Hi guys, I just noticed something strange and I'm a bit worried about it. Please look at this in my fail2ban.log:

Code:
2013-05-08 17:28:45,062 fail2ban.actions: WARNING [pureftpd] Ban 61.160.213.168
2013-05-08 17:38:45,709 fail2ban.actions: WARNING [pureftpd] Unban 61.160.213.168
2013-05-08 17:41:18,875 fail2ban.actions: WARNING [pureftpd] Ban 61.160.213.168
2013-05-08 17:51:19,518 fail2ban.actions: WARNING [pureftpd] Unban 61.160.213.168
2013-05-08 17:56:18,838 fail2ban.actions: WARNING [pureftpd] Ban 61.160.213.168
2013-05-08 18:06:19,482 fail2ban.actions: WARNING [pureftpd] Unban 61.160.213.168
2013-05-08 20:59:34,496 fail2ban.actions: WARNING [pureftpd] Ban 61.160.213.168
2013-05-08 21:09:35,142 fail2ban.actions: WARNING [pureftpd] Unban 61.160.213.168
2013-05-08 21:13:36,405 fail2ban.actions: WARNING [pureftpd] Ban 61.160.213.168
2013-05-08 21:23:37,049 fail2ban.actions: WARNING [pureftpd] Unban 61.160.213.168
2013-05-08 21:56:55,182 fail2ban.actions: WARNING [pureftpd] Ban 61.160.213.168
2013-05-08 22:06:55,828 fail2ban.actions: WARNING [pureftpd] Unban 61.160.213.168

This is a Chinese IP and it looks like an attempt to enter my server, isn't it? Do I have to worry about this? Thanks!
I'm no expert, but it looks like your server is being attacked by an automated script from that IP address. The script is trying to ftp into your server. Does the sequence continue on, or has it stopped?
Hi Darin, Yes, it stopped. I would like to ban this IP though, just in case. How can I do that in ISPConfig? I'm having a problem with an IP I would like to unban on the other side. One of my clients can't connect to the FTP this time. How can I do that? This ban/unban thing is a bit obscure to me... Thanks for your help!
The ban and unban is OK, it's the purpose of fail2ban and the log file shows that it works as intended. Fail2ban bans an IP if there are too many failed login attempts from that IP, and it will unban the IP after some time to avoid your users getting blocked permanently. This is useful and necessary. This does not have to be an attack; it can simply be a normal FTP client where someone entered a wrong password and which tries to auto-reconnect. Banning and unbanning is done with iptables, so you can also ban IPs manually. Your client IP should already be unbanned, as the ban time on your server is most likely 10 minutes.
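The ban/unban cycle described in the reply above can be checked directly from the log. The following is an added example, not part of the original thread or of fail2ban itself: it pairs each Ban with its Unban to measure the effective ban time, reports which addresses are still banned, and lists addresses that keep getting re-banned. The function names and the `min_bans` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the first six lines of the fail2ban.log excerpt in the first post,
# plus one constructed line (192.0.2.10, a documentation address) for an open ban.
SAMPLE_LOG = """\
2013-05-08 17:28:45,062 fail2ban.actions: WARNING [pureftpd] Ban 61.160.213.168
2013-05-08 17:38:45,709 fail2ban.actions: WARNING [pureftpd] Unban 61.160.213.168
2013-05-08 17:41:18,875 fail2ban.actions: WARNING [pureftpd] Ban 61.160.213.168
2013-05-08 17:51:19,518 fail2ban.actions: WARNING [pureftpd] Unban 61.160.213.168
2013-05-08 17:56:18,838 fail2ban.actions: WARNING [pureftpd] Ban 61.160.213.168
2013-05-08 18:06:19,482 fail2ban.actions: WARNING [pureftpd] Unban 61.160.213.168
2013-05-08 18:07:00,000 fail2ban.actions: WARNING [pureftpd] Ban 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) fail2ban\.actions\s*: "
    r"WARNING \[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)$"
)

def summarize(log_text):
    """Return {(jail, ip): {"bans", "durations" (seconds), "active"}}."""
    stats = defaultdict(lambda: {"bans": 0, "durations": [], "active": False})
    banned_at = {}  # (jail, ip) -> time of the ban that has not been lifted yet
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not Ban/Unban actions
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        key = (m["jail"], m["ip"])
        if m["action"] == "Ban":
            stats[key]["bans"] += 1
            stats[key]["active"] = True
            banned_at[key] = ts
        else:
            stats[key]["active"] = False
            if key in banned_at:  # an Unban with no logged Ban is skipped
                delta = ts - banned_at.pop(key)
                stats[key]["durations"].append(delta.total_seconds())
    return dict(stats)

def repeat_offenders(stats, min_bans=3):
    """Addresses banned at least min_bans times: candidates for a manual block."""
    return sorted(ip for (_, ip), s in stats.items() if s["bans"] >= min_bans)

if __name__ == "__main__":
    for (jail, ip), s in summarize(SAMPLE_LOG).items():
        avg = sum(s["durations"]) / len(s["durations"]) if s["durations"] else 0
        print(f"{jail} {ip}: {s['bans']} bans, avg {avg:.0f}s, active={s['active']}")
```

On the sample lines every completed ban lasts just over 600 seconds, which matches the 10 minute ban time mentioned in the reply.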
Hi Till, Thank you very much for this answer! No need for me to ban manually then? Seems awesome if it's automatic. Thanks!