How can I block these attacks?

Code:
Jan 11 13:23:24 server pure-ftpd: ([email protected]) [INFO] PAM_RHOST enabled. Getting the peer address
Jan 11 13:23:26 server pure-ftpd: ([email protected]) [INFO] New connection from 205.244.148.43
Jan 11 13:23:27 server pure-ftpd: ([email protected]) [INFO] PAM_RHOST enabled. Getting the peer address
Jan 11 13:23:29 server pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [tsinternetuser]
Jan 11 13:23:32 server pure-ftpd: ([email protected]) [INFO] PAM_RHOST enabled. Getting the peer address
Jan 11 13:23:34 server pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [tsinternetuser]
Jan 11 13:23:43 server pure-ftpd: ([email protected]) [INFO] PAM_RHOST enabled. Getting the peer address
Jan 11 13:23:45 server pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [tsinternetuser]
Jan 11 13:23:56 server pure-ftpd: ([email protected]) [INFO] PAM_RHOST enabled. Getting the peer address
Jan 11 13:23:58 server pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [tsinternetuser]
Jan 11 13:24:12 server pure-ftpd: ([email protected]) [INFO] PAM_RHOST enabled. Getting the peer address
Jan 11 13:24:14 server pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [tsinternetuser]
Jan 11 13:24:30 server pure-ftpd: ([email protected]) [INFO] PAM_RHOST enabled. Getting the peer address
Jan 11 13:24:32 server pure-ftpd: ([email protected]) [INFO] New connection from 205.244.148.43
Jan 11 13:24:32 server pure-ftpd: ([email protected]) [INFO] PAM_RHOST enabled. Getting the peer address
Jan 11 13:24:35 server pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [tsinternetuser]
Jan 11 13:24:41 server pure-ftpd: ([email protected]) [INFO] PAM_RHOST enabled. Getting the peer address
Jan 11 13:24:42 server pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [tsinternetuser]
Jan 11 13:24:50 server pure-ftpd: ([email protected]) [INFO] PAM_RHOST enabled. Getting the peer address
Jan 11 13:24:58 server pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [tsinternetuser]
Install fail2ban

/etc/fail2ban/jail.conf

Code:
#
# FTP servers
#
[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/messages
maxretry = 3

/etc/fail2ban/filter.d/pure-ftpd.conf

Code:
failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$

Restart your fail2ban
Is this really an attack? Has someone been trying to exploit something I have left open? I am getting this message on my box . . .

Dec 12 23:56:36 server1 pure-ftpd: ([email protected]) [INFO] New connection from 74.113.89.114
Dec 12 23:56:36 server1 pure-ftpd: ([email protected]) [INFO] PAM_RHOST enabled. Getting the peer address
Dec 12 23:56:40 server1 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [Administrator]
Dec 12 23:56:40 server1 pure-ftpd: ([email protected]) [INFO] PAM_RHOST enabled. Getting the peer address
Dec 12 23:56:44 server1 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [Administrator]
Dec 12 23:56:44 server1 pure-ftpd: ([email protected]) [INFO] PAM_RHOST enabled. Getting the peer address
Dec 12 23:56:52 server1 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [Administrator]
Dec 12 23:56:53 server1 pure-ftpd: ([email protected]) [INFO] PAM_RHOST enabled. Getting the peer address
Dec 12 23:56:53 server1 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [Administrator]
Dec 12 23:56:53 server1 pure-ftpd: ([email protected]) [INFO] PAM_RHOST enabled. Getting the peer address
Dec 12 23:57:05 server1 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [Administrator]
Dec 12 23:57:05 server1 pure-ftpd: ([email protected]) [INFO] PAM_RHOST enabled. Getting the peer address
Dec 12 23:57:10 server1 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [Administrator]
Dec 12 23:57:10 server1 pure-ftpd: ([email protected]) [INFO] PAM_RHOST enabled. Getting the peer address
Dec 12 23:57:20 server1 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [Administrator]
Dec 12 23:57:20 server1 pure-ftpd: ([email protected]) [INFO] PAM_RHOST enabled. Getting the peer address
Dec 12 23:57:28 server1 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [Administrator]
Dec 12 23:57:28 server1 pure-ftpd: ([email protected]) [INFO] PAM_RHOST enabled. Getting the peer address
Dec 12 23:57:39 server1 pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [Administrator]
Dec 12 23:57:39 server1 pure-ftpd: ([email protected]) [INFO] PAM_RHOST enabled. Getting the peer address
I guess someone is trying to log into your FTP account. You should install fail2ban to block these attempts.
It is installed . . .

I got fail2ban installed, but I am seeing a line already in this file:

/etc/fail2ban/filter.d/pure-ftpd.conf

similar to the one in this link. This is what it states:

failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$

It is slightly different . . . should I leave it in or remove it and replace it?

sERGE
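Added example, not part of any post in this thread: a Python check that runs the two failregex lines quoted above over constructed pure-ftpd log lines and lists the hosts that reach the jail's `maxretry = 3`. The `<HOST>` substitute (IPv4 only), the `__errmsg` value (taken from the log text in the thread), the `(?@address)` session prefix and the sample lines are assumptions, and the count ignores any time window.

```python
import re
from collections import Counter

# Assumption: simplified stand-in for fail2ban's <HOST> tag (IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Assumption: __errmsg set to the message seen in the logs in this thread.
ERRMSG = r"Authentication failed for user"

# The two failregex lines quoted in the thread; they differ only in "\s*" before "$".
FAILREGEX_POSTED = r"pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$"
FAILREGEX_INSTALLED = r"pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$"

MAXRETRY = 3  # from the [pure-ftpd] jail section posted in the thread


def compile_failregex(template):
    """Fill in the <HOST> and %(__errmsg)s placeholders and compile."""
    return re.compile(template.replace("<HOST>", HOST).replace("%(__errmsg)s", ERRMSG))


def failures_per_host(lines, template):
    """Count lines matched by the failregex, keyed by captured host."""
    rx = compile_failregex(template)
    hits = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(lines, template, maxretry=MAXRETRY):
    """Hosts whose failure count reaches maxretry (time window ignored)."""
    return sorted(h for h, n in failures_per_host(lines, template).items() if n >= maxretry)


# Constructed sample lines using documentation addresses; the fourth line
# ends with a trailing space to show what "\s*" changes.
SAMPLE = [
    "Jan 11 13:23:26 server pure-ftpd: (?@203.0.113.7) [INFO] New connection from 203.0.113.7",
    "Jan 11 13:23:29 server pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [tsinternetuser]",
    "Jan 11 13:23:34 server pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [tsinternetuser]",
    "Jan 11 13:23:45 server pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [tsinternetuser] ",
    "Jan 11 13:24:02 server pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [Administrator]",
]

if __name__ == "__main__":
    for name, tpl in (("posted", FAILREGEX_POSTED), ("installed", FAILREGEX_INSTALLED)):
        print(name, dict(failures_per_host(SAMPLE, tpl)), hosts_to_ban(SAMPLE, tpl))
```

On these samples the only difference between the two patterns is the line with trailing whitespace, which the `\s*$` form still counts as a failure.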