How do I block this?


dclardy
11th January 2010, 20:27
How can I block these attacks?

Jan 11 13:23:24 server pure-ftpd: (?@205.244.148.43) [INFO] PAM_RHOST enabled. Getting the peer address
Jan 11 13:23:26 server pure-ftpd: (?@205.244.148.43) [INFO] New connection from 205.244.148.43
Jan 11 13:23:27 server pure-ftpd: (?@205.244.148.43) [INFO] PAM_RHOST enabled. Getting the peer address
Jan 11 13:23:29 server pure-ftpd: (?@205.244.148.43) [WARNING] Authentication failed for user [tsinternetuser]
Jan 11 13:23:32 server pure-ftpd: (?@205.244.148.43) [INFO] PAM_RHOST enabled. Getting the peer address
Jan 11 13:23:34 server pure-ftpd: (?@205.244.148.43) [WARNING] Authentication failed for user [tsinternetuser]
Jan 11 13:23:43 server pure-ftpd: (?@205.244.148.43) [INFO] PAM_RHOST enabled. Getting the peer address
Jan 11 13:23:45 server pure-ftpd: (?@205.244.148.43) [WARNING] Authentication failed for user [tsinternetuser]
Jan 11 13:23:56 server pure-ftpd: (?@205.244.148.43) [INFO] PAM_RHOST enabled. Getting the peer address
Jan 11 13:23:58 server pure-ftpd: (?@205.244.148.43) [WARNING] Authentication failed for user [tsinternetuser]
Jan 11 13:24:12 server pure-ftpd: (?@205.244.148.43) [INFO] PAM_RHOST enabled. Getting the peer address
Jan 11 13:24:14 server pure-ftpd: (?@205.244.148.43) [WARNING] Authentication failed for user [tsinternetuser]
Jan 11 13:24:30 server pure-ftpd: (?@205.244.148.43) [INFO] PAM_RHOST enabled. Getting the peer address
Jan 11 13:24:32 server pure-ftpd: (?@205.244.148.43) [INFO] New connection from 205.244.148.43
Jan 11 13:24:32 server pure-ftpd: (?@205.244.148.43) [INFO] PAM_RHOST enabled. Getting the peer address
Jan 11 13:24:35 server pure-ftpd: (?@205.244.148.43) [WARNING] Authentication failed for user [tsinternetuser]
Jan 11 13:24:41 server pure-ftpd: (?@205.244.148.43) [INFO] PAM_RHOST enabled. Getting the peer address
Jan 11 13:24:42 server pure-ftpd: (?@205.244.148.43) [WARNING] Authentication failed for user [tsinternetuser]
Jan 11 13:24:50 server pure-ftpd: (?@205.244.148.43) [INFO] PAM_RHOST enabled. Getting the peer address
Jan 11 13:24:58 server pure-ftpd: (?@205.244.148.43) [WARNING] Authentication failed for user [tsinternetuser]

HyperAtom
11th January 2010, 20:59
Use fail2ban

dclardy
11th January 2010, 21:01
What is the configuration method needed? What do I enable?

HyperAtom
11th January 2010, 21:07
Install fail2ban

/etc/fail2ban/jail.conf

#
# FTP servers
#

[pure-ftpd]

enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/messages
maxretry = 3

/etc/fail2ban/filter.d/pure-ftpd.conf

failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$

Restart your fail2ban

sergio.morales
13th December 2010, 06:03
Has someone been trying to exploit something I have left open? I am getting this message on my box . . .

Dec 12 23:56:36 server1 pure-ftpd: (?@74.113.89.114) [INFO] New connection from 74.113.89.114
Dec 12 23:56:36 server1 pure-ftpd: (?@74.113.89.114) [INFO] PAM_RHOST enabled. Getting the peer address
Dec 12 23:56:40 server1 pure-ftpd: (?@74.113.89.114) [WARNING] Authentication failed for user [Administrator]
Dec 12 23:56:40 server1 pure-ftpd: (?@74.113.89.114) [INFO] PAM_RHOST enabled. Getting the peer address
Dec 12 23:56:44 server1 pure-ftpd: (?@74.113.89.114) [WARNING] Authentication failed for user [Administrator]
Dec 12 23:56:44 server1 pure-ftpd: (?@74.113.89.114) [INFO] PAM_RHOST enabled. Getting the peer address
Dec 12 23:56:52 server1 pure-ftpd: (?@74.113.89.114) [WARNING] Authentication failed for user [Administrator]
Dec 12 23:56:53 server1 pure-ftpd: (?@74.113.89.114) [INFO] PAM_RHOST enabled. Getting the peer address
Dec 12 23:56:53 server1 pure-ftpd: (?@74.113.89.114) [WARNING] Authentication failed for user [Administrator]
Dec 12 23:56:53 server1 pure-ftpd: (?@74.113.89.114) [INFO] PAM_RHOST enabled. Getting the peer address
Dec 12 23:57:05 server1 pure-ftpd: (?@74.113.89.114) [WARNING] Authentication failed for user [Administrator]
Dec 12 23:57:05 server1 pure-ftpd: (?@74.113.89.114) [INFO] PAM_RHOST enabled. Getting the peer address
Dec 12 23:57:10 server1 pure-ftpd: (?@74.113.89.114) [WARNING] Authentication failed for user [Administrator]
Dec 12 23:57:10 server1 pure-ftpd: (?@74.113.89.114) [INFO] PAM_RHOST enabled. Getting the peer address
Dec 12 23:57:20 server1 pure-ftpd: (?@74.113.89.114) [WARNING] Authentication failed for user [Administrator]
Dec 12 23:57:20 server1 pure-ftpd: (?@74.113.89.114) [INFO] PAM_RHOST enabled. Getting the peer address
Dec 12 23:57:28 server1 pure-ftpd: (?@74.113.89.114) [WARNING] Authentication failed for user [Administrator]
Dec 12 23:57:28 server1 pure-ftpd: (?@74.113.89.114) [INFO] PAM_RHOST enabled. Getting the peer address
Dec 12 23:57:39 server1 pure-ftpd: (?@74.113.89.114) [WARNING] Authentication failed for user [Administrator]
Dec 12 23:57:39 server1 pure-ftpd: (?@74.113.89.114) [INFO] PAM_RHOST enabled. Getting the peer address

falko
14th December 2010, 16:37
I guess someone is trying to log into your FTP account. You should install fail2ban to block these attempts.

sergio.morales
14th December 2010, 22:16
I got fail2ban installed, but I am seeing a line already in this file:

/etc/fail2ban/filter.d/pure-ftpd.conf

similar to the one in this link. This is what it states:

failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$

It is slightly different . . . should I leave it in or remove it and replace it?

Serge

falko
15th December 2010, 16:55
If you don't see any errors in the fail2ban log in the /var/log/ directory, leave it as it is.
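Added example, not code from this thread or from fail2ban itself: a small Python re-implementation of the jail and filter logic HyperAtom posted (maxretry, the failregex, the `<HOST>` placeholder), run over constructed log lines in the shape of the ones posted above, to show which host the pure-ftpd jail would ban and how the two failregex endings from the two posts (bare `$` versus `\s*$`) differ. The `__errmsg` value, the `<HOST>` expansion and the sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Filter templates as posted in the thread: the first from HyperAtom's post,
# the second the packaged variant sergio.morales found ending in "\s*$".
FAILREGEX_STRICT = r"pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$"
FAILREGEX_LOOSE = r"pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$"
# __errmsg lives elsewhere in the real filter file and is not on the page;
# this ASSUMED value covers only the message visible in the posted logs.
ERRMSG = r"Authentication failed for user"
# Simplified stand-in for the pattern fail2ban substitutes for <HOST> (assumption).
HOST_RE = r"(?P<host>[\w\-.^_]*\w)"

# Constructed sample lines in the same shape as the posted logs; the third
# failure deliberately carries trailing spaces to show what "\s*$" tolerates.
SAMPLE_LOG = [
    "Jan 11 13:23:26 server pure-ftpd: (?@205.244.148.43) [INFO] New connection from 205.244.148.43",
    "Jan 11 13:23:29 server pure-ftpd: (?@205.244.148.43) [WARNING] Authentication failed for user [tsinternetuser]",
    "Jan 11 13:23:34 server pure-ftpd: (?@205.244.148.43) [WARNING] Authentication failed for user [tsinternetuser]",
    "Jan 11 13:23:45 server pure-ftpd: (?@205.244.148.43) [WARNING] Authentication failed for user [tsinternetuser]" + "   ",
    "Jan 11 13:30:00 server pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [alice]",
    "Jan 11 13:30:05 server pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [alice]",
]

def compile_failregex(template):
    """Expand %(__errmsg)s and <HOST> the way fail2ban's filter config does."""
    expanded = template % {"__errmsg": ERRMSG}
    return re.compile(expanded.replace("<HOST>", HOST_RE))

def parse_ts(line, year=2010):
    """Syslog stamps carry no year, so one is supplied (2010 matches the thread)."""
    return datetime.strptime("%d %s" % (year, line[:15]), "%Y %b %d %H:%M:%S")

def failures_per_host(log_lines, template):
    """Map host -> sorted timestamps of lines the failregex matches (re.search, as fail2ban does)."""
    rx = compile_failregex(template)
    found = defaultdict(list)
    for line in log_lines:
        m = rx.search(line)
        if m:
            found[m.group("host")].append(parse_ts(line))
    return {host: sorted(times) for host, times in found.items()}

def hosts_to_ban(log_lines, template, maxretry=3, findtime=600):
    """Hosts with at least maxretry matches inside any findtime-second window (jail semantics)."""
    banned = set()
    for host, times in failures_per_host(log_lines, template).items():
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(host)
                break
    return banned
```

With the sample above, only the `\s*$` variant sees all three failures from 205.244.148.43 and bans it; 192.0.2.10 stays under maxretry either way.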