Hi @till, my pure-ftpd log confirms that my ISPConfig control panel was successfully breached with the ftpchk3 attack as mentioned. I have not been successful in installing either SFTP or FTPS, so kindly advise me on how to prevent further attacks.
This is really unlikely, as there is not even an FTP user to access ISPConfig, nor can you add such a user in ISPConfig. I guess you mix up ISPConfig with one of your websites here. Please post the log file. Both are installed and enabled in any ISPConfig standard setup when you followed one of the perfect server guides. If you did not install it, then reread the perfect server guide and install all software as described there.
Maybe my wording is not correct. What I meant to say is two websites configured under the ISPConfig control panel. Sorry if I have confused you. I had earlier turned pure-ftpd verbose mode on.

cat /var/log/messages | grep 52.178.111.127

[CODE]
Jan 12 00:59:41 server1 pure-ftpd: ([email protected]) [INFO] New connection from 52.178.113.127
Jan 12 00:59:42 server1 pure-ftpd: ([email protected]) [INFO] client2ftpaccount1 is now logged in
Jan 12 00:59:46 server1 pure-ftpd: ([email protected]) [INFO] Logout.
Jan 12 01:00:38 server1 pure-ftpd: ([email protected]) [INFO] New connection from 52.178.113.127
Jan 12 01:00:38 server1 pure-ftpd: ([email protected]) [INFO] client2ftpaccount5 is now logged in
Jan 12 01:00:39 server1 pure-ftpd: ([email protected]) [INFO] Logout.
Jan 12 01:01:42 server1 pure-ftpd: ([email protected]) [INFO] New connection from 52.178.113.127
Jan 12 01:01:42 server1 pure-ftpd: ([email protected]) [INFO] client2ftpaccount5 is now logged in
Jan 12 01:01:43 server1 pure-ftpd: ([email protected]) [INFO] Logout.
Jan 12 01:12:46 server1 pure-ftpd: ([email protected]) [INFO] New connection from 52.178.113.127
Jan 12 01:12:47 server1 pure-ftpd: ([email protected]) [INFO] client2ftpaccount1 is now logged in
Jan 12 01:12:47 server1 pure-ftpd: ([email protected]) [INFO] Logout.
Jan 12 02:46:45 server1 pure-ftpd: ([email protected]) [INFO] New connection from 52.178.113.127
Jan 12 02:46:45 server1 pure-ftpd: ([email protected]) [INFO] New connection from 52.178.113.127
Jan 12 02:46:46 server1 pure-ftpd: ([email protected]) [INFO] client2ftpaccount5 is now logged in
Jan 12 02:46:46 server1 pure-ftpd: ([email protected]) [INFO] client2ftpaccount1 is now logged in
Jan 12 02:46:54 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /docs: No such file or directory
Jan 12 02:46:54 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /docs: No such file or directory
Jan 12 02:46:54 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /domains: No such file or directory
Jan 12 02:46:55 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /domains: No such file or directory
Jan 12 02:46:55 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /content: No such file or directory
Jan 12 02:46:55 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /content: No such file or directory
Jan 12 02:46:56 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /ftp_pub: No such file or directory
Jan 12 02:46:56 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /ftp_pub: No such file or directory
Jan 12 02:46:56 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /htdocs: No such file or directory
Jan 12 02:46:57 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /htdocs: No such file or directory
Jan 12 02:46:57 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /html: No such file or directory
Jan 12 02:46:58 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /html: No such file or directory
Jan 12 02:46:58 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /httpdocs: No such file or directory
Jan 12 02:46:59 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /httpdocs: No such file or directory
Jan 12 02:46:59 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /pages: No such file or directory
Jan 12 02:47:00 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /pages: No such file or directory
Jan 12 02:47:01 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /PUB: No such file or directory
Jan 12 02:47:01 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /PUB: No such file or directory
Jan 12 02:47:02 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /public: No such file or directory
Jan 12 02:47:02 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /public: No such file or directory
Jan 12 02:47:03 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /public_html: No such file or directory
Jan 12 02:47:04 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /public_html: No such file or directory
Jan 12 02:47:05 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /root: No such file or directory
Jan 12 02:47:05 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /root: No such file or directory
Jan 12 02:47:06 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /site: No such file or directory
Jan 12 02:47:07 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /site: No such file or directory
Jan 12 02:47:08 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /sites: No such file or directory
Jan 12 02:47:08 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /sites: No such file or directory
Jan 12 02:47:10 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /subdomains: No such file or directory
Jan 12 02:47:10 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /subdomains: No such file or directory
Jan 12 02:47:16 server1 pure-ftpd: ([email protected]) [NOTICE] /var/www/clients/client2/web7//web/ftpchk3.php uploaded (1692 bytes, 6.83KB/sec)
Jan 12 02:47:16 server1 pure-ftpd: ([email protected]) [NOTICE] /var/www/clients/client2/web8//web/ftpchk3.php uploaded (1692 bytes, 6.93KB/sec)
Jan 12 02:47:18 server1 pure-ftpd: ([email protected]) [NOTICE] Deleted /var/www/clients/client2/web8//web/ftpchk3.php
Jan 12 02:47:18 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /webroot: No such file or directory
Jan 12 02:47:19 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /webseiten: No such file or directory
Jan 12 02:47:19 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /website: No such file or directory
Jan 12 02:47:20 server1 pure-ftpd: ([email protected]) [NOTICE] Deleted /var/www/clients/client2/web7//web/ftpchk3.php
Jan 12 02:47:20 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /webroot: No such file or directory
Jan 12 02:47:20 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /www: No such file or directory
Jan 12 02:47:20 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /webseiten: No such file or directory
Jan 12 02:47:21 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /wwwroot: No such file or directory
Jan 12 02:47:21 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /website: No such file or directory
Jan 12 02:47:22 server1 pure-ftpd: ([email protected]) [INFO] Logout.
Jan 12 02:47:22 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /www: No such file or directory
Jan 12 02:47:22 server1 pure-ftpd: ([email protected]) [INFO] Can't change directory to /wwwroot: No such file or directory
Jan 12 02:47:23 server1 pure-ftpd: ([email protected]) [INFO] Logout.
[/CODE]

I have followed the perfect server setup, and since I was not able to connect to the FTP server with SFTP or FTPS, I assumed that it is not configured. Now I have double checked whether the config steps are intact; they are all correct and intact.
The log shows access to a website and not ISPConfig, as I guessed, so there is no breach in ISPConfig. There are several possibilities why this could have happened; the most likely ones are:

- A weak password was used.
- The password was used in an insecure environment, e.g. an internet cafe or a system which logs passwords.
- The desktop computer where the password was used has a virus or trojan.
- The same password is used for several services as well.
- The password was used over an insecure network without using TLS.

Ok, fine. Then you should take care to enable TLS in your FTP client when connecting to the server and use complex and secure passwords which aren't used for other things. And check the desktop where you use the FTP client for viruses. Regarding SFTP: SFTP is not FTP, it is SSH, so it would require adding a shell user in ISPConfig and not an FTP user. But using FTP over TLS is secure as well, so that's what I recommend you use.
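The sequence Till points out in the log above (a login, a burst of failed directory changes against common docroot names, then a PHP file uploaded and deleted again) can be picked out of a pure-ftpd verbose log automatically. This is an added example, not code from the thread, ISPConfig or pure-ftpd; the log lines inside it are constructed, with placeholder user names and documentation addresses:

```python
import re
from collections import defaultdict

# Constructed sample in pure-ftpd verbose-log format (not the thread's real log; user
# names and the 203.0.113.x / 198.51.100.x addresses are documentation placeholders).
SAMPLE_LOG = """\
Jan 12 02:46:46 server1 pure-ftpd: (client2ftpaccount5@203.0.113.5) [INFO] client2ftpaccount5 is now logged in
Jan 12 02:46:54 server1 pure-ftpd: (client2ftpaccount5@203.0.113.5) [INFO] Can't change directory to /docs: No such file or directory
Jan 12 02:46:55 server1 pure-ftpd: (client2ftpaccount5@203.0.113.5) [INFO] Can't change directory to /htdocs: No such file or directory
Jan 12 02:46:56 server1 pure-ftpd: (client2ftpaccount5@203.0.113.5) [INFO] Can't change directory to /public_html: No such file or directory
Jan 12 02:47:16 server1 pure-ftpd: (client2ftpaccount5@203.0.113.5) [NOTICE] /var/www/clients/client2/web7//web/ftpchk3.php uploaded (1692 bytes, 6.83KB/sec)
Jan 12 02:47:20 server1 pure-ftpd: (client2ftpaccount5@203.0.113.5) [NOTICE] Deleted /var/www/clients/client2/web7//web/ftpchk3.php
Jan 12 09:15:02 server1 pure-ftpd: (webmaster@198.51.100.7) [INFO] webmaster is now logged in
Jan 12 09:15:40 server1 pure-ftpd: (webmaster@198.51.100.7) [NOTICE] /var/www/clients/client1/web3//web/index.html uploaded (2048 bytes, 10.0KB/sec)
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ pure-ftpd: "
                     r"\((?P<user>[^@)]+)@(?P<ip>[^)]+)\) \[\w+\] (?P<msg>.*)$")
PROBE_RE = re.compile(r"^Can't change directory to ")
UPLOAD_RE = re.compile(r"^(?P<path>\S+) uploaded \(")
DELETE_RE = re.compile(r"^Deleted (?P<path>\S+)$")
SCRIPT_EXT = (".php", ".phtml", ".php5", ".pl", ".cgi")

def analyse(log_text, probe_threshold=3):
    """Group lines per (user, source IP) and flag the ftpchk3-style pattern: a burst of
    'Can't change directory' probes and/or a server-side script uploaded then deleted."""
    sessions = defaultdict(lambda: {"probes": 0, "uploads": [], "deleted": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a pure-ftpd session line
        s = sessions[(m["user"], m["ip"])]
        msg = m["msg"]
        if PROBE_RE.match(msg):
            s["probes"] += 1
        elif (u := UPLOAD_RE.match(msg)):
            s["uploads"].append(u["path"])
        elif (d := DELETE_RE.match(msg)):
            s["deleted"].append(d["path"])
    findings = []
    for (user, ip), s in sessions.items():
        scripts = [p for p in s["uploads"] if p.lower().endswith(SCRIPT_EXT)]
        dropped = [p for p in scripts if p in s["deleted"]]   # write-access check pattern
        if scripts and (s["probes"] >= probe_threshold or dropped):
            findings.append({"user": user, "ip": ip, "probes": s["probes"],
                             "script_uploads": scripts, "uploaded_then_deleted": dropped})
    return findings
```

`analyse(SAMPLE_LOG)` flags only the client2ftpaccount5 session; the ordinary webmaster upload of an HTML file is not reported.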
Hi @till, I assume that it's because of "The password was used over an insecure network without using TLS" and a combination of some other reasons. As mentioned in my previous post (link mentioned), I am not able to connect with FTP over TLS in FileZilla. How do I troubleshoot that? My client has been using Hostgator FTP from the same personal computer for many years now without any problems. The only difference between their FTP server and ours, as far as I can see, is TLS. So I would like to start troubleshooting from there.
@till Thanks for the help. Here is the log:

[CODE]
Status: Disconnected from server
Status: Resolving address of example.com
Status: Connecting to xx.xx.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response: 220-You are user number 5 of 50 allowed.
Response: 220-Local time is now 11:16. Server port: 21.
Response: 220-This is a private system - No anonymous login
Response: 220-IPv6 connections are also welcome on this server.
Response: 220 You will be disconnected after 15 minutes of inactivity.
Command: AUTH TLS
Error: Connection timed out after 20 seconds of inactivity
Error: Could not connect to server
Status: Waiting to retry...
Status: Resolving address of example.com
Status: Connecting to xx.xx.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response: 220-You are user number 6 of 50 allowed.
Response: 220-Local time is now 11:16. Server port: 21.
Response: 220-This is a private system - No anonymous login
Response: 220-IPv6 connections are also welcome on this server.
Response: 220 You will be disconnected after 15 minutes of inactivity.
Command: AUTH TLS
Error: Connection timed out after 20 seconds of inactivity
Error: Could not connect to server
[/CODE]
The above does not seem to be very useful, so I tested at ftptest. Here are the results:

[CODE]
Status: Resolving address of clientsite1.com
Status: Connecting to xx.xx.xxx.xxx
Warning: The entered address does not resolve to an IPv6 address.
Status: Connected, waiting for welcome message...
Reply: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Reply: 220-You are user number 2 of 50 allowed.
Reply: 220-Local time is now 12:31. Server port: 21.
Reply: 220-This is a private system - No anonymous login
Reply: 220-IPv6 connections are also welcome on this server.
Reply: 220 You will be disconnected after 15 minutes of inactivity.
Command: CLNT https://ftptest.net on behalf of yy.yyy.yyyy.yy
Reply: 530 You aren't logged in
Command: AUTH TLS
Reply: 234 AUTH TLS OK.
Status: Performing TLS handshake...
Status: TLS handshake successful, verifying certificate...
Status: Received 2 certificates from server.
Status: cert[0]: subject='CN=server1.example.com' issuer='C=US,O=Let\27s Encrypt,CN=Let\27s Encrypt Authority X3'
Status: cert[1]: subject='C=US,O=Let\27s Encrypt,CN=Let\27s Encrypt Authority X3' issuer='O=Digital Signature Trust Co.,CN=DST Root CA X3'
Command: USER client2sitename
Reply: 331 User client2sitename OK. Password required
Command: PASS ****************
Reply: 230 OK. Current restricted directory is /
Command: SYST
Reply: 215 UNIX Type: L8
Command: FEAT
Reply: 211-Extensions supported:
Reply: EPRT
Reply: IDLE
Reply: MDTM
Reply: SIZE
Reply: MFMT
Reply: REST STREAM
Reply: MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Reply: MLSD
Reply: AUTH TLS
Reply: PBSZ
Reply: PROT
Reply: UTF8
Reply: ESTA
Reply: PASV
Reply: EPSV
Reply: SPSV
Reply: ESTP
Reply: 211 End.
Command: PBSZ 0
Reply: 200 PBSZ=0
Command: PROT P
Reply: 200 Data protection level set to "private"
Command: PWD
Reply: 257 "/" is your current location
Status: Current path is /
Command: TYPE I
Reply: 200 TYPE is now 8-bit binary
Command: PASV
Reply: 227 Entering Passive Mode (45,76,177,132,58,56)
Command: MLSD
Status: Data connection established, performing TLS handshake...
Reply: 150 Accepted data connection
Status: TLS handshake successful, verifying certificate...
Status: Received 2 certificates from server.
Status: cert[0]: subject='CN=server1.example.com' issuer='C=US,O=Let\27s Encrypt,CN=Let\27s Encrypt Authority X3'
Status: cert[1]: subject='C=US,O=Let\27s Encrypt,CN=Let\27s Encrypt Authority X3' issuer='O=Digital Signature Trust Co.,CN=DST Root CA X3'
Status: TLS session of transfer connection has been resumed.
Listing: type=cdir;sizd=4096;modify=20171121094401;UNIX.mode=0755;UNIX.uid=0;UNIX.gid=0;unique=fe01ga0ea1; .
Listing: type=pdir;sizd=4096;modify=20171121094401;UNIX.mode=0755;UNIX.uid=0;UNIX.gid=0;unique=fe01ga0ea1; ..
Listing: type=dir;sizd=4096;modify=20171121094401;UNIX.mode=0700;UNIX.uid=5021;UNIX.gid=5007;unique=fe01gc0057; .ssh
Listing: type=dir;sizd=4096;modify=20171121094401;UNIX.mode=0755;UNIX.uid=5021;UNIX.gid=5007;unique=fe01gc0054; cgi-bin
Listing: type=dir;sizd=4096;modify=20180114013510;UNIX.mode=0755;UNIX.uid=0;UNIX.gid=0;unique=fe01gc0059; log
Listing: type=dir;sizd=4096;modify=20171121094401;UNIX.mode=0710;UNIX.uid=5021;UNIX.gid=5007;unique=fe01gc0058; private
Listing: type=dir;sizd=4096;modify=20171121094401;UNIX.mode=0755;UNIX.uid=0;UNIX.gid=0;unique=fe01ga0ed3; ssl
Listing: type=dir;sizd=4096;modify=20171121094401;UNIX.mode=0770;UNIX.uid=5021;UNIX.gid=5007;unique=fe01gc0055; tmp
Listing: type=dir;sizd=24576;modify=20171121100411;UNIX.mode=0711;UNIX.uid=5021;UNIX.gid=5007;unique=fe01gc0050; web
Listing: type=dir;sizd=4096;modify=20171121094401;UNIX.mode=0710;UNIX.uid=5021;UNIX.gid=5007;unique=fe01gc0056; webdav
Reply: 226-Options: -a -l
Reply: 226 10 matches total
Status: Success
[/CODE]

Results
Your server is working and assorted routers/firewalls have been correctly configured for explicit FTP over TLS as performed by this test. However there have been warnings about compatibility issues, not all users will be able to use your server. For maximum compatibility, consider resolving these warnings.

Server details
Host: clientsite1.com
Port: 21
Username: client2sitename
Password: ********
Protocol: explicit FTP over TLS
The log from ftptest looks fine, no errors and TLS is working. So maybe there is a problem with the FTP client on your server, or you use a firewall or similar software that blocks the TLS connection. Try to use a different FTP client on your desktop, e.g. the FireFTP plugin for the Firefox browser.