Suspicious pure-ftpd connection attempts


doc_denis
28/04/2014, 17h37
Hello,
...someone has to be the first to answer you.
Your fail2ban is behaving strangely: if it is configured correctly it should have acted on this attack; in this case it goes on for 2 minutes and... nothing.

A few leads just in case (you may have seen them already):
http://www.howtoforge.com/forums/showthread.php?t=40177
http://ubuntuforums.org/showthread.php?t=1326636

I searched for leads with "fail2ban pure-ftpd"; you may need to add the name of your distro to that search to get closer to the answer.
See you

marl
28/04/2014, 15h21
Hello everyone,

In the logs, I see hundreds of lines:

Code:
Apr 28 14:22:06 server1 pure-ftpd: (?@213.232.94.134) [INFO] New connection from 213.232.94.134
Apr 28 14:22:06 server1 pure-ftpd: (?@213.232.94.134) [INFO] PAM_RHOST enabled. Getting the peer address
Apr 28 14:22:14 server1 pure-ftpd: (?@213.232.94.134) [WARNING] Authentication failed for user [info]
Apr 28 14:22:14 server1 pure-ftpd: (?@213.232.94.134) [INFO] Logout.
Apr 28 14:22:14 server1 pure-ftpd: (?@213.232.94.134) [INFO] New connection from 213.232.94.134
Apr 28 14:22:14 server1 pure-ftpd: (?@213.232.94.134) [INFO] PAM_RHOST enabled. Getting the peer address
Apr 28 14:22:20 server1 pure-ftpd: (?@213.232.94.134) [WARNING] Authentication failed for user [sales]
Apr 28 14:22:20 server1 pure-ftpd: (?@213.232.94.134) [INFO] Logout.
Apr 28 14:22:20 server1 pure-ftpd: (?@213.232.94.134) [INFO] New connection from 213.232.94.134
Apr 28 14:22:20 server1 pure-ftpd: (?@213.232.94.134) [INFO] PAM_RHOST enabled. Getting the peer address
Apr 28 14:22:26 server1 pure-ftpd: (?@213.232.94.134) [WARNING] Authentication failed for user [e-premium-load]
Apr 28 14:22:26 server1 pure-ftpd: (?@213.232.94.134) [INFO] Logout.
Apr 28 14:22:26 server1 pure-ftpd: (?@213.232.94.134) [INFO] New connection from 213.232.94.134
Apr 28 14:22:26 server1 pure-ftpd: (?@213.232.94.134) [INFO] PAM_RHOST enabled. Getting the peer address
Apr 28 14:22:34 server1 pure-ftpd: (?@213.232.94.134) [WARNING] Authentication failed for user [e-premium-load.biz]
Apr 28 14:22:34 server1 pure-ftpd: (?@213.232.94.134) [INFO] Logout.
Apr 28 14:22:34 server1 pure-ftpd: (?@213.232.94.134) [INFO] New connection from 213.232.94.134
Apr 28 14:22:34 server1 pure-ftpd: (?@213.232.94.134) [INFO] PAM_RHOST enabled. Getting the peer address
Apr 28 14:22:41 server1 pure-ftpd: (?@213.232.94.134) [WARNING] Authentication failed for user [admin]
Apr 28 14:22:43 server1 pure-ftpd: (?@213.232.94.134) [INFO] New connection from 213.232.94.134
Apr 28 14:22:43 server1 pure-ftpd: (?@213.232.94.134) [INFO] Logout.
Apr 28 14:22:43 server1 pure-ftpd: (?@213.232.94.134) [INFO] PAM_RHOST enabled. Getting the peer address
Apr 28 14:22:50 server1 pure-ftpd: (?@213.232.94.134) [WARNING] Authentication failed for user [root]
Apr 28 14:22:50 server1 pure-ftpd: (?@213.232.94.134) [INFO] Logout.
Apr 28 14:22:50 server1 pure-ftpd: (?@213.232.94.134) [INFO] New connection from 213.232.94.134
Apr 28 14:22:50 server1 pure-ftpd: (?@213.232.94.134) [INFO] PAM_RHOST enabled. Getting the peer address
Apr 28 14:22:57 server1 pure-ftpd: (?@213.232.94.134) [WARNING] Authentication failed for user [administrator]
Apr 28 14:22:57 server1 pure-ftpd: (?@213.232.94.134) [INFO] Logout.
Apr 28 14:22:57 server1 pure-ftpd: (?@213.232.94.134) [INFO] New connection from 213.232.94.134
Apr 28 14:22:57 server1 pure-ftpd: (?@213.232.94.134) [INFO] PAM_RHOST enabled. Getting the peer address
Apr 28 14:23:04 server1 pure-ftpd: (?@213.232.94.134) [WARNING] Authentication failed for user [Oracle]
Apr 28 14:23:05 server1 pure-ftpd: (?@213.232.94.134) [INFO] Logout.
Apr 28 14:23:05 server1 pure-ftpd: (?@213.232.94.134) [INFO] New connection from 213.232.94.134
Apr 28 14:23:05 server1 pure-ftpd: (?@213.232.94.134) [INFO] PAM_RHOST enabled. Getting the peer address
Apr 28 14:23:10 server1 pure-ftpd: (?@213.232.94.134) [WARNING] Authentication failed for user [user]
Apr 28 14:23:10 server1 pure-ftpd: (?@213.232.94.134) [INFO] Logout.
Apr 28 14:23:10 server1 pure-ftpd: (?@213.232.94.134) [INFO] New connection from 213.232.94.134
Apr 28 14:23:10 server1 pure-ftpd: (?@213.232.94.134) [INFO] PAM_RHOST enabled. Getting the peer address
Apr 28 14:23:17 server1 pure-ftpd: (?@213.232.94.134) [WARNING] Authentication failed for user [test]
Apr 28 14:23:17 server1 pure-ftpd: (?@213.232.94.134) [INFO] Logout.
Apr 28 14:23:17 server1 pure-ftpd: (?@213.232.94.134) [INFO] New connection from 213.232.94.134
Apr 28 14:23:17 server1 pure-ftpd: (?@213.232.94.134) [INFO] PAM_RHOST enabled. Getting the peer address
Apr 28 14:23:23 server1 pure-ftpd: (?@213.232.94.134) [WARNING] Authentication failed for user [info]
Apr 28 14:23:23 server1 pure-ftpd: (?@213.232.94.134) [INFO] Logout.
Apr 28 14:23:23 server1 pure-ftpd: (?@213.232.94.134) [INFO] New connection from 213.232.94.134
Apr 28 14:23:23 server1 pure-ftpd: (?@213.232.94.134) [INFO] PAM_RHOST enabled. Getting the peer address
Apr 28 14:23:30 server1 pure-ftpd: (?@213.232.94.134) [WARNING] Authentication failed for user [sales]
Apr 28 14:23:30 server1 pure-ftpd: (?@213.232.94.134) [INFO] Logout.
Apr 28 14:23:30 server1 pure-ftpd: (?@213.232.94.134) [INFO] New connection from 213.232.94.134
Apr 28 14:23:30 server1 pure-ftpd: (?@213.232.94.134) [INFO] PAM_RHOST enabled. Getting the peer address
Apr 28 14:23:37 server1 pure-ftpd: (?@213.232.94.134) [WARNING] Authentication failed for user [e-premium-load]
Apr 28 14:23:37 server1 pure-ftpd: (?@213.232.94.134) [INFO] Logout.
Apr 28 14:23:37 server1 pure-ftpd: (?@213.232.94.134) [INFO] New connection from 213.232.94.134
Apr 28 14:23:37 server1 pure-ftpd: (?@213.232.94.134) [INFO] PAM_RHOST enabled. Getting the peer address
Apr 28 14:23:42 server1 pure-ftpd: (?@213.232.94.134) [WARNING] Authentication failed for user [e-premium-load.biz]
Apr 28 14:23:43 server1 pure-ftpd: (?@213.232.94.134) [INFO] Logout.
Apr 28 14:23:43 server1 pure-ftpd: (?@213.232.94.134) [INFO] New connection from 213.232.94.134
Apr 28 14:23:43 server1 pure-ftpd: (?@213.232.94.134) [INFO] PAM_RHOST enabled. Getting the peer address
Apr 28 14:23:49 server1 pure-ftpd: (?@213.232.94.134) [WARNING] Authentication failed for user [admin]
Apr 28 14:23:49 server1 pure-ftpd: (?@213.232.94.134) [INFO] Logout.
Apr 28 14:23:49 server1 pure-ftpd: (?@213.232.94.134) [INFO] New connection from 213.232.94.134
Apr 28 14:23:49 server1 pure-ftpd: (?@213.232.94.134) [INFO] PAM_RHOST enabled. Getting the peer address
Apr 28 14:23:55 server1 pure-ftpd: (?@213.232.94.134) [WARNING] Authentication failed for user [root]
Apr 28 14:23:55 server1 pure-ftpd: (?@213.232.94.134) [INFO] Logout.
What do you think?

At the next fail2ban scan, I think the IP will be jailed... the problem is that in the meantime my VPS crashed, and I don't know whether that's a coincidence. The memory was saturated, and I had to reboot the VM!

Thanks for your input...
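
To check by hand whether a log like the one posted above should have crossed a ban threshold, the failures can be counted per source address in a sliding window. This is an added example, not part of either post and not fail2ban's own code: the regex is written for the line format shown in the log, the `maxretry`/`findtime` values are assumptions named after fail2ban's options, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Written for the pure-ftpd syslog line format shown in the post.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pure-ftpd: "
    r"\(.+?@(?P<host>[0-9A-Fa-f.:]+)\) \[WARNING\] "
    r"Authentication failed for user \[(?P<user>.*)\]\s*$"
)

def threshold_hits(lines, maxretry=5, findtime=600, year=2014):
    """Map each host to (time it first has maxretry failures within
    findtime seconds, user names tried up to that point)."""
    recent = defaultdict(deque)  # host -> failure times still in the window
    users = defaultdict(list)
    hits = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if m is None:  # INFO lines (New connection, Logout, ...) are skipped
            continue
        # Syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        host = m["host"]
        q = recent[host]
        q.append(ts)
        users[host].append(m["user"])
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # drop failures older than the window
        if len(q) >= maxretry and host not in hits:
            hits[host] = (ts, list(users[host]))
    return hits

def _line(t, host, msg):
    return f"Apr 28 {t} server1 pure-ftpd: (?@{host}) {msg}"

# Constructed sample lines; the addresses are documentation ranges.
SAMPLE = []
for t, user in [("14:22:14", "info"), ("14:22:20", "sales"),
                ("14:22:26", "admin"), ("14:22:34", "root"),
                ("14:22:41", "test")]:
    SAMPLE.append(_line(t, "203.0.113.7", "[INFO] New connection from 203.0.113.7"))
    SAMPLE.append(_line(t, "203.0.113.7",
                        f"[WARNING] Authentication failed for user [{user}]"))
SAMPLE.append(_line("14:25:00", "198.51.100.9",
                    "[WARNING] Authentication failed for user [bob]"))

if __name__ == "__main__":
    for host, (when, tried) in threshold_hits(SAMPLE).items():
        print(host, "reaches the threshold at", when.time(), "after", tried)
```

If the real log reaches the threshold here but the jail stays empty, the places to look are the jail's log path and whether its filter regex matches these lines.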