I was doing some advanced configuring of fail2ban and I took a peek at /var/log/messages where I found thousands of these going back as far as my logs will go.

Code:
Dec 9 01:45:02 hostname pure-ftpd: (?@::1) [INFO] New connection from ::1
Dec 9 01:45:02 hostname pure-ftpd: (?@::1) [INFO] Logout.
Dec 9 01:46:01 hostname pure-ftpd: (?@::1) [INFO] New connection from ::1
Dec 9 01:46:01 hostname pure-ftpd: (?@::1) [INFO] Logout.
Dec 9 01:47:01 hostname pure-ftpd: (?@::1) [INFO] New connection from ::1
Dec 9 01:47:01 hostname pure-ftpd: (?@::1) [INFO] Logout.
Dec 9 01:48:01 hostname pure-ftpd: (?@::1) [INFO] New connection from ::1
Dec 9 01:48:01 hostname pure-ftpd: (?@::1) [INFO] Logout.
Dec 9 01:49:01 hostname pure-ftpd: (?@::1) [INFO] New connection from ::1
Dec 9 01:49:01 hostname pure-ftpd: (?@::1) [INFO] Logout.
Dec 9 01:50:01 hostname pure-ftpd: (?@::1) [INFO] New connection from ::1
Dec 9 01:50:01 hostname pure-ftpd: (?@::1) [INFO] Logout.
Dec 9 01:50:02 hostname pure-ftpd: (?@::1) [INFO] New connection from ::1
Dec 9 01:50:02 hostname pure-ftpd: (?@::1) [INFO] Logout.
Dec 9 01:51:01 hostname pure-ftpd: (?@::1) [INFO] New connection from ::1
Dec 9 01:51:01 hostname pure-ftpd: (?@::1) [INFO] Logout.
Dec 9 01:52:01 hostname pure-ftpd: (?@::1) [INFO] New connection from ::1
Dec 9 01:52:01 hostname pure-ftpd: (?@::1) [INFO] Logout.
Dec 9 01:53:01 hostname pure-ftpd: (?@::1) [INFO] New connection from ::1
Dec 9 01:53:01 hostname pure-ftpd: (?@::1) [INFO] Logout.
Dec 9 01:54:01 hostname pure-ftpd: (?@::1) [INFO] New connection from ::1
Dec 9 01:54:01 hostname pure-ftpd: (?@::1) [INFO] Logout.

That got me wondering if mod_evasive was working, so I decided to check with this:

Code:
cat /var/log/messages | grep -B 5 "mod_evasive"

And the output:

Code:
# cat messages | grep -B 5 "mod_evasive"
Dec 9 01:52:01 hostname pure-ftpd: (?@::1) [INFO] Logout.
Dec 9 01:53:01 hostname pure-ftpd: (?@::1) [INFO] New connection from ::1
Dec 9 01:53:01 hostname pure-ftpd: (?@::1) [INFO] Logout.
Dec 9 01:54:01 hostname pure-ftpd: (?@::1) [INFO] New connection from ::1
Dec 9 01:54:01 hostname pure-ftpd: (?@::1) [INFO] Logout.
Dec 9 01:54:46 hostname mod_evasive[6996]: Blacklisting address 24.144.240.158: possible DoS attack.
--
Dec 9 11:30:02 hostname pure-ftpd: (?@::1) [INFO] Logout.
Dec 9 11:31:01 hostname pure-ftpd: (?@::1) [INFO] New connection from ::1
Dec 9 11:31:01 hostname pure-ftpd: (?@::1) [INFO] Logout.
Dec 9 11:32:01 hostname pure-ftpd: (?@::1) [INFO] New connection from ::1
Dec 9 11:32:01 hostname pure-ftpd: (?@::1) [INFO] Logout.
Dec 9 11:32:42 hostname mod_evasive[21759]: Blacklisting address 70.39.246.37: possible DoS attack.
--
Dec 9 12:57:01 hostname pure-ftpd: (?@::1) [INFO] Logout.
Dec 9 12:58:02 hostname pure-ftpd: (?@::1) [INFO] New connection from ::1
Dec 9 12:58:02 hostname pure-ftpd: (?@::1) [INFO] Logout.
Dec 9 12:59:01 hostname pure-ftpd: (?@::1) [INFO] New connection from ::1
Dec 9 12:59:01 hostname pure-ftpd: (?@::1) [INFO] Logout.
Dec 9 12:59:06 hostname mod_evasive[611]: Blacklisting address 72.105.13.158: possible DoS attack.

Should I be concerned? Suggestions on what I should do? Should I consider pushing FTP to a separate log file? As-is, messages is virtually unreadable.
This is not a DoS attack and nothing to be concerned about; it is the system check that tests whether pure-ftpd is working correctly.
It's checking once per minute, non-stop? Is there any way to limit logging of successful checks so that the log file isn't filled by it? I thought it was a bit odd there was no IP listed.
Yes. Otherwise it might recognize too late that a service is down. BTW, if this had been a DoS attack, you would have seen several connects per second. I don't think so; there is an IP listed. ::1 is the IPv6 equivalent of 127.0.0.1, aka localhost.
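The distinction the reply draws (one connection a minute from ::1 is a local health probe; many connections a second from one address is what a flood looks like) can be checked mechanically instead of by eyeballing /var/log/messages. The following is an added Python example, not code from this thread or from pure-ftpd, fail2ban or mod_evasive. It parses pure-ftpd syslog lines in the format shown above, counts "New connection" events per source address, and reports the peak connections-per-second and the shortest gap between connections for each source. The sample log is constructed for the example: it mirrors the once-a-minute ::1 probe from the question and adds a burst from 203.0.113.5, a documentation-range address standing in for a remote client; the burst threshold of 3 per second is an assumption, not a setting of any of those tools.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not the thread's real file): a once-a-minute
# localhost probe, a burst from a documentation-range address, and one
# unrelated sshd line that the pure-ftpd parser must ignore.
SAMPLE_LOG = """\
Dec 9 01:45:02 hostname pure-ftpd: (?@::1) [INFO] New connection from ::1
Dec 9 01:45:02 hostname pure-ftpd: (?@::1) [INFO] Logout.
Dec 9 01:46:01 hostname pure-ftpd: (?@::1) [INFO] New connection from ::1
Dec 9 01:46:01 hostname pure-ftpd: (?@::1) [INFO] Logout.
Dec 9 01:47:01 hostname pure-ftpd: (?@::1) [INFO] New connection from ::1
Dec 9 01:47:01 hostname pure-ftpd: (?@::1) [INFO] Logout.
Dec 9 01:47:30 hostname pure-ftpd: (?@203.0.113.5) [INFO] New connection from 203.0.113.5
Dec 9 01:47:30 hostname pure-ftpd: (?@203.0.113.5) [INFO] New connection from 203.0.113.5
Dec 9 01:47:30 hostname pure-ftpd: (?@203.0.113.5) [INFO] New connection from 203.0.113.5
Dec 9 01:47:30 hostname pure-ftpd: (?@203.0.113.5) [INFO] New connection from 203.0.113.5
Dec 9 01:47:31 hostname pure-ftpd: (?@203.0.113.5) [INFO] New connection from 203.0.113.5
Dec 9 01:47:31 hostname pure-ftpd: (?@203.0.113.5) [INFO] New connection from 203.0.113.5
Dec 9 01:47:31 hostname sshd[123]: Accepted publickey for alice from 198.51.100.7
"""

# syslog prefix, then pure-ftpd's "(user@host) [LEVEL] message" payload
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pure-ftpd: "
    r"\((?P<user>[^@]*)@(?P<src>[^)]+)\) \[(?P<level>\w+)\] (?P<msg>.*)$"
)

# Loopback sources: a local service monitor, not a remote client.
LOCAL_SOURCES = {"::1", "127.0.0.1"}


def parse_connections(text):
    """Yield (timestamp, source) for each pure-ftpd 'New connection' line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("msg").startswith("New connection"):
            continue
        mon, day, clock = m.group("ts").split()
        # syslog timestamps carry no year; 1900 is fine for relative gaps
        ts = datetime.strptime(f"{mon} {day} {clock}", "%b %d %H:%M:%S")
        yield ts, m.group("src")


def summarize(text, burst_threshold=3):
    """Per-source connection stats plus a coarse verdict.

    burst_threshold (connections within one second) is an assumed value for
    this example, not a pure-ftpd, fail2ban or mod_evasive setting.
    """
    per_source = defaultdict(list)
    for ts, src in parse_connections(text):
        per_source[src].append(ts)

    report = {}
    for src, stamps in per_source.items():
        stamps.sort()
        per_second = defaultdict(int)
        for ts in stamps:
            per_second[ts] += 1
        peak = max(per_second.values())
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        min_gap = min(gaps) if gaps else None

        if peak >= burst_threshold:
            verdict = "burst"          # many connects per second: worth a look
        elif src in LOCAL_SOURCES:
            verdict = "local-check"    # the once-a-minute monitor from the thread
        else:
            verdict = "normal"
        report[src] = {
            "connections": len(stamps),
            "peak_per_second": peak,
            "min_gap_s": min_gap,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for src, stats in summarize(SAMPLE_LOG).items():
        print(f"{src:15} {stats}")
```

Run against a real file with `summarize(open("/var/log/messages").read())`; the ::1 source will show a peak of one connection per second and gaps of about sixty seconds, which is the monitor's signature rather than an attack's. If fail2ban is watching the same log, its `ignoreip` setting is the place to list the loopback addresses so the monitor's own connections can never contribute to a ban.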