#1  
22nd July 2010, 21:41
crypted
Pure-FTPD log floods

Every day, I have several thousand entries like the two I'm pasting here.

Code:
Jul 22 14:45:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jul 22 14:45:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Jul 22 14:50:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jul 22 14:50:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Jul 22 14:55:02 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jul 22 14:55:02 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Jul 22 15:00:02 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jul 22 15:00:02 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Jul 22 15:05:02 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jul 22 15:05:02 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Jul 22 15:10:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jul 22 15:10:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Jul 22 15:15:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jul 22 15:15:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Jul 22 15:20:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jul 22 15:20:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Jul 22 15:25:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jul 22 15:25:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.

Code:
Jul 22 12:33:36 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordon]
Jul 22 12:33:36 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41                
Jul 22 12:33:36 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address       
Jul 22 12:33:37 my pure-ftpd: (?@173.224.217.41) [INFO] Logout.
Jul 22 12:33:38 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordoncom]
Jul 22 12:33:38 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41                
Jul 22 12:33:38 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address
Jul 22 12:33:40 my pure-ftpd: (?@173.224.217.41) [INFO] Logout.
Jul 22 12:33:41 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordon]
Jul 22 12:33:41 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41                
Jul 22 12:33:41 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address
Jul 22 12:33:43 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordoncom]
Jul 22 12:33:43 my pure-ftpd: (?@173.224.217.41) [INFO] Logout.
Jul 22 12:33:43 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41             
Jul 22 12:33:43 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address       
Jul 22 12:33:45 my pure-ftpd: (?@173.224.217.41) [INFO] Logout.
Jul 22 12:33:45 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordon]   
Jul 22 12:33:45 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41         
Jul 22 12:33:46 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address       
Jul 22 12:33:47 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordoncom]
Jul 22 12:33:47 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41
Jul 22 12:33:47 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address       
Jul 22 12:33:48 my pure-ftpd: (?@173.224.217.41) [INFO] Logout.
Jul 22 12:33:49 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordon]
Jul 22 12:33:50 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41
Jul 22 12:33:50 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address       
Jul 22 12:33:51 my pure-ftpd: (?@173.224.217.41) [INFO] Logout.
Not sure about the localhost IP address, but this other one just keeps flooding the server trying to connect.

How would one stop this?

I installed fail2ban and whatever else according to the Debian Lenny guide a few months ago.
  #2  
22nd July 2010, 22:15
till

Quote:
Not sure about the localhost IP address
That's ok and as it should be. It is the automatic system check which verifies every 5 minutes that the services are online.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
22nd July 2010, 22:24
crypted

How about handling that massive attempt to bruteforce the system?
  #4  
22nd July 2010, 22:30
till

That's not a massive attempt, that's the normal script kiddies. So nothing to get worried about if you have a password that consists of chars and numbers and is long enough. If you have a few hundred login attempts per second, then it's a brute force that might bring down our server.

If you want to block this with fail2ban, take a look here:

http://www.fail2ban.org/wiki/index.php/Pure-FTPd
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
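
Added example (not part of the original posts, and not fail2ban's own code): a small Python check over log lines in the format pasted above. It counts "Authentication failed" entries per source address inside a time window, in the spirit of fail2ban's maxretry/findtime settings, and skips the loopback monitor connections. The function name ban_candidates, the sample addresses (documentation ranges), the usernames and the year default are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failed-login lines in the pure-ftpd syslog format shown in the thread.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pure-ftpd: "
    r"\(\S*@(?P<ip>[0-9a-fA-F.:]+)\) \[WARNING\] "
    r"Authentication failed for user \[(?P<user>[^\]]*)\]"
)
IGNORE = {"127.0.0.1", "::1"}  # local service monitor, as explained in the thread

# Constructed sample lines (documentation addresses, made-up usernames).
SAMPLE = """\
Jul 22 09:00:00 my pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [bob]
Jul 22 11:00:00 my pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [bob]
Jul 22 12:33:36 my pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [alice]
Jul 22 12:33:38 my pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [alicecom]
Jul 22 12:33:41 my pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [alice]
Jul 22 13:00:00 my pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [bob]
Jul 22 14:45:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jul 22 14:45:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
""".splitlines()


def ban_candidates(lines, maxretry=3, findtime=600, year=2010):
    """Return {ip: sorted usernames tried} for every source with at least
    `maxretry` failures inside a `findtime`-second window. Syslog timestamps
    carry no year, so the caller supplies one (assumption of this example).
    Lines are expected in chronological order per source address."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    users = defaultdict(set)     # ip -> usernames that were tried
    flagged = set()
    for line in lines:
        m = FAIL_RE.match(line.rstrip())
        if not m or m["ip"] in IGNORE:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(when)
        while when - window[0] > timedelta(seconds=findtime):
            window.popleft()     # drop failures older than findtime
        users[m["ip"]].add(m["user"])
        if len(window) >= maxretry:
            flagged.add(m["ip"])
    return {ip: sorted(users[ip]) for ip in flagged}
```

With the defaults, only the address that failed three times within seconds is returned; the one that failed once every two hours is not, and loopback is never reported.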