Fail2Ban repeating ban/unban warnings

Discussion in 'ISPConfig 3 Priority Support' started by Fluotonic, May 9, 2013.

  1. Fluotonic

    Fluotonic Member

    Hi guys,

    I just noticed something streange and I'm a bit worried about it. Please look at this in my fail2ban.log :

    Code:
    2013-05-08 17:28:45,062 fail2ban.actions: WARNING [pureftpd] Ban 61.160.213.168
    2013-05-08 17:38:45,709 fail2ban.actions: WARNING [pureftpd] Unban 61.160.213.168
    2013-05-08 17:41:18,875 fail2ban.actions: WARNING [pureftpd] Ban 61.160.213.168
    2013-05-08 17:51:19,518 fail2ban.actions: WARNING [pureftpd] Unban 61.160.213.168
    2013-05-08 17:56:18,838 fail2ban.actions: WARNING [pureftpd] Ban 61.160.213.168
    2013-05-08 18:06:19,482 fail2ban.actions: WARNING [pureftpd] Unban 61.160.213.168
    2013-05-08 20:59:34,496 fail2ban.actions: WARNING [pureftpd] Ban 61.160.213.168
    2013-05-08 21:09:35,142 fail2ban.actions: WARNING [pureftpd] Unban 61.160.213.168
    2013-05-08 21:13:36,405 fail2ban.actions: WARNING [pureftpd] Ban 61.160.213.168
    2013-05-08 21:23:37,049 fail2ban.actions: WARNING [pureftpd] Unban 61.160.213.168
    2013-05-08 21:56:55,182 fail2ban.actions: WARNING [pureftpd] Ban 61.160.213.168
    2013-05-08 22:06:55,828 fail2ban.actions: WARNING [pureftpd] Unban 61.160.213.168
    This is a chinese IP and it looks like an attempt to enter my server, isn't it? Do I have to worry about this?

    Thanks!
     
  2. darinpeterson

    darinpeterson Member HowtoForge Supporter

    I'm no expert, but it looks like you're server is being attacked by an automated script from that IP address. The script is trying to ftp into your server.

    Does the sequence continue on, or has it stopped?
     
  3. Fluotonic

    Fluotonic Member

    Hi Darin,

    Yes it stopped. I would like to ban this IP though, just in case. How can I do that in ISPConfig?

    I'm having a problem with an IP I would like to unban on the other side. One of my clients can't connect on the FTP this time. How can I do that?

    This ban/unban thing is a bit obscure for me...

    Thanks for your help!
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The ban and unban is ok, its the purpose of fail2ban and the log file shows that it works as intended. Fail2ban bans a ip if there are too many failed login attemps from that ip and it eill unban the ip after some time to avoid that your users get blocked permanently. This is useful and nescessary this does not has to be an attack, it can simply be a normal ftp client were soeone entered a wrong password which tries to auto reconnect.

    Banning aind unbanning is done with iptables, so you can ban ips also manually. Your lient ip should already be unbanned as the ban time on your server is most likely 10 minutes.
     
  5. Fluotonic

    Fluotonic Member

    Hi Till,

    Thank you very much for this answer!

    No need for me to ban manually then? Seems awesome if it's automatic :)

    Thanks!
     
  6. falko

    falko Super Moderator ISPConfig Developer

    That's right! :)
     

Share This Page