BFM Brute Force Monitor notifications - weird behaviour - same IP - diff attack

Tootle (Verified User, joined Sep 1, 2011, 39 messages)
Has anyone noticed such behaviour:

I was notified of a first BF attempt (exim) "Brute-Force Attack detected in service log from IP(s) xxx.142.205.193"

I go to the DA web GUI -> BFM, it's all right, and it got banned by fail2ban, OK.

But then, the next hour, I got another BFM notification saying "Brute-Force Attack detected in service log from IP(s) xxx.142.205.193"

I think: Hell, what? The very same banned IP? I go to the DA web GUI -> BFM, and what do I see? A proftpd BF attack from another IP:

Code:
13736083210001	xxx.134.44.235	anonymous	1	proftpd1	Jul 12 07:51:48 server proftpd[32592]: xxx.116.4.48 (xxx.134.44.235[xxx.134.44.235]) - USER anonymous: no such user found from xxx.134.44.235 [xxx.134.44.235] to ::ffff:xxx.116.56.79:21
13736083210000	xxx.134.44.235	anonymous	1	proftpd1	Jul 12 07:45:13 server proftpd[32433]: xxx.116.52.25 (xxx.134.44.235[xxx.134.44.235]) - USER anonymous: no such user found from xxx.134.44.235 [xxx.134.44.235] to ::ffff:xxx.116.52.25:21
13736079610001	xxx.134.44.235	anonymous	1	proftpd1	Jul 12 07:45:13 server proftpd[32433]: xxx.116.52.25 (xxx.134.44.235[xxx.134.44.235]) - USER anonymous: no such user found from xxx.134.44.235 [xxx.134.44.235] to ::ffff:xxx.116.52.25:21
13736079610000	xxx.134.44.235	anonymous	1	proftpd1	Jul 12 07:20:44 server proftpd[31746]: xxx.116.4.48 (xxx.134.44.235[xxx.134.44.235]) - USER anonymous: no such user found from xxx.134.44.235 [xxx.134.44.235] to ::ffff:xxx.116.4.48:21
13736064610000	xxx.134.44.235	anonymous	1	proftpd1	Jul 12 07:20:44 server proftpd[31746]: xxx.116.4.48 (xxx.134.44.235[xxx.134.44.235]) - USER anonymous: no such user found from xxx.134.44.235 [xxx.134.44.235] to ::ffff:xxx.116.4.48:21
13736050810007	xxx.142.205.193	[email protected]	1	exim2	2013-07-12 06:09:53 login authenticator failed for (ylmf-pc) [xxx.142.205.193]: 535 Incorrect authentication data ([email protected])
13736050810006	xxx.142.205.193	[email protected]	1	exim2	2013-07-12 06:09:45 login authenticator failed for (ylmf-pc) [xxx.142.205.193]: 535 Incorrect authentication data ([email protected])
13736050810005	xxx.142.205.193	[email protected]	1	exim2	2013-07-12 06:08:39 login authenticator failed for (ylmf-pc) [xxx.142.205.193]: 535 Incorrect authentication data ([email protected])
13736050810004	xxx.142.205.193	[email protected]	1	exim2	2013-07-12 06:07:30 login authenticator failed for (ylmf-pc) [xxx.142.205.193]: 535 Incorrect authentication data ([email protected])
13736050810003	xxx.142.205.193	[email protected]	1	exim2	2013-07-12 06:06:32 login authenticator failed for (ylmf-pc) [xxx.142.205.193]: 535 Incorrect authentication data ([email protected])
13736050810002	xxx.142.205.193	[email protected]	1	exim2	2013-07-12 06:05:26 login authenticator failed for (ylmf-pc) [xxx.142.205.193]: 535 Incorrect authentication data ([email protected])
13736050810001	xxx.142.205.193	[email protected]	1	exim2	2013-07-12 06:04:19 login authenticator failed for (ylmf-pc) [xxx.142.205.193]: 535 Incorrect authentication data ([email protected])
13736050810000	xxx.142.205.193	[email protected]	1	exim2	2013-07-12 06:03:08 login authenticator failed for (ylmf-pc) [xxx.142.205.193]: 535 Incorrect authentication data ([email protected])

This happens from time to time, but often enough that I have lost faith in this notification.
 
The correct notification was sent now, about 1h later, after another attempt from the same IP on FTP:
Code:
3736128210000	xxx.134.44.235	anonymous	1	proftpd1	Jul 12 09:04:48 server proftpd[32592]: xxx.116.4.48 (xxx.134.44.235[xxx.134.44.235]) - USER anonymous: no such user found from xxx.134.44.235 [xxx.134.44.235] to ::ffff:xxx.116.56.79:21
Brute-Force Attack detected in service log from IP(s) xxx.134.44.235

Summary: so the concept 'works', but I got 3 notification e-mails instead of 2; the one in the middle is a false notification (which carries the IP from the previous BF attack).

What is more: the next BF attempt, which I ran now as a test, sends the correct IP.

That's my test BF attempt:
Code:
13736129410001	xx.190.21.29	anonymous	1	proftpd1	Jul 12 09:08:08 server proftpd[2230]: xxx.116.4.48 (xx.190.21.29[xx.190.21.29]) - USER anonymous: no such user found from xx.190.21.29 [xx.190.21.29] to ::ffff:xxx.116.4.48:21
13736129410000	xx.190.21.29	anonymous	1	proftpd1	Jul 12 09:08:01 server proftpd[2228]: xxx.116.4.48 (xx.190.21.29[xx.190.21.29]) - USER anonymous: no such user found from xx.190.21.29 [xx.190.21.29] to ::ffff:xxx.116.4.48:21
13736128810003	xx.190.21.29	anonymous	1	proftpd1	Jul 12 09:07:58 server proftpd[2225]: xxx.116.4.48 (xx.190.21.29[xx.190.21.29]) - USER anonymous: no such user found from xx.190.21.29 [xx.190.21.29] to ::ffff:xxx.116.4.48:21
13736128810002	xx.190.21.29	anonymous	1	proftpd1	Jul 12 09:07:53 server proftpd[2224]: xxx.116.4.48 (xx.190.21.29[xx.190.21.29]) - USER anonymous: no such user found from xx.190.21.29 [xx.190.21.29] to ::ffff:xxx.116.4.48:21
13736128810001	xx.190.21.29	anonymous	1	proftpd1	Jul 12 09:07:36 server proftpd[2220]: xxx.116.4.48 (xx.190.21.29[xx.190.21.29]) - USER anonymous: no such user found from xx.190.21.29 [xx.190.21.29] to ::ffff:xxx.116.4.48:21
13736128810000	xx.190.21.29	anonymous	1	proftpd1	Jul 12 09:07:33 server proftpd[2219]: xxx.116.4.48 (xx.190.21.29[xx.190.21.29]) - USER anonymous: no such user found from xx.190.21.29 [xx.190.21.29] to ::ffff:xxx.116.4.48:21

And I got a DA notification e-mail with the proper IP:

Brute-Force Attack detected in service log from IP(s) xx.190.21.29 on User(s) anonymous
 
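To make the expected behaviour concrete, here is an added example (not DirectAdmin's Brute Force Monitor code and not posted by the thread's author) of the detection logic the post describes, run over the two log formats quoted above: exim "login authenticator failed" lines and proftpd "USER ...: no such user found" lines. It counts failures per (service, IP) in a sliding window and builds each notification only from the entries that tripped the threshold, so a new proftpd burst can never be reported under the IP of an earlier, already-banned exim attacker. The threshold (5) and window (3600 s) are assumptions, not BFM's real settings, and the sample log lines are constructed with RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Patterns for the two log formats quoted in the thread (exim and proftpd).
EXIM_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) login authenticator failed for "
    r"\([^)]*\) \[(?P<ip>[0-9a-fA-F.:]+)\]: 535 Incorrect authentication data \((?P<user>[^)]*)\)"
)
PROFTPD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ proftpd\[\d+\]: \S+ "
    r"\((?P<ip>[0-9a-fA-F.:]+)\[[^\]]*\]\) - USER (?P<user>\S+): no such user found"
)


def parse_line(line, year):
    """Return (timestamp, service, client_ip, user) or None for lines that are not auth failures.

    proftpd's syslog timestamp has no year, so the caller supplies it (assumption: one year).
    """
    m = EXIM_RE.match(line)
    if m:
        return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "exim", m["ip"], m["user"]
    m = PROFTPD_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return ts, "proftpd", m["ip"], m["user"]
    return None


def detect(lines, year=2013, threshold=5, window_seconds=3600):
    """Sliding-window brute-force detector.

    Returns a list of (timestamp, service, message). Each message is built from
    the (service, ip) bucket that crossed the threshold, never from state left
    over by a previous attacker, which is the behaviour the post expects.
    Threshold and window are hypothetical values, not BFM's defaults.
    """
    events = [e for e in (parse_line(l, year) for l in lines) if e]
    events.sort()  # timestamps first, so interleaved services are processed in order
    recent = defaultdict(deque)  # (service, ip) -> failure timestamps inside the window
    users = defaultdict(set)     # (service, ip) -> usernames tried in the current burst
    alerts = []
    for ts, service, ip, user in events:
        key = (service, ip)
        q = recent[key]
        q.append(ts)
        users[key].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:  # expire old failures
            q.popleft()
        if len(q) < threshold:
            continue
        msg = "Brute-Force Attack detected in service log from IP(s) %s on User(s) %s" % (
            ip, ", ".join(sorted(users[key])))
        alerts.append((ts, service, msg))
        q.clear()           # start a fresh count; the IP is expected to be banned now
        users[key].clear()
    return alerts


# Constructed sample log: an exim burst from one IP, then a proftpd burst from another,
# then a lone proftpd retry, plus one unrelated line. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2013-07-12 06:03:08 login authenticator failed for (ylmf-pc) [203.0.113.7]: 535 Incorrect authentication data (user@example.com)
2013-07-12 06:04:19 login authenticator failed for (ylmf-pc) [203.0.113.7]: 535 Incorrect authentication data (user@example.com)
2013-07-12 06:05:26 login authenticator failed for (ylmf-pc) [203.0.113.7]: 535 Incorrect authentication data (user@example.com)
2013-07-12 06:06:32 login authenticator failed for (ylmf-pc) [203.0.113.7]: 535 Incorrect authentication data (user@example.com)
2013-07-12 06:07:30 login authenticator failed for (ylmf-pc) [203.0.113.7]: 535 Incorrect authentication data (user@example.com)
2013-07-12 06:08:39 login authenticator failed for (ylmf-pc) [203.0.113.7]: 535 Incorrect authentication data (user@example.com)
2013-07-12 06:09:45 login authenticator failed for (ylmf-pc) [203.0.113.7]: 535 Incorrect authentication data (user@example.com)
2013-07-12 06:09:53 login authenticator failed for (ylmf-pc) [203.0.113.7]: 535 Incorrect authentication data (user@example.com)
Jul 12 07:20:44 server proftpd[31746]: 192.0.2.10 (198.51.100.23[198.51.100.23]) - USER anonymous: no such user found from 198.51.100.23 [198.51.100.23] to ::ffff:192.0.2.10:21
Jul 12 07:31:02 server proftpd[31990]: 192.0.2.10 (198.51.100.23[198.51.100.23]) - USER anonymous: no such user found from 198.51.100.23 [198.51.100.23] to ::ffff:192.0.2.10:21
Jul 12 07:45:13 server proftpd[32433]: 192.0.2.10 (198.51.100.23[198.51.100.23]) - USER anonymous: no such user found from 198.51.100.23 [198.51.100.23] to ::ffff:192.0.2.10:21
Jul 12 07:51:48 server proftpd[32592]: 192.0.2.10 (198.51.100.23[198.51.100.23]) - USER anonymous: no such user found from 198.51.100.23 [198.51.100.23] to ::ffff:192.0.2.10:21
Jul 12 07:58:30 server proftpd[32710]: 192.0.2.10 (198.51.100.23[198.51.100.23]) - USER anonymous: no such user found from 198.51.100.23 [198.51.100.23] to ::ffff:192.0.2.10:21
Jul 12 08:10:00 server proftpd[32800]: 192.0.2.10 (198.51.100.23[198.51.100.23]) - FTP session opened.
Jul 12 09:04:48 server proftpd[2230]: 192.0.2.10 (198.51.100.23[198.51.100.23]) - USER anonymous: no such user found from 198.51.100.23 [198.51.100.23] to ::ffff:192.0.2.10:21
"""

if __name__ == "__main__":
    for ts, service, msg in detect(SAMPLE_LOG.splitlines()):
        print(ts, service, msg)
```

Running it yields exactly two notifications: one for exim naming 203.0.113.7 and one for proftpd naming 198.51.100.23. The final lone proftpd retry at 09:04:48 produces nothing because the counter was reset after the alert, which matches the post's expectation of 2 e-mails rather than 3.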