Dissecting the Hack - psychz.net

For some background you may want to read the Original Story leading to this write up.

The first thing that caught my attention was that Logwatch reported login failures in the order of thousands from unassigned.psychz.net, without an accompanying fail2ban email notifying me that the offender had been banned.

This, as it would turn out, was because the attack was clearly intended to defeat such protection methods. The reason is the logged host, unassigned.psychz.net: when the authentication failure is logged, vsftpd makes a reverse lookup to resolve the client address, the PTR record returns unassigned.psychz.net, and that name is what gets written into the log.

fail2ban then uses a regex to extract the host from the log and attempts a forward lookup on unassigned.psychz.net (which requires an A or CNAME record) to resolve the IP address and ban the offending IP. This is where things go awry.

psychz.net maintains their own DNS servers. These provide a PTR record but no A/CNAME record, so fail2ban cannot resolve an IP and the attacking IP is left to run its attack unhindered; see this log file: fail2ban name resolution failure log

The only way, therefore, to obtain the attacking IP was to match the FTP connection times to those of the reported login failures, using iptables to log all accesses to FTP. A quick count of connecting IPs can then be had with:

grep kernel /var/log/messages | awk '{print $9}' | sed 's/SRC=//' | sort | uniq -c | sort -n

A complete log can be found here: iptables.log, and a whois can be found here: whois.txt
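The two halves of the story above, the forward lookup that fails because the logged name has only a PTR record, and the fallback of counting and correlating iptables LOG entries by time, can be reproduced offline. The following is an added example, not code from the original post or from fail2ban; the syslog/PAM lines, the kernel LOG lines (with an assumed "FTP-IN" prefix and documentation-range addresses) and the resolver that models a PTR-only zone are all constructed here. The root-cause fix is to log addresses rather than names (vsftpd's reverse_lookup_enable=NO); fail2ban's usedns setting controls whether it trusts logged hostnames at all.

```python
import re
import socket
from collections import Counter
from datetime import datetime

# Constructed sample (not from the original post): PAM authentication failures as
# syslog carries them when the FTP daemon reverse-resolves the client and logs the
# PTR name rather than the address. One entry logs a plain IP for contrast.
AUTH_LOG = """\
Jul 26 10:15:01 ftp1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=unassigned.psychz.net user=admin
Jul 26 10:15:03 ftp1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=unassigned.psychz.net user=test
Jul 26 10:15:05 ftp1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=ftp rhost=unassigned.psychz.net user=ftp
Jul 26 10:15:40 ftp1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=root rhost=203.0.113.7 user=root
"""

# Constructed sample: kernel LOG-target entries for port 21 over the same minutes.
# The "FTP-IN" log prefix is assumed; addresses are from documentation ranges.
IPTABLES_LOG = """\
Jul 26 10:14:30 ftp1 kernel: FTP-IN IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=40001 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 26 10:15:01 ftp1 kernel: FTP-IN IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51000 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 26 10:15:03 ftp1 kernel: FTP-IN IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51001 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 26 10:15:05 ftp1 kernel: FTP-IN IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51002 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 26 10:15:40 ftp1 kernel: FTP-IN IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=60010 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 26 10:16:10 ftp1 kernel: FTP-IN IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=40002 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
"""

SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})")
RHOST_RE = re.compile(r"\brhost=(?P<host>\S+)")          # what a fail2ban-style filter captures
SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")  # what the awk/sed pipeline extracts
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_ts(line):
    """Syslog timestamps carry no year; strptime defaults to 1900, fine for same-day deltas."""
    m = SYSLOG_TS.match(line)
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S") if m else None


def resolve(host, resolver=socket.gethostbyname):
    """Forward-resolve a logged host the way a name-based banner must.
    Returns None when the name has no A/CNAME record: the failure mode in the post."""
    if IPV4_RE.match(host):
        return host
    try:
        return resolver(host)
    except OSError:  # socket.gaierror is a subclass of OSError
        return None


def offline_resolver(host):
    """Stand-in for socket.gethostbyname so the demo runs offline (constructed):
    models a zone that publishes PTR records only, so every forward lookup fails."""
    forward_records = {}  # no A/CNAME records for any name in the sample log
    if host in forward_records:
        return forward_records[host]
    raise socket.gaierror(-2, "Name or service not known")


def ban_candidates(auth_log, resolver=socket.gethostbyname):
    """Split logged failures into bannable IPs and hosts that could not be resolved."""
    banned, unresolved = Counter(), Counter()
    for line in auth_log.splitlines():
        m = RHOST_RE.search(line)
        if not m:
            continue
        ip = resolve(m.group("host"), resolver)
        if ip:
            banned[ip] += 1
        else:
            unresolved[m.group("host")] += 1   # never banned: no IP to act on
    return banned, unresolved


def count_sources(iptables_log):
    """Per-source connection counts from LOG entries (what the shell pipeline does)."""
    return Counter(ip for line in iptables_log.splitlines() for ip in SRC_RE.findall(line))


def correlate(auth_log, iptables_log, resolver=socket.gethostbyname, window_seconds=1):
    """For failures whose host cannot be resolved, count the SRC addresses seen within
    window_seconds of each failure. The top entry is the likely source; the others are
    noise from clients that happened to connect at the same time."""
    failures = []
    for line in auth_log.splitlines():
        m = RHOST_RE.search(line)
        if m and resolve(m.group("host"), resolver) is None and parse_ts(line):
            failures.append(parse_ts(line))
    connections = [(parse_ts(line), ip) for line in iptables_log.splitlines()
                   for ip in SRC_RE.findall(line) if parse_ts(line)]
    hits = Counter()
    for fail_ts in failures:
        for conn_ts, ip in connections:
            if abs((conn_ts - fail_ts).total_seconds()) <= window_seconds:
                hits[ip] += 1
    return hits


if __name__ == "__main__":
    banned, unresolved = ban_candidates(AUTH_LOG, offline_resolver)
    print("bannable:", dict(banned))
    print("unresolved, never banned:", dict(unresolved))
    print("connections per source:", count_sources(IPTABLES_LOG).most_common())
    print("likely source of the failures:", correlate(AUTH_LOG, IPTABLES_LOG, offline_resolver).most_common(1))
```

Run against real files, pass `socket.gethostbyname` (the default) instead of `offline_resolver`; the correlation window is deliberately narrow, because widening it pulls in unrelated clients, which is why the raw per-source count and the time-correlated count are reported separately.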

Disclosure steps taken:

  1. 26/07/10 psychz support informed given deadline of 09/08/10 for resolution
  2. Same day standard reply of “thanks for contacting support we are looking into this” …
  3. 27/07/0 Attacks continue; network black-holed as a result:
    iptables -A INPUT -s -j DROP
  4. 09/08/10 deadline passes without update
  5. 25/08/10 this blog post published