Brute forcing attempts for sftp access?
-
wrote on Apr 20, 2024, 3:25 PM last edited by girish Apr 21, 2024, 2:44 PM
I'm trying to get sftp working, and since I don't succeed (seems like I can't figure out what password to use), I had a look at the log file.
Seems like there are a lot of brute force attempts going on. Is this a concern? Is Cloudron expected to add the IPs to a block list or similar?
2024-04-20T00:01:25.000Z 2024-04-20 00:01:25,325 sftp proftpd[95174] 0.0.0.0 (101.42.49.98[101.42.49.98]): SSH2 session closed.
2024-04-20T00:01:25.000Z 2024-04-20 00:01:25,590 sftp proftpd[95175] 0.0.0.0 (101.42.49.98[101.42.49.98]): mod_delay/0.7: no DelayOnEvent rules configured with "DelayTable none" in effect, disabling module
<27>1 2024-04-20T00:01:25Z thoco sftp 1182875 sftp - 2024-04-20 00:01:25,590 sftp proftpd[95175] 0.0.0.0 (101.42.49.98[101.42.49.98]): SSH2 session opened.
2024-04-20T00:01:25.000Z 2024-04-20 00:01:25,590 sftp proftpd[95175] 0.0.0.0 (101.42.49.98[101.42.49.98]): mod_ldap/2.9.5: LDAPGroups not configured, skipping LDAP-based group memberships
2024-04-20T00:01:27.000Z 101.42.49.98 UNKNOWN - [20/Apr/2024:00:01:27 +0000] "USER root" 331 -
2024-04-20T00:01:28.000Z 101.42.49.98 UNKNOWN - [20/Apr/2024:00:01:28 +0000] "USER root" 331 -
2024-04-20T00:01:29.000Z 2024-04-20 00:01:29,342 sftp proftpd[95175] 0.0.0.0 (101.42.49.98[101.42.49.98]): USER root (Login failed): Incorrect password
<27>1 2024-04-20T00:01:29Z thoco sftp 1182875 sftp - 101.42.49.98 UNKNOWN - [20/Apr/2024:00:01:29 +0000] "PASS (hidden)" 530 -
2024-04-20T00:01:30.000Z 2024-04-20 00:01:30,084 sftp proftpd[95175] 0.0.0.0 (101.42.49.98[101.42.49.98]): SSH2 session closed.
2024-04-20T00:01:30.000Z 2024-04-20 00:01:30,522 sftp proftpd[95176] 0.0.0.0 (101.42.49.98[101.42.49.98]): mod_ldap/2.9.5: LDAPGroups not configured, skipping LDAP-based group memberships
2024-04-20T00:01:30.000Z 2024-04-20 00:01:30,523 sftp proftpd[95176] 0.0.0.0 (101.42.49.98[101.42.49.98]): mod_delay/0.7: no DelayOnEvent rules configured with "DelayTable none" in effect, disabling module
<27>1 2024-04-20T00:01:30Z thoco sftp 1182875 sftp - 2024-04-20 00:01:30,523 sftp proftpd[95176] 0.0.0.0 (101.42.49.98[101.42.49.98]): SSH2 session opened.
-
wrote on Apr 20, 2024, 10:51 PM last edited by
I think fail2ban is needed for that https://docs.cloudron.io/security/#fail2ban
-
@thoresson said in Brute forcing attempts for sftp access?:
I'm trying to get sftp working, and since I don't succeed (seems like I can't figure out what password to use), I had a look at the log file.
Have you seen https://docs.cloudron.io/apps/#sftp-access already?
-
wrote on Apr 21, 2024, 4:24 PM last edited by
Any reason fail2ban isn’t on by default?
-
@thoresson Cloudron doesn't use fail2ban. Fail2ban reads and parses app logs. Integrating fail2ban with docker based file logging (sftp runs in docker) is quite brittle.
Cloudron has some hardcoded rate limits - https://docs.cloudron.io/security/#rate-limits. At some point we will move SFTP login to be key based instead of the current password based. sftpgo also has some interesting innovations where it supports OIDC, so we might switch to that even.
-
wrote on Apr 21, 2024, 7:56 PM last edited by thoresson Apr 21, 2024, 7:57 PM
So the best option for now is just letting them knock on the door? And perhaps check the logs every now and then and add IPs from there to the blacklist?
-
@thoresson yes. If you have a Cloud firewall, you can also whitelist just your IP for port 222.
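To make the "check the logs every now and then and add IPs to the blocklist" routine less manual, here is an added example (not Cloudron's code and not from anyone in this thread) that parses proftpd "Login failed" lines in the format the OP quoted and reports source IPs that cross a failure threshold inside a sliding time window; the sample log is constructed for this example with RFC 5737 documentation addresses, and the threshold and window are assumed values you would tune to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of the Cloudron sftp log (203.0.113.x and
# 198.51.100.x are RFC 5737 documentation ranges, not real hosts).
SAMPLE_LOG = """\
2024-04-20 00:01:25,590 sftp proftpd[95175] 0.0.0.0 (203.0.113.5[203.0.113.5]): SSH2 session opened.
2024-04-20 00:01:29,342 sftp proftpd[95175] 0.0.0.0 (203.0.113.5[203.0.113.5]): USER root (Login failed): Incorrect password
<27>1 2024-04-20T00:01:29Z thoco sftp 1182875 sftp - 203.0.113.5 UNKNOWN - [20/Apr/2024:00:01:29 +0000] "PASS (hidden)" 530 -
2024-04-20 00:01:34,101 sftp proftpd[95176] 0.0.0.0 (203.0.113.5[203.0.113.5]): USER admin (Login failed): Incorrect password
<27>1 2024-04-20T00:01:40Z thoco sftp 1182875 sftp - 2024-04-20 00:01:40,220 sftp proftpd[95177] 0.0.0.0 (203.0.113.5[203.0.113.5]): USER root (Login failed): Incorrect password
2024-04-20 00:01:45,007 sftp proftpd[95178] 0.0.0.0 (203.0.113.5[203.0.113.5]): USER root (Login failed): Incorrect password
2024-04-20 00:01:51,330 sftp proftpd[95179] 0.0.0.0 (203.0.113.5[203.0.113.5]): USER test (Login failed): Incorrect password
2024-04-20 00:03:02,412 sftp proftpd[95180] 0.0.0.0 (198.51.100.7[198.51.100.7]): USER root (Login failed): Incorrect password
"""

# Count only the proftpd "Login failed" line; the "USER" 331 / "PASS" 530 lines describe the same attempt.
FAILED_LOGIN = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} sftp proftpd\[\d+\] \S+ "
    r"\((?P<ip>[\d.]+)\[[\d.]+\]\): USER (?P<user>\S+) \(Login failed\)"
)

def parse_failed_logins(lines):
    """Return a list of (timestamp, ip, user) for every failed-login line."""
    events = []
    for line in lines:
        m = FAILED_LOGIN.search(line)  # search() tolerates the syslog/docker prefixes
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"]))
    return events

def offending_ips(lines, threshold=5, window_seconds=600):
    """Map ip -> total failures for IPs with >= threshold failures in any window."""
    window = timedelta(seconds=window_seconds)  # assumed defaults: 5 failures in 10 min
    by_ip = defaultdict(list)
    for ts, ip, _ in parse_failed_logins(lines):
        by_ip[ip].append(ts)
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(times)
                break
    return hits
```

Feed it the real log (for example the output of the Cloudron app log export) and review the returned IPs before adding them to the blocklist, so a locked-out legitimate user is not blocked by mistake.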