Navigation

crypted · #1 22nd July 2010, 21:41

Everyday, I have several thousand entries like the two I'm pasting here.

Code:

Jul 22 14:45:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jul 22 14:45:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Jul 22 14:50:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jul 22 14:50:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Jul 22 14:55:02 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jul 22 14:55:02 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Jul 22 15:00:02 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jul 22 15:00:02 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Jul 22 15:05:02 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jul 22 15:05:02 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Jul 22 15:10:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jul 22 15:10:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Jul 22 15:15:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jul 22 15:15:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Jul 22 15:20:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jul 22 15:20:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Jul 22 15:25:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jul 22 15:25:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.

Code:

Jul 22 12:33:36 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordon]
Jul 22 12:33:36 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41                
Jul 22 12:33:36 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address       
Jul 22 12:33:37 my pure-ftpd: (?@173.224.217.41) [INFO] Logout.
Jul 22 12:33:38 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordoncom]
Jul 22 12:33:38 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41                
Jul 22 12:33:38 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address
Jul 22 12:33:40 my pure-ftpd: (?@173.224.217.41) [INFO] Logout.
Jul 22 12:33:41 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordon]
Jul 22 12:33:41 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41                
Jul 22 12:33:41 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address
Jul 22 12:33:43 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordoncom]
Jul 22 12:33:43 my pure-ftpd: (?@173.224.217.41) [INFO] Logout.
Jul 22 12:33:43 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41             
Jul 22 12:33:43 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address       
Jul 22 12:33:45 my pure-ftpd: (?@173.224.217.41) [INFO] Logout.
Jul 22 12:33:45 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordon]   
Jul 22 12:33:45 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41         
Jul 22 12:33:46 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address       
Jul 22 12:33:47 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordoncom]
Jul 22 12:33:47 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41
Jul 22 12:33:47 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address       
Jul 22 12:33:48 my pure-ftpd: (?@173.224.217.41) [INFO] Logout.
Jul 22 12:33:49 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordon]
Jul 22 12:33:50 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41
Jul 22 12:33:50 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address       
Jul 22 12:33:51 my pure-ftpd: (?@173.224.217.41) [INFO] Logout.

Not sure about the localhost IP address, but this other one just keeps flooding the server trying to connect.

How would one stop this?

I installed fail2ban and whatever else according to the Debian Lenny guide a few months ago.

till · #2 22nd July 2010, 22:15

Quote:

Not sure about the localhost IP address

Thats ok and as it should be. It is the automatic system check which verifies every 5 minutes that the services are online.

crypted · #3 22nd July 2010, 22:24

How about handling that massive attempt to bruteforce the system?

till · #4 22nd July 2010, 22:30

Thats not a massive attempt, thats the normal script kiddies. So nothing to get worried about if you have a password that consists of chars, and numbers and is long enough. If you have a few hundred login attemps per second, then its a brute force that might bring down our server.

If you want to block this with fail2ban, take a look here:

http://www.fail2ban.org/wiki/index.php/Pure-FTPd

Navigation

Facebook

News

Recent comments

Newsletter