No E-Mail and no Blocking of mail/ftp/etc. Logins

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
noox
Forum User
Posts: 11
Joined: Sat Jan 11, 2014 9:00 am
Location: Austria

No E-Mail and no Blocking of mail/ftp/etc. Logins

Post by noox »

I'm new to ASL. I'm currently in the test period and I'm planning to buy it afterwards. I have a cPanel server. Previously I used ConfigServer CSF and LFD. I uninstalled these programs before installing ASL.

Currently I have two issues.

First: I do not get any mail except from rkhunter (two each night - before I installed ASL I used rkhunter just on demand and removed it before installing ASL).

I have a lot of security events (mainly from WAF). I have set
OSSEC_ACTIVE_RESPONSE to YES
OSSEC_MAX_MSG 60
HIDS_EMAIL_ALERT_LEVEL 7

I found somewhere I should check for ossec-maild:

Code:

ps auxwww | grep ossec
ossecm   14721  0.0  0.0 133676 10228 ?        S    22:34   0:00 /var/ossec/bin/ossec-dbd
ossecm   14726  0.0  0.0   8608   492 ?        S    22:34   0:00 /var/ossec/bin/ossec-maild
ossec    14735  0.2  0.0  17480  9500 ?        S    22:34   0:08 /var/ossec/bin/ossec-analysisd
root     14739  0.0  0.0   6540   512 ?        S    22:34   0:00 /var/ossec/bin/ossec-logcollector
root     14765  0.0  0.0   8952  2948 ?        S    22:34   0:02 /var/ossec/bin/ossec-syscheckd
ossec    14769  0.0  0.0   8704   420 ?        S    22:34   0:00 /var/ossec/bin/ossec-monitord
root     15448  0.0  0.0  15656  1172 ?        S    Jan13   0:01 /var/ossec/bin/ossec-execd
root     32155  0.0  0.0 103304   836 pts/2    S+   23:34   0:00 grep ossec
When I first did this, I got <defunct> for ossec-maild, but after a restart it seems to be OK. I already tried different email addresses.

Is there something else I could check?


Second: Before I had ASL installed, LFD blocked a lot of IPs because of repeated authentications failures (ftpd, smtpauth, htpasswd, pop3d)

But I did not see any such blocks with ASL. When I reduced the filter to 5 I saw an IP which tried to log in to pop3 every 17 seconds all day long (about 4000 times):

Code:

myservername dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<je>, method=PLAIN, rip=192.111.78.158, lip=myip, session=<2jMLuQnwKADAb06e>
I read something about slow attacks in the forum here. Does ASL not detect and block them? And what about the other services like FTP or SMTP?

When I restart ASL the OSSEC part says:

Code:

Checking ossec-hids settings
  Checking for ossec-hids installation: installed          [OK]
  ossec-hids set to: enabled                               [OK]
  OSSEC is configured in server mode.
    Checking for server installation: installed            [OK]
    Enable email notification: enabled                     [OK]
    Notifications to address: hs.offnetwork@aon.at         [OK]
    Notifications from address: asl@dorado.nooxserver.com  [OK]
    SMTP server: 127.0.0.1                                 [OK]
    Max email per hour setting: 60                         [OK]
    Active Response: enabled                               [OK]
    Active Response timeout: 600                           [OK]

    Verifying OSSEC whitelists
      checking: 46.4.89.8                                  [OK]
      checking: 127.0.0.1                                  [OK]
      checking: 178.190.219.193                            [OK]
    Excessive whitelists not detected: 3                   [OK]

    Checking for monitored log files
      /var/log/messages: monitored                         [OK]
      /var/log/secure: monitored                           [OK]
      /var/log/maillog: monitored                          [OK]
      /var/log/httpd/access_log: monitored                 [OK]
      /var/log/httpd/audit_log: monitored                  [OK]
      /var/log/tortixd/audit_log: monitored                [OK]
      /var/log/httpd/error_log: monitored                  [OK]
      /var/log/httpd/suexec_log: monitored                 [OK]
      /var/log/mysqld.log: monitored                       [OK]

Reloading ossec-hids:                                      [  OK  ]
With LFD I had many more attacks on SMTP and FTP than on POP3. Is there a possibility to block these login attempts with ASL too? E.g. after 10 attempts in 5 minutes? Has this something to do with HIDS_analysisd_default_timeframe? I could not find a description for these HIDS values.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: No E-Mail and no Blocking of mail/ftp/etc. Logins

Post by mikeshinn »

For your mail issue, what do you see in your mail logs? If you don't see anything coming from OSSEC then the most common issues are:

1) firewall rules blocking you
2) mail server not running
3) mail server misconfigured (on cPanel that's usually that SPF isn't set up right and it's rejecting the mail)
4) your server can't resolve either your domain or the SMTP server you configured
5) mail server isn't listening on port 25
6) spam filter issues in your mail server config

Check your mail server's logs as a shortcut. If you don't see anything obvious, I just put together a troubleshooting guide for you that covers every possible thing I could think of that might be wrong or misconfigured with your server.

https://www.atomicorp.com/wiki/index.ph ... s_from_ASL

If I missed something, let me know and let us know what you find out is going on with your system.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: No E-Mail and no Blocking of mail/ftp/etc. Logins

Post by scott »

Ok, I see what's going on: that's a different format for the log than in other versions of cPanel, so the decoder doesn't know how to detect the IP address in the version you're on. Not a hard fix. Out of curiosity, which version of cPanel are you using?
noox
Forum User
Posts: 11
Joined: Sat Jan 11, 2014 9:00 am
Location: Austria

Re: No E-Mail and no Blocking of mail/ftp/etc. Logins

Post by noox »

scott wrote: Ok, I see what's going on: that's a different format for the log than in other versions of cPanel, so the decoder doesn't know how to detect the IP address in the version you're on. Not a hard fix. Out of curiosity, which version of cPanel are you using?
Thanks for the replies. I'll check the mail issue later.

I'm using CPanel 11.40.1 (build 0). It's the latest "Release" version.
WHM says:

Code:

CENTOS 6.5 x86_64 standard – myServerName  | WHM 11.40.1 (build 9)
I'm using the ASL kernel.

There is an option in WHM where you can choose your mailserver. I think I had Courier before. But it seems like CPanel now favors Dovecot ("This is the default choice.").

I just saw that I missed something in the log line:

Code:

Jan 15 22:25:17 myHostNameWithoutDomain  dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<franco>, method=PLAIN, rip=192.111.78.158, lip=46.x.y.z, session=<94//8AjwLwDAb06e>
Jan 15 22:25:34 myHostNameWithoutDomain dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<friday>, method=PLAIN, rip=192.111.78.158, lip=46.x.y.z, session=<ab4C8gjwjwDAb06e>
Jan 15 22:25:51 myHostNameWithoutDomain dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<gabby>, method=PLAIN, rip=192.111.78.158, lip=46.x.y.z, session=<vuQF8wjwywDAb06e>
Jan 15 22:26:08 myServerName dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<gabe>, method=PLAIN, rip=192.111.78.158, lip=46.4.89.8, session=<jDUJ9AjwnQDAb06e>
Jan 15 22:26:28 myHostNameWithoutDomain  dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<gabi>, method=PLAIN, rip=192.111.78.158, lip=46.x.y.z, session=<GEg69QjwVgDAb06e>
Jan 15 22:26:45 myHostNameWithoutDomain dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<gabriela>, method=PLAIN, rip=192.111.78.158, lip=46.x.y.z, session=<exlF9gjwGADAb06e>
Jan 15 22:27:02 myHostNameWithoutDomain dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<gabriel>, method=PLAIN, rip=192.111.78.158, lip=46.x.y.z, session=<OjFI9wjwJwDAb06e>
Jan 15 22:27:19 myHostNameWithoutDomain dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<gabriella>, method=PLAIN, rip=192.111.78.158, lip=46.x.y.z, session=<9FlL+AjwdADAb06e>
Jan 15 22:27:39 myHostNameWithoutDomain dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<gaby>, method=PLAIN, rip=192.111.78.158, lip=46.x.y.z, session=<R2B8+QjwzQDAb06e>
Jan 15 22:27:56 myHostNameWithoutDomain dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<gada>, method=PLAIN, rip=192.111.78.158, lip=46.x.y.z, session=<2tt/+gjwpgDAb06e>
Jan 15 22:28:13 myHostNameWithoutDomain  dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<gad>, method=PLAIN, rip=192.111.78.158, lip=46.x.y.z, session=<d02D+wjw5ADAb06e>
or

Code:

Jan 15 23:26:15 myHostNameWithoutDomain dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user=<jojo>, method=PLAIN, rip=192.111.78.158, lip=46.x.y.z, session=<XdJSwQnwtADAb06e>

I also saw that the SMTP errors are logged to /var/log/exim_reject

Code:


2014-01-16 05:54:06 dovecot_login authenticator failed for 108.168.250.170-static.reverse.softlayer.com (USER) [108.168.250.170]:52648: 535 Incorrect authentication data (set_id=test@downhill-rangers.com)
2014-01-16 05:54:10 dovecot_login authenticator failed for 108.168.250.170-static.reverse.softlayer.com (USER) [108.168.250.170]:52684: 535 Incorrect authentication data (set_id=test@downhillschrott.com)
2014-01-16 05:54:11 dovecot_login authenticator failed for 108.168.250.170-static.reverse.softlayer.com (USER) [108.168.250.170]:52743: 535 Incorrect authentication data (set_id=test@dh-rangers.com)
2014-01-16 05:54:13 dovecot_login authenticator failed for 108.168.250.170-static.reverse.softlayer.com (USER) [108.168.250.170]:52818: 535 Incorrect authentication data (set_id=test@downhill-rangers.com)
2014-01-16 05:54:19 dovecot_login authenticator failed for 108.168.250.170-static.reverse.softlayer.com (USER) [108.168.250.170]:53046: 535 Incorrect authentication data
2014-01-16 05:54:19 dovecot_login authenticator failed for 108.168.250.170-static.reverse.softlayer.com (USER) [108.168.250.170]:53097: 535 Incorrect authentication data
2014-01-16 05:54:20 dovecot_login authenticator failed for 108.168.250.170-static.reverse.softlayer.com (USER) [108.168.250.170]:53113: 535 Incorrect authentication data
2014-01-16 05:54:21 dovecot_login authenticator failed for 108.168.250.170-static.reverse.softlayer.com (USER) [108.168.250.170]:53154: 535 Incorrect authentication data
2014-01-16 05:54:23 dovecot_login authenticator failed for 108.168.250.170-static.reverse.softlayer.com (USER) [108.168.250.170]:53242: 535 Incorrect authentication data
2014-01-16 05:54:37 dovecot_login authenticator failed for 108.168.250.170-static.reverse.softlayer.com (USER) [108.168.250.170]:53749: 535 Incorrect authentication data
2014-01-16 05:54:38 dovecot_login authenticator failed for 108.168.250.170-static.reverse.softlayer.com (USER) [108.168.250.170]:53843: 535 Incorrect authentication data
2014-01-16 05:54:39 dovecot_login authenticator failed for 108.168.250.170-static.reverse.softlayer.com (USER) [108.168.250.170]:53954: 535 Incorrect authentication data
2014-01-16 05:54:41 dovecot_login authenticator failed for 108.168.250.170-static.reverse.softlayer.com (USER) [108.168.250.170]:54023: 535 Incorrect authentication data

2014-01-16 20:25:34 H=(microsof-088e7c) [217.8.95.146]:63746 rejected MAIL <info@bico.su>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2014-01-16 20:25:42 dovecot_login authenticator failed for 38215.vs.webtropia.com (ylmf-pc) [62.141.38.215]:61817: 535 Incorrect authentication data
2014-01-16 20:25:50 H=(customer-187-237-215-98.uninet-ide.com.mx) [187.237.215.98]:1943 F=<eiyeobnpz@00359.net> rejected RCPT <tyqsanq327@domainonmyserver.com>: No Such User Here"
2014-01-16 20:25:52 dovecot_login authenticator failed for 38215.vs.webtropia.com (ylmf-pc) [62.141.38.215]:62815: 535 Incorrect authentication data
2014-01-16 20:25:53 H=([84.79.136.249]) [84.79.136.249]:4160 F=<volepfs@portalsado.com> rejected RCPT <zmkyyauhg170@domainonmyserver.com>: No Such User Here"
2014-01-16 20:25:54 H=93-86-103-135.dynamic.isp.telekom.rs [93.86.103.135]:3761 F=<hajdoot@datasmith.net> rejected RCPT <sxvbpgrom831@26zoll.com>: No Such User Here"
2014-01-16 20:25:55 H=net-93-67-192-255.cust.dsl.vodafone.it ([46.182.90.79]) [93.67.192.255]:62572 F=<wpxehiqanupe@jazfry.com> rejected RCPT <cpiyhhvw837@domainonmyserver.com>: No Such User Here"
2014-01-16 20:25:56 H=boi59-4-82-240-113-18.fbx.proxad.net [82.240.113.18]:30804 F=<ixgilgdpkg@menagulfgate.com> rejected RCPT <ctpaduivp871@26zoll.com>: No Such User Here"
2014-01-16 20:25:59 H=222.17.217.87.dynamic.jazztel.es (95.19.217.87.dynamic.jazztel.es) [87.217.17.222]:65145 F=<ilpfcwmbv@fusionjewellers.com.au> rejected RCPT <fvgxp194@domainonmyserver.com>: No Such User Here"
In the exim reject log I saw the reason why I did not get the mails:

Code:

2014-01-16 20:32:02 H=localhost (notify.ossec.net) [127.0.0.1]:41582 sender verify fail for <asl@myhost.mydomain.com>: Unrouteable address
2014-01-16 20:32:02 H=localhost (notify.ossec.net) [127.0.0.1]:41582 F=<asl@myhost.mydomain.com> rejected RCPT <anything.offnetwork@myprovider.at>: Sender verify failed

I changed the sender email from asl@myhostname.com to root@.... Now I'm receiving the mails. I'm just asking myself why I did not look into that earlier :roll: .
noox
Forum User
Posts: 11
Joined: Sat Jan 11, 2014 9:00 am
Location: Austria

Re: No E-Mail and no Blocking of mail/ftp/etc. Logins

Post by noox »

I also found these Logs in /var/log/messages:

Code:

Jan 16 21:20:04 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [INFO] New connection from 77.121.111.87
Jan 16 21:20:05 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [WARNING] Authentication failed for user [news@domainOnServer.info]
Jan 16 21:20:05 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [INFO] Logout.
Jan 16 21:20:05 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [INFO] New connection from 77.121.111.87
Jan 16 21:20:07 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [WARNING] Authentication failed for user [news@domainOnServer.info]
Jan 16 21:20:07 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [INFO] Logout.
Jan 16 21:20:07 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [INFO] New connection from 77.121.111.87
Jan 16 21:20:09 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [WARNING] Authentication failed for user [news@domainOnServer.com]
Jan 16 21:20:09 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [INFO] Logout.
Jan 16 21:20:09 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [INFO] New connection from 77.121.111.87
Jan 16 21:20:11 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [WARNING] Authentication failed for user [news@domainOnServer.info]
Jan 16 21:20:11 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [INFO] Logout.
Jan 16 21:20:11 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [INFO] New connection from 77.121.111.87
Jan 16 21:20:12 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [WARNING] Authentication failed for user [news@domainOnServer.com]
Jan 16 21:20:12 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [INFO] Logout.
Jan 16 21:20:12 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [INFO] New connection from 77.121.111.87
Jan 16 21:20:12 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [WARNING] Authentication failed for user [news@domainOnServer.info]
Jan 16 21:20:12 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [INFO] Logout.
Jan 16 21:20:13 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [INFO] New connection from 77.121.111.87
Jan 16 21:20:14 hostnameWithoutDomain pure-ftpd: (?@93.74.149.209) [INFO] New connection from 93.74.149.209
Jan 16 21:20:15 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [WARNING] Authentication failed for user [news@domainOnServer.info]
Jan 16 21:20:15 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [INFO] Logout.
Jan 16 21:20:15 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [INFO] New connection from 77.121.111.87
Jan 16 21:20:18 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [WARNING] Authentication failed for user [news@domainOnServer.com]
Jan 16 21:20:18 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [INFO] Logout.
Jan 16 21:20:18 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [INFO] New connection from 77.121.111.87
Jan 16 21:20:19 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [WARNING] Authentication failed for user [news@domainOnServer.info]
Jan 16 21:20:19 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [INFO] Logout.
Jan 16 21:20:19 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [INFO] New connection from 77.121.111.87
Jan 16 21:20:19 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [WARNING] Authentication failed for user [news@domainOnServer.info]
Jan 16 21:20:19 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [INFO] Logout.
Jan 16 21:20:19 hostnameWithoutDomain pure-ftpd: (?@77.121.111.87) [INFO] New connection from 77.121.111.87
Jan 16 21:20:20 hostnameWithoutDomain pure-ftpd: (?@93.74.149.209) [WARNING] Authentication failed for user [contact]
Jan 16 21:20:20 hostnameWithoutDomain pure-ftpd: (?@93.74.149.209) [INFO] Logout.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: No E-Mail and no Blocking of mail/ftp/etc. Logins

Post by mikeshinn »

Thank you for the log examples, can you update your system to the latest rules:

aum -u

Regarding your mail issue:
In the exim reject log I saw the reason, why I did not get the mails:
Code:
2014-01-16 20:32:02 H=localhost (notify.ossec.net) [127.0.0.1]:41582 sender verify fail for <asl@myhost.mydomain.com>: Unrouteable address
2014-01-16 20:32:02 H=localhost (notify.ossec.net) [127.0.0.1]:41582 F=<asl@myhost.mydomain.com> rejected RCPT <anything.offnetwork@myprovider.at>: Sender verify failed
That means your mail server is rejecting the email because of how your mail server is configured. Apparently it wants you to use a From: from a domain that it thinks is routable, and for whatever reason your mail server thinks the email address you are using is not routable. This isn't caused by ASL; it's your mail server that's causing that error in your mail server's logs.

Here's a link on cPanel's forums about this error:

http://forums.cpanel.net/f43/sender-ver ... 13013.html

My advice would be to either change to using an email address that your mail server thinks is routable (no idea what that would be, maybe a domain on that server?), or configure your mail server to not require that from: lines sent from localhost require this (disable sender verification).

Please contact your mail server vendor for help configuring their software. I wouldn't want to steer you wrong, and since it's their software I'm sure they can tell you how to fix this problem. Basically you want to tell them you are trying to send an email from whatever_email_address_you_used to whatever_address_you_used, and you're getting that error. Or use an email address your mail server supports. I wish I could tell you what to use, but clearly your mail server thinks whatever you're using is unroutable.
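To make the sender-verification failure above concrete, here is an added example (not code from this thread, from Atomicorp or from cPanel) that reads exim reject-log lines in the format posted earlier, keeps only the rejections of mail that ossec-maild submitted from 127.0.0.1 (exim prints the HELO name, notify.ossec.net in the posted log, in parentheses after H=), and reports which sender address failed verification and which notification recipients were lost. The `local_domains` list stands in for the domains the server accepts mail for (on a cPanel box that would normally come from /etc/localdomains; treating "routable" as "domain is in that list" is a simplification and an assumption of this demo, since exim's real check routes the address). The log lines are constructed, with hostnames and addresses replaced.

```python
import re

# Constructed exim reject-log lines modelled on the ones posted in this thread
# (hostnames and addresses replaced with example.* names).
SAMPLE_REJECTLOG = [
    "2014-01-16 20:25:42 dovecot_login authenticator failed for vs.example.org (ylmf-pc) [62.141.38.215]:61817: 535 Incorrect authentication data",
    "2014-01-16 20:25:50 H=(spam-host) [187.237.215.98]:1943 F=<x@example.org> rejected RCPT <nobody@example.com>: No Such User Here",
    "2014-01-16 20:32:02 H=localhost (notify.ossec.net) [127.0.0.1]:41582 sender verify fail for <asl@myhost.example.com>: Unrouteable address",
    "2014-01-16 20:32:02 H=localhost (notify.ossec.net) [127.0.0.1]:41582 F=<asl@myhost.example.com> rejected RCPT <admin@example.net>: Sender verify failed",
]

# HELO name ossec-maild presented in the posted log; exim prints it after H= in parentheses.
OSSEC_HELO = "notify.ossec.net"

HOST_RX = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) H=(?P<rdns>[^ (]*) ?\((?P<helo>[^)]*)\) "
    r"\[(?P<ip>[\d.]+)\]:\d+ (?P<rest>.*)$")
VERIFY_RX = re.compile(r"sender verify fail for <(?P<addr>[^>]*)>: (?P<reason>.+)")
RCPT_RX = re.compile(r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]+)>: (?P<reason>.+)")


def parse_reject(line):
    """Split one exim reject-log line into its fields. Returns None for lines that are
    not SMTP-session rejections (AUTH failures, for example) or in an unknown shape."""
    m = HOST_RX.match(line)
    if not m:
        return None
    rec = {"time": m.group("ts"), "helo": m.group("helo"), "ip": m.group("ip")}
    v = VERIFY_RX.match(m.group("rest"))
    if v:
        rec.update(kind="sender_verify", sender=v.group("addr"), reason=v.group("reason"))
        return rec
    r = RCPT_RX.match(m.group("rest"))
    if r:
        rec.update(kind="rcpt_rejected", sender=r.group("sender"),
                   recipient=r.group("rcpt"), reason=r.group("reason"))
        return rec
    return None


def ossec_mail_rejections(lines):
    """Only the rejections of mail that ossec-maild handed to exim on the loopback."""
    recs = (parse_reject(line) for line in lines)
    return [r for r in recs if r and r["ip"] == "127.0.0.1" and r["helo"] == OSSEC_HELO]


def sender_is_routable(sender, local_domains):
    """Simplified routability check: the sender's domain must be one the server
    accepts mail for (hypothetical stand-in for exim's real sender verification)."""
    domain = sender.rsplit("@", 1)[-1].lower()
    return domain in {d.lower() for d in local_domains}


def diagnose(lines, local_domains):
    """Summarise why OSSEC notifications bounced and suggest senders that would pass.
    The root@<local domain> suggestion mirrors the fix that worked in this thread."""
    rej = ossec_mail_rejections(lines)
    unroutable = sorted({r["sender"] for r in rej if r["kind"] == "sender_verify"})
    lost = sorted({r["recipient"] for r in rej if r["kind"] == "rcpt_rejected"})
    return {
        "rejected": len(rej),
        "unroutable_senders": [s for s in unroutable if not sender_is_routable(s, local_domains)],
        "lost_recipients": lost,
        "suggested_senders": ["root@" + d for d in local_domains],
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_REJECTLOG, ["example.com", "example.net"]))
```

Run it against the real file with `diagnose(open("/var/log/exim_rejectlog").read().splitlines(), ...)`; an empty `unroutable_senders` list with a non-zero `rejected` count means the bounce has a different cause and the `reason` fields of `ossec_mail_rejections()` are the next thing to read.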
noox
Forum User
Posts: 11
Joined: Sat Jan 11, 2014 9:00 am
Location: Austria

Re: No E-Mail and no Blocking of mail/ftp/etc. Logins

Post by noox »

Thanks for the detailed answer. As I wrote in the last sentence in the post above - email is working after I changed the From: to "root@...." (I usually get server notifications from this sender mail address anyway).

But I have some further problems. One with the pure-ftpd rules:

I now see the events for pure-ftpd. I saw three rules. 11302 seems to log every(?) single entry. Then there is 11306 which detects brute force attacks (multiple failed logins) and 11308 which is for slow FTP brute force attacks.

IMHO there are two problems with these rules. The first one is that they log every line, especially WARNING (is OK) and INFO (probably not). So successful logins or other INFO messages are also treated as possible attacks.

The second problem is that the brute force rules do not distinguish between IPs. So the rules can block any IP with a successful login if some other log entries for other IPs were found before.

Some Examples from the Security Events window:
INFO messages, different IPs

Code:

11:24:00	dorado	10	11306	
dorado pure-ftpd: (?@67.163.181.73) [WARNING] Authentication failed for user [domainOnServer3@domainOnServer3.com]
Jan 17 11:23:44 dorado pure-ftpd: (?@67.163.181.73) [INFO] New connection from 67.163.181.73
Jan 17 11:23:11 dorado pure-ftpd: (?@189.203.219.237) [WARNING] Authentication failed for user [admin@domainOnServer1.info]
Jan 17 11:23:06 dorado pure-ftpd: (?@189.203.219.237) [INFO] New connection from 189.203.219.237
Jan 17 11:22:59 dorado pure-ftpd: (?@125.121.9.87) [WARNING] Authentication failed for user [userOnServer1]
Jan 17 11:22:55 dorado pure-ftpd: (?@125.121.9.87) [INFO] New connection from 125.121.9.87
Jan 17 11:22:51 dorado pure-ftpd: (?@127.0.0.1) [INFO] __cpanel__service__auth__ftpd__dnttT21dpTGlCgqpfxSxbJqP6zBnZ4oEkrEIeIv1Qh11FblnwdFzfKJDARDhzJQl is now logged in
Jan 17 11:22:51 dorado pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Just different IPs:

Code:

11:21:03	dorado	10	11308		dorado pure-ftpd: (?@202.179.10.34) [WARNING] Authentication failed for user [admin@domainOnServer2.com]
Jan 17 11:19:43 dorado pure-ftpd: (?@189.203.219.237) [WARNING] Authentication failed for user [admin@domainOnServer1.info]
Jan 17 11:18:33 dorado pure-ftpd: (?@189.203.219.237) [WARNING] Authentication failed for user [admin@domainOnServer1.info]
Jan 17 11:17:23 dorado pure-ftpd: (?@189.203.219.237) [WARNING] Authentication failed for user [admin@domainOnServer1.info]
Jan 17 11:17:05 dorado pure-ftpd: (?@202.179.10.34) [WARNING] Authentication failed for user [admin@domainOnServer2.com]
Jan 17 11:16:14 dorado pure-ftpd: (?@189.203.219.237) [WARNING] Authentication failed for user [admin@domainOnServer1.info]
Jan 17 11:15:05 dorado pure-ftpd: (?@189.203.219.237) [WARNING] Authentication failed for user [admin@domainOnServer1.info]
Jan 17 11:13:39 dorado pure-ftpd: (?@189.203.219.237) [WARNING] Authentication failed for user [admin@domainOnServer1.info]
Jan 17 11:12:03 dorado pure-ftpd: (?@189.203.219.237) [WARNING] Authentication failed for user [admin@domainOnServer1.info]
Jan 17 11:10:54 dorado pure-ftpd: (?@202.179.10.34) [WARNING] Authentication failed for user [admin@domainOnServer2.com]
Jan 17 11:10:29 dorado pure-ftpd: (?@189.203.219.237) [WARNING] Authentication failed for user [admin@domainOnServer1.info]
Jan 17 11:08:55 dorado pure-ftpd: (?@189.203.219.237) [WARNING] Authentication failed for user [admin@domainOnServer1.info
Info, different IPs, local connection:

Code:

11:43:51	dorado	10	11308		dorado pure-ftpd: (?@118.71.117.237) [INFO] New connection from 118.71.117.237
Jan 17 11:43:47 dorado pure-ftpd: (?@118.71.117.237) [INFO] New connection from 118.71.117.237
Jan 17 11:42:55 dorado pure-ftpd: (?@127.0.0.1) [INFO] __cpanel__service__auth__ftpd__Re8rp9iNCInjHvlMZuy2tqb4jnVe3ymmK6uoRMteX5ENxvR06_pS2eV3Ri7VwZXo is now logged in
Jan 17 11:42:55 dorado pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jan 17 11:37:55 dorado pure-ftpd: (?@127.0.0.1) [INFO] __cpanel__service__auth__ftpd__U79pFDqgCvLY4b70_fhq9ZJ5oMpU7puUxtb5jIVrUYSVXzohTfPc5cSvm_qI2WfW is now logged in
Jan 17 11:37:54 dorado pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jan 17 11:34:52 dorado pure-ftpd: (?@202.179.10.34) [WARNING] Authentication failed for user [admin@domainOnServer4.com]
Jan 17 11:34:48 dorado pure-ftpd: (?@202.179.10.34) [INFO] New connection from 202.179.10.34
Jan 17 11:32:54 dorado pure-ftpd: (?@127.0.0.1) [INFO] __cpanel__service__auth__ftpd__uEEduQVUnWMsQohcqa8cqeB2klZtKmHweCqyqRkGNopoihE6Zv5u_aIaMz48clwE is now logged in
Jan 17 11:32:53 dorado pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jan 17 11:31:36 dorado pure-ftpd: (?@202.179.10.34) [WARNING] Authentication failed for user [admin@domainOnServer4.com]
Jan 17 11:31:31 dorado pure-ftpd: (?@202.179.10.34) [INFO] New connection from 202.179.10.34
Can you please check these Rules if there are some flaws in it. I assume only WARNINGs/Authentication failures should be logged in these rules? And the brute force rules only for the same IP.
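The two concerns in the post above (INFO lines feeding a brute-force counter, and a counter shared across source IPs) and the earlier question about slow pop3/SMTP/FTP attacks all come down to two things: a decoder that extracts the source IP from each log format, and a frequency/timeframe counter keyed on that IP. The following is an added example, not OSSEC or ASL code and not the rules discussed, that does both in Python over constructed log lines modelled on the dovecot, exim and pure-ftpd lines posted in this thread (hosts and domains replaced; the syslog year, 2014, is assumed because those lines carry none). `same_source_ip=False` reproduces the behaviour noox suspected, a counter shared by every source of one service, so the block lands on whichever IP produces the Nth failure; the default keys the window on (service, IP). The 300-second timeframe also shows why a 17-second-interval attack is caught while a 60-second window misses it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog-style lines (dovecot, pure-ftpd) carry no year; assumed for this demo.
SYSLOG_YEAR = 2014

# Decoders: one regex per log format seen on the server in this thread. Each pulls
# the timestamp and the remote IP out of a *failed* login line and nothing else,
# so INFO lines and successful logins never reach the counters.
DECODERS = [
    ("dovecot-login", re.compile(
        r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ +dovecot: (?:pop3|imap)-login: Disconnected"
        r".*\(auth failed, \d+ attempts? in \d+ secs\).*\brip=(?P<ip>[\d.]+)")),
    ("exim-smtp-auth", re.compile(
        r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) dovecot_login authenticator failed for "
        r".*\[(?P<ip>[\d.]+)\]:\d+: 535 ")),
    ("pure-ftpd", re.compile(
        r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ +pure-ftpd: \(\?@(?P<ip>[\d.]+)\) "
        r"\[WARNING\] Authentication failed")),
]


def parse_ts(raw):
    """Accept both the exim (ISO) and the syslog ('Jan 16 21:20:05') timestamp formats."""
    if raw[0].isdigit():
        return datetime.strptime(raw, "%Y-%m-%d %H:%M:%S")
    return datetime.strptime(f"{SYSLOG_YEAR} {raw}", "%Y %b %d %H:%M:%S")


def decode(line):
    """Return (service, source_ip, time) for a failed login, or None for anything else."""
    for service, rx in DECODERS:
        m = rx.match(line)
        if m:
            return service, m.group("ip"), parse_ts(m.group("ts"))
    return None


def correlate(lines, frequency=5, timeframe=300, same_source_ip=True):
    """Sliding-window counter in the spirit of a frequency/timeframe composite rule.
    Returns (ip, service, time) for every event at which a block would fire.
    With same_source_ip=False the window is shared by all sources of one service,
    so the block lands on whichever IP happens to produce the Nth failure."""
    windows = defaultdict(deque)
    fired = []
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue
        service, ip, ts = ev
        key = (service, ip) if same_source_ip else service
        w = windows[key]
        w.append(ts)
        while w and (ts - w[0]).total_seconds() > timeframe:
            w.popleft()                      # drop failures older than the timeframe
        if len(w) >= frequency:
            fired.append((ip, service, ts))
            w.clear()                        # the composite event consumes the window
    return fired


# Constructed sample: four pure-ftpd failures from 77.121.111.87, one from
# 93.74.149.209, two more from 77.121.111.87; pop3 failures 17 s apart plus an
# inactivity disconnect from 192.111.78.158; five SMTP AUTH failures from
# 108.168.250.170; and INFO/reject lines that are not login failures.
SAMPLE_LOG = [
    "Jan 16 21:20:04 myhost pure-ftpd: (?@77.121.111.87) [INFO] New connection from 77.121.111.87",
    "Jan 16 21:20:05 myhost pure-ftpd: (?@77.121.111.87) [WARNING] Authentication failed for user [news@example.info]",
    "Jan 16 21:20:07 myhost pure-ftpd: (?@77.121.111.87) [WARNING] Authentication failed for user [news@example.info]",
    "Jan 16 21:20:09 myhost pure-ftpd: (?@77.121.111.87) [WARNING] Authentication failed for user [news@example.com]",
    "Jan 16 21:20:11 myhost pure-ftpd: (?@77.121.111.87) [WARNING] Authentication failed for user [news@example.info]",
    "Jan 16 21:20:12 myhost pure-ftpd: (?@127.0.0.1) [INFO] __cpanel__service__auth__ftpd__abc is now logged in",
    "Jan 16 21:20:20 myhost pure-ftpd: (?@93.74.149.209) [WARNING] Authentication failed for user [contact]",
    "Jan 16 21:20:22 myhost pure-ftpd: (?@77.121.111.87) [WARNING] Authentication failed for user [news@example.com]",
    "Jan 16 21:20:24 myhost pure-ftpd: (?@77.121.111.87) [WARNING] Authentication failed for user [news@example.info]",
    "Jan 15 22:25:17 myhost dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<franco>, method=PLAIN, rip=192.111.78.158, lip=46.0.0.1, session=<a>",
    "Jan 15 22:25:34 myhost dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<friday>, method=PLAIN, rip=192.111.78.158, lip=46.0.0.1, session=<b>",
    "Jan 15 22:25:51 myhost dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<gabby>, method=PLAIN, rip=192.111.78.158, lip=46.0.0.1, session=<c>",
    "Jan 15 22:26:08 myhost dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<gabe>, method=PLAIN, rip=192.111.78.158, lip=46.0.0.1, session=<d>",
    "Jan 15 22:29:15 myhost dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts in 180 secs): user=<jojo>, method=PLAIN, rip=192.111.78.158, lip=46.0.0.1, session=<e>",
    "2014-01-16 05:54:06 dovecot_login authenticator failed for host.example.org (USER) [108.168.250.170]:52648: 535 Incorrect authentication data (set_id=test@example.com)",
    "2014-01-16 05:54:10 dovecot_login authenticator failed for host.example.org (USER) [108.168.250.170]:52684: 535 Incorrect authentication data (set_id=test@example.net)",
    "2014-01-16 05:54:11 dovecot_login authenticator failed for host.example.org (USER) [108.168.250.170]:52743: 535 Incorrect authentication data",
    "2014-01-16 05:54:13 dovecot_login authenticator failed for host.example.org (USER) [108.168.250.170]:52818: 535 Incorrect authentication data",
    "2014-01-16 05:54:19 dovecot_login authenticator failed for host.example.org (USER) [108.168.250.170]:53046: 535 Incorrect authentication data",
    "2014-01-16 20:25:50 H=(spam-host) [187.237.215.98]:1943 F=<x@example.org> rejected RCPT <nobody@example.com>: No Such User Here",
]

if __name__ == "__main__":
    print("per source IP:", correlate(SAMPLE_LOG))
    print("shared window:", correlate(SAMPLE_LOG, same_source_ip=False))
    print("60 s window:  ", correlate(SAMPLE_LOG, timeframe=60))
```

With the per-IP window the three attacking addresses fire and 93.74.149.209 (a single failure) does not; with the shared window the fifth pure-ftpd failure happens to come from 93.74.149.209, so that is the address that would be blocked while 77.121.111.87 never reaches the threshold. The inactivity disconnect counts as a failed attempt because dovecot still reports `auth failed` in it, and the INFO lines are ignored by construction.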
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: No E-Mail and no Blocking of mail/ftp/etc. Logins

Post by mikeshinn »

I'm not sure I understand what your issue is, but we definitely want to help you. Can you tell me what rule IDs are triggered for which log events? Because this is what your events trigger, and that's what they should trigger:

Jan 17 11:23:44 dorado pure-ftpd: (?@67.163.181.73) [INFO] New connection from 67.163.181.73

Rule id: '11301'
Level: '3'
Description: 'New FTP connection.'


Jan 17 11:23:11 dorado pure-ftpd: (?@189.203.219.237) [WARNING] Authentication failed for user [admin@domainOnServer1.info]

Rule id: '11302'
Level: '5'
Description: 'FTP Authentication failed.'

And since I don't know what events correspond to what rules in your examples, I can't speak to your questions on the brute force rules. Can you provide examples for those?

Also, the fastest and best way to get help with this issue is to just click the false positive button in ASL, which will send us everything we need in real time, and we can help you much quicker. If you believe a rule is incorrectly reporting something, please click the false positive button. The forums really aren't the most efficient way to get us the information we need, plus you won't have to edit your logs before you post them (and we really need to see the unedited logs; editing them can sometimes mangle them so much the parsers won't process them the same way they will with an unmangled log).
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: No E-Mail and no Blocking of mail/ftp/etc. Logins

Post by mikeshinn »

I see you submitted to False Positives, and we just pushed updates for both of them. Can you update to the latest rules:

aum -u

And let us know if this addresses the issue.
noox
Forum User
Posts: 11
Joined: Sat Jan 11, 2014 9:00 am
Location: Austria

Re: No E-Mail and no Blocking of mail/ftp/etc. Logins

Post by noox »

Thanks a lot!

It was a bit strange today. I had some different issues. For about one hour opening event details took 60 seconds (I could not find slow database queries). But meanwhile everything is OK.

Also the rules 11302/11306/11308 behaved strangely. 11302 did not trigger at all between 11:43 and 23:45 CET (=UTC+1). Since then I had no such event. 11306 combined multiple log lines (as it should) till 11:43. Then it worked like 11302 before 11:43. 11308 also triggered only till 11:43 CET.

So I have to wait till more suspicious pure-ftpd logins happen. Thanks!

But additionally I have one other problem: it seems like changing rules has had no effect any more since yesterday. I changed e.g. "Email" from yes to no, the "Active Response" setting or the Severity. The dialog box remembered the setting. The rules were also listed in /etc/asl/rules. But I still get emails, the Security Events window ignores the changes and IPs did not get blocked. Is there any setting which could have caused this?

All in all it was a little confusing today ;)

Then I just have to get the exim login attempts to trigger rules, but I'll look into that tomorrow.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: No E-Mail and no Blocking of mail/ftp/etc. Logins

Post by mikeshinn »

Can you open a case with support on this issue? That would be the quickest and most efficient way to help you with that.