Pure-FTPD log floods

Discussion in 'Installation/Configuration' started by crypted, Jul 22, 2010.

  1. crypted

    crypted New Member

    Every day, I have several thousand entries like the two I'm pasting here.

    Code:
    Jul 22 14:45:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Jul 22 14:45:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    Jul 22 14:50:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Jul 22 14:50:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    Jul 22 14:55:02 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Jul 22 14:55:02 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    Jul 22 15:00:02 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Jul 22 15:00:02 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    Jul 22 15:05:02 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Jul 22 15:05:02 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    Jul 22 15:10:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Jul 22 15:10:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    Jul 22 15:15:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Jul 22 15:15:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    Jul 22 15:20:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Jul 22 15:20:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    Jul 22 15:25:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Jul 22 15:25:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.

    Code:
    Jul 22 12:33:36 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordon]
    Jul 22 12:33:36 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41                
    Jul 22 12:33:36 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address       
    Jul 22 12:33:37 my pure-ftpd: (?@173.224.217.41) [INFO] Logout.
    Jul 22 12:33:38 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordoncom]
    Jul 22 12:33:38 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41                
    Jul 22 12:33:38 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address
    Jul 22 12:33:40 my pure-ftpd: (?@173.224.217.41) [INFO] Logout.
    Jul 22 12:33:41 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordon]
    Jul 22 12:33:41 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41                
    Jul 22 12:33:41 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address
    Jul 22 12:33:43 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordoncom]
    Jul 22 12:33:43 my pure-ftpd: (?@173.224.217.41) [INFO] Logout.
    Jul 22 12:33:43 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41             
    Jul 22 12:33:43 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address       
    Jul 22 12:33:45 my pure-ftpd: (?@173.224.217.41) [INFO] Logout.
    Jul 22 12:33:45 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordon]   
    Jul 22 12:33:45 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41         
    Jul 22 12:33:46 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address       
    Jul 22 12:33:47 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordoncom]
    Jul 22 12:33:47 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41
    Jul 22 12:33:47 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address       
    Jul 22 12:33:48 my pure-ftpd: (?@173.224.217.41) [INFO] Logout.
    Jul 22 12:33:49 my pure-ftpd: (?@173.224.217.41) [WARNING] Authentication failed for user [derekgordon]
    Jul 22 12:33:50 my pure-ftpd: (?@173.224.217.41) [INFO] New connection from 173.224.217.41
    Jul 22 12:33:50 my pure-ftpd: (?@173.224.217.41) [INFO] PAM_RHOST enabled. Getting the peer address       
    Jul 22 12:33:51 my pure-ftpd: (?@173.224.217.41) [INFO] Logout.

    Not sure about the localhost IP address, but this other one just keeps flooding the server trying to connect.

    How would one stop this?

    I installed fail2ban and whatever else according to the Debian Lenny guide a few months ago.
     
  2. till

    till Super Moderator

    That's OK and as it should be. It is the automatic system check which verifies every 5 minutes that the services are online.
     
  3. crypted

    crypted New Member

    How about handling that massive attempt to bruteforce the system?
     
  4. till

    till Super Moderator

    That's not a massive attempt, that's the normal script kiddies. So nothing to get worried about if you have a password that consists of chars and numbers and is long enough. If you have a few hundred login attempts per second, then it's a brute force that might bring down our server.

    If you want to block this with fail2ban, take a look here:

    http://www.fail2ban.org/wiki/index.php/Pure-FTPd
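
Added example, not part of the thread and not fail2ban's own code: a small Python check that applies the same threshold idea to pure-ftpd lines in the format posted above, skipping the localhost service check. The parameter names mirror fail2ban's `maxretry` and `findtime` jail settings; their values, the year, and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the syslog format shown in the thread; the addresses
# and user names are made up (documentation ranges), not taken from the posts.
SAMPLE_LOG = """\
Jul 22 09:00:00 my pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [bob]
Jul 22 09:30:00 my pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [bob]
Jul 22 10:15:00 my pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [bob]
Jul 22 12:33:36 my pure-ftpd: (?@203.0.113.7) [INFO] New connection from 203.0.113.7
Jul 22 12:33:36 my pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [alice]
Jul 22 12:33:38 my pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [alicecom]
Jul 22 12:33:41 my pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [alice]
Jul 22 12:33:43 my pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [alicecom]
Jul 22 14:45:01 my pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
Jul 22 14:45:01 my pure-ftpd: (?@127.0.0.1) [INFO] Logout.
"""

# Only the [WARNING] line counts as a failure; connect/logout lines are ignored.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pure-ftpd: "
    r"\(\S*?@(?P<ip>[0-9A-Fa-f.:]+)\) \[WARNING\] Authentication failed for user")

def find_offenders(log_text, maxretry=3, findtime=600,
                   ignore=("127.0.0.1", "::1"), year=2010):
    """Map each IP to the time it first reached maxretry failures within
    findtime seconds. Syslog lines carry no year, so one is assumed."""
    recent = defaultdict(deque)   # ip -> failure times inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m or m["ip"] in ignore:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()           # drop failures older than the window
        if len(q) >= maxretry:
            offenders.setdefault(m["ip"], ts)
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the threshold at {when}")
```

The address that fails three times within seconds is reported, while the one that fails three times spread over more than an hour is not, which is the distinction a ban threshold is meant to draw.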
     
