Have I Been Hacked?
Dedicated MacNNer
Join Date: May 2002
Location: Brooklyn, NY
Hello,
I run a web/file/ftp/mail server on OS 10.2.6. I'm sort of new at this. I was browsing my system.log file and came across these three lines:
Oct 3 03:38:04 Gregorian-B-140 xinetd[353]: START: ftp pid=1366 from=172.190.174.80
Oct 3 11:53:04 Gregorian-B-140 xinetd[353]: START: ftp pid=1392 from=81.50.105.99
Oct 4 01:32:59 Gregorian-B-140 xinetd[353]: START: ftp pid=1433 from=172.176.228.16
I'm Gregorian-B-140. I have no idea who 81.50.105.99, 172.190.174.80 and 172.176.228.16 are. What does "START: ftp pid=1366" mean? Does it mean they tried to connect to my ftp server? Do programs like snort tell me when things like this happen? It seems like there'd be an easier way to find out about failed login attempts than browsing logs.
Nervously Yours,
Gabe
Senior User
Join Date: Jan 2000
The START lines just mean someone tried to connect. Those IP addresses resolve to ACBEAE50.ipt.aol.com, ABordeaux-103-1-22-99.w81-50.abo.wanadoo.fr and ACB0E410.ipt.aol.com. If you see EXIT log messages, it means they were on. Check /var/log/secure.log to see if there are authentication failure messages.
I recommend stopping use of ftp anyway: all passwords are cleartext and can easily be sniffed. Use sftp instead.
Dedicated MacNNer
Join Date: May 2002
Location: Brooklyn, NY
Hey,
Thanks for the reply. Here's what I have in /var/log/secure.log:
Jul 1 21:29:21 localhost ftpd[1322]: FTP LOGIN FAILED FROM acb98f18.ipt.aol.com, anonymous
Jul 4 17:01:23 localhost ftpd[1606]: FTP LOGIN FAILED FROM adijon-101-1-2-240.w193-252.abo.wanadoo.fr, anonymous
Jul 12 22:03:24 localhost ftpd[2395]: FTP LOGIN FAILED FROM pd9520a2d.dip.t-dialin.net, user
Jul 12 22:03:24 localhost ftpd[2396]: FTP LOGIN FAILED FROM pd9520a2d.dip.t-dialin.net, user
Jul 12 22:03:25 localhost ftpd[2401]: FTP LOGIN FAILED FROM pd9520a2d.dip.t-dialin.net, guest
Jul 12 22:03:25 localhost ftpd[2402]: FTP LOGIN FAILED FROM pd9520a2d.dip.t-dialin.net, guest
Jul 12 22:03:32 localhost ftpd[2404]: FTP LOGIN FAILED FROM pd9520a2d.dip.t-dialin.net, root
Jul 12 22:03:32 localhost ftpd[2403]: FTP LOGIN FAILED FROM pd9520a2d.dip.t-dialin.net, root
Jul 26 00:28:37 localhost ftpd[3410]: FTP LOGIN FAILED FROM adijon-101-1-3-214.w217-128.abo.wanadoo.fr, anonymous
Since those are completely different dates, it means that they haven't gotten in yet? Would a program like snort make me more alert of these things? Is there a good place to learn how to use it? Or any other security software you recommend?
Thanks a lot,
Gabe
Dedicated MacNNer
Join Date: Sep 2003
Location: Pittsburgh, Pennsylvania
Originally posted by Zimwy:
Hey,
Thanks for the reply. Here's what I have in /var/log/secure.log:
Jul 1 21:29:21 localhost ftpd[1322]: FTP LOGIN FAILED FROM acb98f18.ipt.aol.com, anonymous
Jul 4 17:01:23 localhost ftpd[1606]: FTP LOGIN FAILED FROM adijon-101-1-2-240.w193-252.abo.wanadoo.fr, anonymous
Jul 12 22:03:24 localhost ftpd[2395]: FTP LOGIN FAILED FROM pd9520a2d.dip.t-dialin.net, user
Jul 12 22:03:24 localhost ftpd[2396]: FTP LOGIN FAILED FROM pd9520a2d.dip.t-dialin.net, user
Jul 12 22:03:25 localhost ftpd[2401]: FTP LOGIN FAILED FROM pd9520a2d.dip.t-dialin.net, guest
Jul 12 22:03:25 localhost ftpd[2402]: FTP LOGIN FAILED FROM pd9520a2d.dip.t-dialin.net, guest
Jul 12 22:03:32 localhost ftpd[2404]: FTP LOGIN FAILED FROM pd9520a2d.dip.t-dialin.net, root
Jul 12 22:03:32 localhost ftpd[2403]: FTP LOGIN FAILED FROM pd9520a2d.dip.t-dialin.net, root
Jul 26 00:28:37 localhost ftpd[3410]: FTP LOGIN FAILED FROM adijon-101-1-3-214.w217-128.abo.wanadoo.fr, anonymous
Since those are completely different dates, it means that they haven't gotten in yet? Would a program like snort make me more alert of these things? Is there a good place to learn how to use it? Or any other security software you recommend?
Thanks a lot,
Gabe
Looks like random people tried to connect and failed. Not a problem in itself. If you are running a public ftp server for some reason then this should be of no concern for you. If you do not intend to run an ftp server then this could be a problem.
I would recommend using scp instead of ftp. FTP sends your password over the network in clear text, so anyone sniffing the network can see it. If you are on a secured, trusted network, use it at your own discretion, but since strangers were able to connect to your box it doesn't sound like that. Scp is a file transfer protocol for ssh (secure shell); what this means is that your username/password and all your data are encrypted, so it's much safer. Another advantage of scp is that you only need to have port 22 open, which is the ssh port; scp runs over port 22. If you've never heard of it, I'd recommend doing a google on it, and turning FTP off right away. FTP has so many security holes in it you could drive a school bus through them. And patching doesn't help; it's the way the protocol was designed. It was not designed with security in mind.
Hope this helps.
Nate
Dedicated MacNNer
Join Date: May 2002
Location: Brooklyn, NY
Hi,
Thanks for the info. I actually use SCP a lot, but I had FTP up for friends who aren't so computer literate. Okay, now that I know there isn't a big current problem, I'd like to know how I can see things like this happening in much closer to real time. I've looked through other logs too and noticed people trying to run scripts on my web server that aren't there, things like that. Are there programs I can use that can email me if false logins are detected, or things like that? Any advice?
Thanks,
gabe
Dedicated MacNNer
Join Date: Jul 2002
Location: Boston, MA
Swatch should be able to handle what you are looking to monitor.
Dedicated MacNNer
Join Date: Sep 2003
Location: Pittsburgh, Pennsylvania
Originally posted by Zimwy:
Hi,
Thanks for the info. I actually use SCP a lot, but I had FTP up for friends who aren't so computer literate. Okay, now that I know there isn't a big current problem, I'd like to know how I can see things like this happening in a much more real time. I've looked through other logs too and noticed people trying to run scripts on my web server that aren't there, things like that. Are there programs I can use that can email me if false logins are detected or things like that? Any advice?
Thanks,
gabe
If you have an extra box you can put on the pipe, install a snort monitor on it. You don't need anything fancy at all: an old Mac, an old PC, even a 486 would do. All this computer does is passively monitor your network and record anything suspicious, and then you can view the results in a real-time monitor if you want. You can install the monitor on your server, but that is not advised at all. Head out to http://www.snort.org for more info. It's a very powerful program. Have fun, and let us know what you decide to do.
Nate
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Originally posted by Zimwy:
Hey,
Thanks for the reply. Here's what I have in /var/log/secure.log:
Jul 1 21:29:21 localhost ftpd[1322]: FTP LOGIN FAILED FROM acb98f18.ipt.aol.com, anonymous
Jul 4 17:01:23 localhost ftpd[1606]: FTP LOGIN FAILED FROM adijon-101-1-2-240.w193-252.abo.wanadoo.fr, anonymous
Jul 12 22:03:24 localhost ftpd[2395]: FTP LOGIN FAILED FROM pd9520a2d.dip.t-dialin.net, user
Jul 12 22:03:24 localhost ftpd[2396]: FTP LOGIN FAILED FROM pd9520a2d.dip.t-dialin.net, user
Jul 12 22:03:25 localhost ftpd[2401]: FTP LOGIN FAILED FROM pd9520a2d.dip.t-dialin.net, guest
Jul 12 22:03:25 localhost ftpd[2402]: FTP LOGIN FAILED FROM pd9520a2d.dip.t-dialin.net, guest
Jul 12 22:03:32 localhost ftpd[2404]: FTP LOGIN FAILED FROM pd9520a2d.dip.t-dialin.net, root
Jul 12 22:03:32 localhost ftpd[2403]: FTP LOGIN FAILED FROM pd9520a2d.dip.t-dialin.net, root
Jul 26 00:28:37 localhost ftpd[3410]: FTP LOGIN FAILED FROM adijon-101-1-3-214.w217-128.abo.wanadoo.fr, anonymous
Since those are completely different dates, it means that they haven't gotten in yet? Would a program like snort make me more alert of these things? Is there a good place to learn how to use it? Or any other security software you recommend?
You can simply run (in a terminal) things like:
tail -f /var/log/secure.log
tail -f /var/log/system.log
Part of your problem... and it would be a problem for configuring something like swatch... is that you need to know what to look for. In the above secure.log file you have some failed attempts to log in to your ftp server as root, as guest, and as user. Those are the only really interesting ones, as they came from the same IP and they are so close together it looks like some sort of script is doing it. Most ftp servers are set up by default to refuse root user access, and if they aren't they damn well should be.
Best solution, in my opinion, is to NOT have an ftp server running at all. Educate your users: If they are using Windows they can use WinSCP, Mac users can use MacSSH, NiftyTelnet, Fugu. See:
http://www.openssh.org/windows.html
for more info. Unix users can figure it out for themselves. You can even leave the FTP server up but all it does is return a message that tells the users where to get a proper SCP client.
If your users are just downloading stuff then you could leave it up as an anonymous server only and don't allow uploads. The bad part for them... and eventually for you, is that if they use ftp to access the server and use their userid and password, they can (and will) eventually get sniffed.
-DU-...etc...
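The two checks the thread arrives at, in code. This is an added example, not something posted in the thread: it pairs the xinetd START/EXIT lines by pid (the "if you see EXIT messages, they were on" point from the first reply) and runs the "same host, several failures within seconds, including root" test from utidjian's post over the secure.log lines Gabe pasted, which is also the kind of rule one would feed a log watcher such as swatch. The three START lines and the nine FTP LOGIN FAILED lines are the ones from the thread; the two EXIT lines are constructed for the example in xinetd's format, since the poster's log showed none. The log year (syslog stamps carry none), the 60-second window and the threshold of three failures are assumptions chosen for illustration.

```python
"""Added example: pair xinetd START/EXIT lines into sessions and flag
scripted FTP login failures in the secure.log lines posted in the thread."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: syslog timestamps carry no year; the thread dates from 2003.
LOG_YEAR = 2003

# START lines as posted in the thread; the EXIT lines are constructed here
# in xinetd's own format (the poster's excerpt contained none).
SYSTEM_LOG = """\
Oct 3 03:38:04 Gregorian-B-140 xinetd[353]: START: ftp pid=1366 from=172.190.174.80
Oct 3 03:38:09 Gregorian-B-140 xinetd[353]: EXIT: ftp status=0 pid=1366 duration=5(sec)
Oct 3 11:53:04 Gregorian-B-140 xinetd[353]: START: ftp pid=1392 from=81.50.105.99
Oct 4 01:32:59 Gregorian-B-140 xinetd[353]: START: ftp pid=1433 from=172.176.228.16
Oct 4 01:33:47 Gregorian-B-140 xinetd[353]: EXIT: ftp status=0 pid=1433 duration=48(sec)
"""

# The nine secure.log lines exactly as posted in the thread.
SECURE_LOG = """\
Jul 1 21:29:21 localhost ftpd[1322]: FTP LOGIN FAILED FROM acb98f18.ipt.aol.com, anonymous
Jul 4 17:01:23 localhost ftpd[1606]: FTP LOGIN FAILED FROM adijon-101-1-2-240.w193-252.abo.wanadoo.fr, anonymous
Jul 12 22:03:24 localhost ftpd[2395]: FTP LOGIN FAILED FROM pd9520a2d.dip.t-dialin.net, user
Jul 12 22:03:24 localhost ftpd[2396]: FTP LOGIN FAILED FROM pd9520a2d.dip.t-dialin.net, user
Jul 12 22:03:25 localhost ftpd[2401]: FTP LOGIN FAILED FROM pd9520a2d.dip.t-dialin.net, guest
Jul 12 22:03:25 localhost ftpd[2402]: FTP LOGIN FAILED FROM pd9520a2d.dip.t-dialin.net, guest
Jul 12 22:03:32 localhost ftpd[2404]: FTP LOGIN FAILED FROM pd9520a2d.dip.t-dialin.net, root
Jul 12 22:03:32 localhost ftpd[2403]: FTP LOGIN FAILED FROM pd9520a2d.dip.t-dialin.net, root
Jul 26 00:28:37 localhost ftpd[3410]: FTP LOGIN FAILED FROM adijon-101-1-3-214.w217-128.abo.wanadoo.fr, anonymous
"""

SYSLOG = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
START = re.compile(r"^START: (?P<svc>\S+) pid=(?P<pid>\d+) from=(?P<ip>\S+)")
EXIT = re.compile(r"^EXIT: (?P<svc>\S+) .*?pid=(?P<pid>\d+)")
FAILED = re.compile(r"^FTP LOGIN FAILED FROM (?P<host>\S+), (?P<user>\S+)$")


def parse_line(line):
    """Return (timestamp, program, message) for one syslog line, or None."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["prog"], m["msg"]


def ftp_sessions(system_log):
    """Pair xinetd START/EXIT by pid: a START with no EXIT is a connection
    still open (or closed outside the excerpt); a pair is a completed session."""
    sessions = {}
    for line in system_log.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "xinetd":
            continue
        ts, _, msg = parsed
        m = START.match(msg)
        if m and m["svc"] == "ftp":
            sessions[int(m["pid"])] = {"ip": m["ip"], "start": ts, "exit": None}
            continue
        m = EXIT.match(msg)
        if m and m["svc"] == "ftp" and int(m["pid"]) in sessions:
            sessions[int(m["pid"])]["exit"] = ts
    return sessions


def failed_logins(secure_log):
    """Extract (timestamp, host, user) from ftpd 'FTP LOGIN FAILED' lines."""
    out = []
    for line in secure_log.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "ftpd":
            continue
        m = FAILED.match(parsed[2])
        if m:
            out.append((parsed[0], m["host"], m["user"]))
    return out


def bursts(failures, window=timedelta(seconds=60), threshold=3):
    """Hosts with at least `threshold` failures inside a sliding `window`:
    lone failures weeks apart are noise, several from one host within seconds
    is a script. Returns {host: [users tried in the flagged window]}."""
    by_host = defaultdict(list)
    for ts, host, user in sorted(failures):
        by_host[host].append((ts, user))
    flagged = {}
    for host, events in by_host.items():
        for i in range(len(events)):
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            if j - i >= threshold:
                flagged[host] = [user for _, user in events[i:j]]
                break
    return flagged


def privileged_attempts(failures, accounts=("root",)):
    """Hosts that tried accounts an ftpd should refuse outright (root by default)."""
    return sorted({host for _, host, user in failures if user in accounts})


if __name__ == "__main__":
    for pid, s in ftp_sessions(SYSTEM_LOG).items():
        print(pid, s["ip"], "completed session" if s["exit"] else "no EXIT seen")
    fails = failed_logins(SECURE_LOG)
    print("scripted:", bursts(fails), "root tried from:", privileged_attempts(fails))
```

On the posted data the three single "anonymous" failures from AOL and Wanadoo dial-up hosts fall below the threshold, while pd9520a2d.dip.t-dialin.net is flagged for six failures in eight seconds that walk through user, guest and root. Pointing the same functions at a `tail -f` of the live files, or wiring the `bursts` rule into a swatch pattern, turns the "browse the logs by hand" problem from the first post into an alert.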
Grizzled Veteran
Join Date: Nov 2001
Location: Oregon
Turn off ftp now and change all passwords to accounts which had ftp access. Use sftp or, if you must, ftp through an ssh tunnel.
Allowing downloading via anonymous FTP, as utidjian indicated, is okay.
(Last edited by Rainy Day; Oct 9, 2003 at 02:07 AM.)
Dedicated MacNNer
Join Date: Jul 2002
Location: Boston, MA
Status:
Offline
Originally posted by utidjian:
You can simply run (in a terminal) things like:
tail -f /var/log/secure.log
tail -f /var/log/system.log
Part of your problem... and it would be a problem for configuring something like swatch... is you need to know what to look for. In the above secure.log file you have some failed attempts to log in to your ftp server as root, as guest, and as user. Those are the only really interesting ones as they came from the same IP and they are so close together it looks like some sort of script is doing it. Most ftp servers are set up by default to refuse root user access, and if they aren't they damn well should be.
Best solution, in my opinion, is to NOT have an ftp server running at all. Educate your users: If they are using Windows they can use WinSCP, Mac users can use MacSSH, NiftyTelnet, Fugu. See:
http://www.openssh.org/windows.html
for more info. Unix users can figure it out for themselves. You can even leave the FTP server up but all it does is return a message that tells the users where to get a proper SCP client.
If your users are just downloading stuff then you could leave it up as an anonymous server only and don't allow uploads. The bad part for them... and eventually for you, is that if they use ftp to access the server and use their userid and password, they can (and will) eventually get sniffed.
While I concede that scp or sftp would be a better solution from a credentials security standpoint, I don't see a whole lot of benefit in tailing logs on a console all day with a watchful eye for failed attempts. There are ways to automate this, since he/she has already displayed the insight that is needed, and most people can not sit there monitoring a single system constantly.
Moving along, ciphered versions of file transfer apps aren't always a viable solution, in that users can tend to be a bit "slow" even with comprehensive instructions. That's just the way it is; user education is a difficult venture at best. Granted, if you make one or more directories world-writable anonymously you risk DoS, but that is what quotas are for. In addition, I do not know of any current vulnerabilities in the FTP server installed in the current OS X revision, so there should not be a show-stopping root sploit out there. Of course any server daemon runs the same risk as any other as far as exploitation goes. Recent SSH sploits come to mind.
So in the end, you run the risk of being compromised as soon as you choose to provide Internet-facing services. The key is to minimize those risks as much as possible while maintaining monitoring of some sort that will show whether or not some event is occurring, or has occurred, that requires attention from the administrator.