 wlin vsftpd[7817]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=ftp rhost=103.36.122.85  user=ftp
Apr 20 07:14:30 wlin vsftpd[7817]: pam_succeed_if(vsftpd:auth): requirement "uid >= 1000" not met by user "ftp"
Apr 20 09:37:41 wlin vsftpd[13351]: pam_unix(vsftpd:auth): check pass; user unknown
Apr 20 09:37:41 wlin vsftpd[13351]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=ns3086681.ip-94-23-39.eu
Apr 20 10:35:23 wlin vsftpd[15606]: pam_unix(vsftpd:auth): check pass; user unknown
Apr 20 10:35:23 wlin vsftpd[15606]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=173-245-211-92.ipvanish.com
Apr 20 16:34:45 wlin vsftpd[29834]: pam_unix(vsftpd:auth): check pass; user unknown
Apr 20 16:34:45 wlin vsftpd[29834]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=81-171-85-90.ipvanish.com

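As an added illustration (not code from the thread or from vsftpd), a small Python script that pulls the rhost out of pam_unix(vsftpd:auth) failure lines like the ones quoted above, counts failures per reverse-DNS suffix, and checks each rhost against a hosts.deny client pattern such as the `.ipvanish.com` entry suggested in the thread. The sample log lines are constructed in the same format as the post's, and the pattern matcher implements only the ALL / leading-dot / trailing-dot / exact forms of the tcp_wrappers syntax.

```python
import re
from collections import Counter

# Constructed sample lines in the pam_unix(vsftpd:auth) format quoted in the thread.
SAMPLE_LOG = """\
Apr 16 06:46:34 wlin vsftpd[19771]: pam_unix(vsftpd:auth): check pass; user unknown
Apr 16 06:46:34 wlin vsftpd[19771]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=69-16-147-133.ipvanish.com
Apr 16 16:53:55 wlin vsftpd[10977]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=mm-143-20-121-178.dynamic.pppoe.mgts.by
Apr 17 05:43:33 wlin vsftpd[6474]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=81-171-98-145.ipvanish.com
Apr 18 10:54:38 wlin vsftpd[6751]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=185.174.157.22
Apr 20 07:14:30 wlin vsftpd[7817]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=ftp rhost=103.36.122.85  user=ftp
"""

# Only the "authentication failure" line carries rhost; the "check pass" line does not.
FAILURE_RE = re.compile(r"vsftpd\[\d+\]: pam_unix\(vsftpd:auth\): authentication failure;.*?\brhost=(\S+)")

def failed_rhosts(log_text):
    """rhost of every vsftpd PAM authentication failure, in log order."""
    return [m.group(1) for m in map(FAILURE_RE.search, log_text.splitlines()) if m]

def group_key(rhost):
    """Last two labels of a reverse-DNS name, or 'bare-ip' when no PTR name was logged."""
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", rhost):
        return "bare-ip"
    return ".".join(rhost.split(".")[-2:])

def wrappers_match(pattern, rhost):
    """Subset of hosts.deny client-pattern semantics: ALL, '.suffix' (host name),
    'prefix.' (numeric address), or an exact string; no wildcards or netmasks."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return rhost.endswith(pattern)    # matches only if reverse DNS produced a name
    if pattern.endswith("."):
        return rhost.startswith(pattern)  # numeric prefix such as 192.168.
    return rhost == pattern

def summarize(log_text, pattern):
    """(failures per suffix, hosts the pattern would deny, hosts it would let through)."""
    hosts = failed_rhosts(log_text)
    by_suffix = Counter(group_key(h) for h in hosts)
    denied = [h for h in hosts if wrappers_match(pattern, h)]
    passed = [h for h in hosts if not wrappers_match(pattern, h)]
    return by_suffix, denied, passed

if __name__ == "__main__":
    by_suffix, denied, passed = summarize(SAMPLE_LOG, ".ipvanish.com")
    print("failures per reverse-DNS suffix:", dict(by_suffix))
    print("denied by pattern:", denied, "| not covered:", passed)
```

A leading-dot pattern only matches when the peer's reverse DNS resolved, so the bare-IP entries in the log come out as not covered; that is the gap that fail2ban (or a numeric pattern) has to close.
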
TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: vsftp server being hit repeatedly by someone from ipvanish.com

Post by TrevorH » 2018/04/22 14:50:02

That's not exactly high volume. I'd just implement fail2ban and move on with life.

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: vsftp server being hit repeatedly by someone from ipvanish.com

Post by lightman47 » 2018/04/22 14:56:13

OK - I do already have fail2ban.

Thanks