Brute forcing attempts for sftp access?
-
I'm trying to get sftp working, and since I don't succeed (seems like I can't figure out what password to use), I had a look at the log file.
Seems like there are a lot of brute force attempts going on. Is this a concern? Is Cloudron expected to add the IPs to a block list or similar?
2024-04-20T00:01:25.000Z 2024-04-20 00:01:25,325 sftp proftpd[95174] 0.0.0.0 (101.42.49.98[101.42.49.98]): SSH2 session closed.
2024-04-20T00:01:25.000Z 2024-04-20 00:01:25,590 sftp proftpd[95175] 0.0.0.0 (101.42.49.98[101.42.49.98]): mod_delay/0.7: no DelayOnEvent rules configured with "DelayTable none" in effect, disabling module
<27>1 2024-04-20T00:01:25Z thoco sftp 1182875 sftp - 2024-04-20 00:01:25,590 sftp proftpd[95175] 0.0.0.0 (101.42.49.98[101.42.49.98]): SSH2 session opened.
2024-04-20T00:01:25.000Z 2024-04-20 00:01:25,590 sftp proftpd[95175] 0.0.0.0 (101.42.49.98[101.42.49.98]): mod_ldap/2.9.5: LDAPGroups not configured, skipping LDAP-based group memberships
2024-04-20T00:01:27.000Z 101.42.49.98 UNKNOWN - [20/Apr/2024:00:01:27 +0000] "USER root" 331 -
2024-04-20T00:01:28.000Z 101.42.49.98 UNKNOWN - [20/Apr/2024:00:01:28 +0000] "USER root" 331 -
2024-04-20T00:01:29.000Z 2024-04-20 00:01:29,342 sftp proftpd[95175] 0.0.0.0 (101.42.49.98[101.42.49.98]): USER root (Login failed): Incorrect password
<27>1 2024-04-20T00:01:29Z thoco sftp 1182875 sftp - 101.42.49.98 UNKNOWN - [20/Apr/2024:00:01:29 +0000] "PASS (hidden)" 530 -
2024-04-20T00:01:30.000Z 2024-04-20 00:01:30,084 sftp proftpd[95175] 0.0.0.0 (101.42.49.98[101.42.49.98]): SSH2 session closed.
2024-04-20T00:01:30.000Z 2024-04-20 00:01:30,522 sftp proftpd[95176] 0.0.0.0 (101.42.49.98[101.42.49.98]): mod_ldap/2.9.5: LDAPGroups not configured, skipping LDAP-based group memberships
2024-04-20T00:01:30.000Z 2024-04-20 00:01:30,523 sftp proftpd[95176] 0.0.0.0 (101.42.49.98[101.42.49.98]): mod_delay/0.7: no DelayOnEvent rules configured with "DelayTable none" in effect, disabling module
<27>1 2024-04-20T00:01:30Z thoco sftp 1182875 sftp - 2024-04-20 00:01:30,523 sftp proftpd[95176] 0.0.0.0 (101.42.49.98[101.42.49.98]): SSH2 session opened.
-
I think fail2ban is needed for that https://docs.cloudron.io/security/#fail2ban
-
@thoresson said in Brute forcing attempts for sftp access?:
I'm trying to get sftp working, and since I don't succeed (seems like I can't figure out what password to use), I had a look at the log file.
Have you seen https://docs.cloudron.io/apps/#sftp-access already?
-
@thoresson Cloudron doesn't use fail2ban. Fail2ban reads and parses app logs. Integrating fail2ban with docker based file logging (sftp runs in docker) is quite brittle.
Cloudron has some hardcoded rate limits - https://docs.cloudron.io/security/#rate-limits . At some point we will move SFTP login to be key based instead of the current password based. sftpgo also has some interesting innovations where it supports OIDC, so we might switch to that even.
-
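The thread asks whether the repeated "USER root (Login failed)" lines are a concern and notes that Cloudron relies on its own rate limits rather than fail2ban. As an added example (not Cloudron's code and not anything from the original posts), the script below does the kind of counting a fail2ban filter would do over the proftpd/mod_sftp log format shown above: it picks out only the "(Login failed)" lines, groups them per source IP, and flags an IP once it has reached a threshold of failures inside a sliding time window. The sample log lines are constructed for this example (RFC 5737 documentation addresses, made-up PIDs and times, UTC assumed); the maxretry and findtime names and their default values are chosen here, borrowing fail2ban's vocabulary, and are not Cloudron settings. Note that each failed password attempt in the posted log also produces a separate TransferLog-style line ("PASS (hidden)" 530); counting only the "Login failed" line avoids double-counting one attempt as two.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines modelled on the proftpd/mod_sftp format quoted in the
# thread. IPs, PIDs, usernames and timestamps are made up for this example.
SAMPLE_LOG = """\
2024-04-20 00:01:25,590 sftp proftpd[95175] 0.0.0.0 (203.0.113.10[203.0.113.10]): SSH2 session opened.
2024-04-20 00:01:29,342 sftp proftpd[95175] 0.0.0.0 (203.0.113.10[203.0.113.10]): USER root (Login failed): Incorrect password
2024-04-20 00:01:30,084 sftp proftpd[95175] 0.0.0.0 (203.0.113.10[203.0.113.10]): SSH2 session closed.
2024-04-20 00:01:34,100 sftp proftpd[95176] 0.0.0.0 (203.0.113.10[203.0.113.10]): USER admin (Login failed): Incorrect password
2024-04-20 00:01:39,200 sftp proftpd[95177] 0.0.0.0 (203.0.113.10[203.0.113.10]): USER root (Login failed): Incorrect password
2024-04-20 00:01:44,300 sftp proftpd[95178] 0.0.0.0 (203.0.113.10[203.0.113.10]): USER test (Login failed): Incorrect password
2024-04-20 00:01:49,400 sftp proftpd[95179] 0.0.0.0 (203.0.113.10[203.0.113.10]): USER root (Login failed): Incorrect password
2024-04-20 00:02:10,000 sftp proftpd[95180] 0.0.0.0 (198.51.100.7[198.51.100.7]): USER alice (Login failed): Incorrect password
2024-04-20 00:02:40,000 sftp proftpd[95181] 0.0.0.0 (198.51.100.7[198.51.100.7]): USER alice (Login failed): Incorrect password
2024-04-20 01:30:00,000 sftp proftpd[95300] 0.0.0.0 (203.0.113.10[203.0.113.10]): USER root (Login failed): Incorrect password
"""

# Only the mod_sftp "(Login failed)" line is matched. The "PASS (hidden)" 530
# TransferLog line for the same attempt is deliberately ignored to avoid
# counting one attempt twice.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} sftp proftpd\[\d+\] "
    r"\S+ \((?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]\): USER (?P<user>\S+) \(Login failed\)"
)


def parse_failures(text):
    """Return a list of (timestamp, source_ip, username) for each failed login."""
    events = []
    for line in text.splitlines():
        m = FAILED_LOGIN.match(line)
        if not m:
            continue
        # The proftpd line carries no zone; UTC is assumed here (the wrapper
        # timestamps in the thread's log end in Z).
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append((ts, m.group("ip"), m.group("user")))
    return events


def find_bruteforcers(events, maxretry=5, findtime=timedelta(minutes=10)):
    """Sliding-window rule: an IP is flagged at the moment it reaches
    maxretry failures within findtime. Returns {ip: time_flagged}.
    maxretry/findtime are arbitrary defaults for this example."""
    window = defaultdict(list)  # ip -> timestamps of recent failures
    flagged = {}
    for ts, ip, _user in sorted(events):
        recent = window[ip]
        recent.append(ts)
        # Drop failures that have aged out of the window.
        while recent and ts - recent[0] > findtime:
            recent.pop(0)
        if len(recent) >= maxretry and ip not in flagged:
            flagged[ip] = ts
    return flagged


def usernames_tried(events):
    """Distinct usernames attempted per IP; many names from one IP is the
    signature of a credential-guessing sweep rather than a forgotten password."""
    seen = defaultdict(set)
    for _ts, ip, user in events:
        seen[ip].add(user)
    return {ip: sorted(users) for ip, users in seen.items()}


if __name__ == "__main__":
    evts = parse_failures(SAMPLE_LOG)
    for ip, when in find_bruteforcers(evts).items():
        print(f"{ip} flagged at {when.isoformat()} after trying {usernames_tried(evts)[ip]}")
```

Run against the constructed sample, 203.0.113.10 is flagged on its fifth failure at 00:01:49 (the later failure at 01:30 is outside the window and would start a fresh count), while 198.51.100.7 with two failures in the window stays below the threshold. On a Cloudron host the equivalent lines come out of the sftp container's logs, which is exactly the log source the reply above describes as awkward to wire into fail2ban.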