Possible DOS Attack

Discussion in 'Server Operation' started by Nilpo, Dec 11, 2013.

  1. Nilpo

    Nilpo Member HowtoForge Supporter

    I was doing some advanced configuring of fail2ban and I took a peek at /var/log/messages where I found thousands of these going back as far as my logs will go.
    Code:
    Dec  9 01:45:02 hostname pure-ftpd: ([email protected]::1) [INFO] New connection from ::1
    Dec  9 01:45:02 hostname pure-ftpd: ([email protected]::1) [INFO] Logout.
    Dec  9 01:46:01 hostname pure-ftpd: ([email protected]::1) [INFO] New connection from ::1
    Dec  9 01:46:01 hostname pure-ftpd: ([email protected]::1) [INFO] Logout.
    Dec  9 01:47:01 hostname pure-ftpd: ([email protected]::1) [INFO] New connection from ::1
    Dec  9 01:47:01 hostname pure-ftpd: ([email protected]::1) [INFO] Logout.
    Dec  9 01:48:01 hostname pure-ftpd: ([email protected]::1) [INFO] New connection from ::1
    Dec  9 01:48:01 hostname pure-ftpd: ([email protected]::1) [INFO] Logout.
    Dec  9 01:49:01 hostname pure-ftpd: ([email protected]::1) [INFO] New connection from ::1
    Dec  9 01:49:01 hostname pure-ftpd: ([email protected]::1) [INFO] Logout.
    Dec  9 01:50:01 hostname pure-ftpd: ([email protected]::1) [INFO] New connection from ::1
    Dec  9 01:50:01 hostname pure-ftpd: ([email protected]::1) [INFO] Logout.
    Dec  9 01:50:02 hostname pure-ftpd: ([email protected]::1) [INFO] New connection from ::1
    Dec  9 01:50:02 hostname pure-ftpd: ([email protected]::1) [INFO] Logout.
    Dec  9 01:51:01 hostname pure-ftpd: ([email protected]::1) [INFO] New connection from ::1
    Dec  9 01:51:01 hostname pure-ftpd: ([email protected]::1) [INFO] Logout.
    Dec  9 01:52:01 hostname pure-ftpd: ([email protected]::1) [INFO] New connection from ::1
    Dec  9 01:52:01 hostname pure-ftpd: ([email protected]::1) [INFO] Logout.
    Dec  9 01:53:01 hostname pure-ftpd: ([email protected]::1) [INFO] New connection from ::1
    Dec  9 01:53:01 hostname pure-ftpd: ([email protected]::1) [INFO] Logout.
    Dec  9 01:54:01 hostname pure-ftpd: ([email protected]::1) [INFO] New connection from ::1
    Dec  9 01:54:01 hostname pure-ftpd: ([email protected]::1) [INFO] Logout.
    That got me wondering if mod_evasive was working so I decided to check with this:
    Code:
    cat /var/log/messages | grep -B 5 "mod_evasive"
    And the output:
    Code:
    # cat messages | grep -B 5 "mod_evasive"
    Dec  9 01:52:01 hostname pure-ftpd: ([email protected]::1) [INFO] Logout.
    Dec  9 01:53:01 hostname pure-ftpd: ([email protected]::1) [INFO] New connection from ::1
    Dec  9 01:53:01 hostname pure-ftpd: ([email protected]::1) [INFO] Logout.
    Dec  9 01:54:01 hostname pure-ftpd: ([email protected]::1) [INFO] New connection from ::1
    Dec  9 01:54:01 hostname pure-ftpd: ([email protected]::1) [INFO] Logout.
    Dec  9 01:54:46 hostname mod_evasive[6996]: Blacklisting address 24.144.240.158: possible DoS attack.
    --
    Dec  9 11:30:02 hostname pure-ftpd: ([email protected]::1) [INFO] Logout.
    Dec  9 11:31:01 hostname pure-ftpd: ([email protected]::1) [INFO] New connection from ::1
    Dec  9 11:31:01 hostname pure-ftpd: ([email protected]::1) [INFO] Logout.
    Dec  9 11:32:01 hostname pure-ftpd: ([email protected]::1) [INFO] New connection from ::1
    Dec  9 11:32:01 hostname pure-ftpd: ([email protected]::1) [INFO] Logout.
    Dec  9 11:32:42 hostname mod_evasive[21759]: Blacklisting address 70.39.246.37: possible DoS attack.
    --
    Dec  9 12:57:01 hostname pure-ftpd: ([email protected]::1) [INFO] Logout.
    Dec  9 12:58:02 hostname pure-ftpd: ([email protected]::1) [INFO] New connection from ::1
    Dec  9 12:58:02 hostname pure-ftpd: ([email protected]::1) [INFO] Logout.
    Dec  9 12:59:01 hostname pure-ftpd: ([email protected]::1) [INFO] New connection from ::1
    Dec  9 12:59:01 hostname pure-ftpd: ([email protected]::1) [INFO] Logout.
    Dec  9 12:59:06 hostname mod_evasive[611]: Blacklisting address 72.105.13.158: possible DoS attack.
    Should I be concerned? Suggestions on what I should do? Should I consider pushing FTP to a separate log file? As-is, messages is virtually unreadable.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    This is no dos attack and nothing to be concerned about, it is the system check that tests if pure-ftpd is working correctly.
     
  3. Nilpo

    Nilpo Member HowtoForge Supporter

    It's checking once per minute, non-stop? Is there any way to limit logging of successful checks so that the log file is filled by it?

    I thought it was a bit odd there was no IP listed.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes. Otherwise it might recognize too late that a service is down.

    Btw. If this would have been a dos attack, then you would seen several connects per second.

    I dont think so.

    there is an IP listed. ::1 is the IPv6 equivalent of 127.0.0.1 aka. localhost
     

Share This Page