Pure-FTPD log floods

Discussion in 'Installation/Configuration' started by crypted, Jul 22, 2010.

  1. crypted

    crypted New Member

    Every day, I have several thousand entries like the two I'm pasting here.

    Code:
    Jul 22 14:45:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Jul 22 14:45:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    Jul 22 14:50:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Jul 22 14:50:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    Jul 22 14:55:02 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Jul 22 14:55:02 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    Jul 22 15:00:02 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Jul 22 15:00:02 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    Jul 22 15:05:02 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Jul 22 15:05:02 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    Jul 22 15:10:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Jul 22 15:10:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    Jul 22 15:15:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Jul 22 15:15:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    Jul 22 15:20:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Jul 22 15:20:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    Jul 22 15:25:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Jul 22 15:25:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.

    Code:
    Jul 22 12:33:36 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordon]
    Jul 22 12:33:36 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41                
    Jul 22 12:33:36 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address       
    Jul 22 12:33:37 my pure-ftpd: (?@173.224.217.41) [INFO] Logout.
    Jul 22 12:33:38 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordoncom]
    Jul 22 12:33:38 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41                
    Jul 22 12:33:38 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address
    Jul 22 12:33:40 my pure-ftpd: (?@173.224.217.41) [INFO] Logout.
    Jul 22 12:33:41 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordon]
    Jul 22 12:33:41 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41                
    Jul 22 12:33:41 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address
    Jul 22 12:33:43 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordoncom]
    Jul 22 12:33:43 my pure-ftpd: (?@173.224.217.41) [INFO] Logout.
    Jul 22 12:33:43 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41             
    Jul 22 12:33:43 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address       
    Jul 22 12:33:45 my pure-ftpd: (?@173.224.217.41) [INFO] Logout.
    Jul 22 12:33:45 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordon]   
    Jul 22 12:33:45 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41         
    Jul 22 12:33:46 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address       
    Jul 22 12:33:47 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordoncom]
    Jul 22 12:33:47 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41
    Jul 22 12:33:47 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address       
    Jul 22 12:33:48 my pure-ftpd: (?@173.224.217.41) [INFO] Logout.
    Jul 22 12:33:49 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordon]
    Jul 22 12:33:50 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41
    Jul 22 12:33:50 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address       
    Jul 22 12:33:51 my pure-ftpd: (?@173.224.217.41) [INFO] Logout.
    Not sure about the localhost IP address, but this other one just keeps flooding the server trying to connect.

    How would one stop this?

    I installed fail2ban and whatever else according to the Debian Lenny guide a few months ago.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's OK and as it should be. It is the automatic system check which verifies every 5 minutes that the services are online.
     
  3. crypted

    crypted New Member

    How about handling that massive attempt to bruteforce the system?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    That's not a massive attempt, that's the normal script kiddies. So nothing to get worried about if you have a password that consists of chars and numbers and is long enough. If you have a few hundred login attempts per second, then it's a brute force that might bring down our server.

    If you want to block this with fail2ban, take a look here:

    http://www.fail2ban.org/wiki/index.php/Pure-FTPd
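
Added example, not part of the original thread or of fail2ban: a small Python triage script for syslog lines in the format quoted above, which skips the loopback monitoring check and reports hosts whose failed logins reach a threshold inside a sliding time window. The sample lines, the documentation-range IP addresses, the function name and the `maxretry`/`findtime` values (named after fail2ban's options) are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the same format as the log excerpts in the thread.
SAMPLE = """\
Jul 22 12:30:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jul 22 12:30:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Jul 22 12:31:10 my pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [bob]
Jul 22 12:33:36 my pure-ftpd: (?@203.0.113.7) [INFO] New connection from 203.0.113.7
Jul 22 12:33:36 my pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [alice]
Jul 22 12:33:38 my pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [alicecom]
Jul 22 12:33:41 my pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [alice]
Jul 22 12:33:43 my pure-ftpd: (?@203.0.113.7) [INFO] Logout.
Jul 22 12:55:00 my pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [bob]
"""

# The peer address is taken from the "(user@host)" prefix written by the daemon,
# never from the message body, which contains the client-supplied username.
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pure-ftpd: "
    r"\(.*?@(?P<host>[^)]+)\) \[(?P<level>\w+)\] (?P<msg>.*?)\s*$")
FAILED = re.compile(r"^Authentication failed for user \[(?P<user>.*)\]$")

def find_offenders(lines, maxretry=3, findtime=600,
                   ignore=("127.0.0.1", "::1"), year=2010):
    """Return {ip: sorted usernames tried} for hosts with at least `maxretry`
    failed logins within `findtime` seconds. Lines must be in time order;
    syslog timestamps carry no year, so one is supplied by the caller."""
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    users = defaultdict(set)      # ip -> usernames attempted
    offenders = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["host"] in ignore:
            continue              # unparsable line or local service check
        failed = FAILED.match(m["msg"])
        if not failed:
            continue              # connection/logout noise, not a failure
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        recent = window[m["host"]]
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > findtime:
            recent.popleft()      # drop failures older than the window
        users[m["host"]].add(failed["user"])
        if len(recent) >= maxretry:
            offenders[m["host"]] = sorted(users[m["host"]])
    return offenders

if __name__ == "__main__":
    for ip, tried in find_offenders(SAMPLE.splitlines()).items():
        print(ip, tried)
```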
     
