BFM Brute Force Monitor notifications - weird behaviour - same IP - diff attack

Tootle

Verified User
Joined
Sep 1, 2011
Messages
38
Has anyone noticed such behaviour:

I was notified of a first BF attempt (exim) "Brute-Force Attack detected in service log from IP(s) xxx.142.205.193"

I go to the DA web GUI -> BFM; it's all right, and the IP got banned by fail2ban, OK

but then, the next hour I got another BFM notification saying "Brute-Force Attack detected in service log from IP(s) xxx.142.205.193"

I think: Hell, what? The very same banned IP? I go to the DA web GUI -> BFM and what do I see? A proftpd BF attack from another IP

Code:
13736083210001	xxx.134.44.235	anonymous	1	proftpd1	Jul 12 07:51:48 server proftpd[32592]: xxx.116.4.48 (xxx.134.44.235[xxx.134.44.235]) - USER anonymous: no such user found from xxx.134.44.235 [xxx.134.44.235] to ::ffff:xxx.116.56.79:21
13736083210000	xxx.134.44.235	anonymous	1	proftpd1	Jul 12 07:45:13 server proftpd[32433]: xxx.116.52.25 (xxx.134.44.235[xxx.134.44.235]) - USER anonymous: no such user found from xxx.134.44.235 [xxx.134.44.235] to ::ffff:xxx.116.52.25:21
13736079610001	xxx.134.44.235	anonymous	1	proftpd1	Jul 12 07:45:13 server proftpd[32433]: xxx.116.52.25 (xxx.134.44.235[xxx.134.44.235]) - USER anonymous: no such user found from xxx.134.44.235 [xxx.134.44.235] to ::ffff:xxx.116.52.25:21
13736079610000	xxx.134.44.235	anonymous	1	proftpd1	Jul 12 07:20:44 server proftpd[31746]: xxx.116.4.48 (xxx.134.44.235[xxx.134.44.235]) - USER anonymous: no such user found from xxx.134.44.235 [xxx.134.44.235] to ::ffff:xxx.116.4.48:21
13736064610000	xxx.134.44.235	anonymous	1	proftpd1	Jul 12 07:20:44 server proftpd[31746]: xxx.116.4.48 (xxx.134.44.235[xxx.134.44.235]) - USER anonymous: no such user found from xxx.134.44.235 [xxx.134.44.235] to ::ffff:xxx.116.4.48:21
13736050810007	xxx.142.205.193	forwardtest456@duanirishmusic.com	1	exim2	2013-07-12 06:09:53 login authenticator failed for (ylmf-pc) [xxx.142.205.193]: 535 Incorrect authentication data (set_id=forwardtest456@duanirishmusic.com)
13736050810006	xxx.142.205.193	forwardtest456@duanirishmusic.com	1	exim2	2013-07-12 06:09:45 login authenticator failed for (ylmf-pc) [xxx.142.205.193]: 535 Incorrect authentication data (set_id=forwardtest456@duanirishmusic.com)
13736050810005	xxx.142.205.193	forwardtest456@duanirishmusic.com	1	exim2	2013-07-12 06:08:39 login authenticator failed for (ylmf-pc) [xxx.142.205.193]: 535 Incorrect authentication data (set_id=forwardtest456@duanirishmusic.com)
13736050810004	xxx.142.205.193	forwardtest456@duanirishmusic.com	1	exim2	2013-07-12 06:07:30 login authenticator failed for (ylmf-pc) [xxx.142.205.193]: 535 Incorrect authentication data (set_id=forwardtest456@duanirishmusic.com)
13736050810003	xxx.142.205.193	forwardtest456@duanirishmusic.com	1	exim2	2013-07-12 06:06:32 login authenticator failed for (ylmf-pc) [xxx.142.205.193]: 535 Incorrect authentication data (set_id=forwardtest456@duanirishmusic.com)
13736050810002	xxx.142.205.193	forwardtest456@duanirishmusic.com	1	exim2	2013-07-12 06:05:26 login authenticator failed for (ylmf-pc) [xxx.142.205.193]: 535 Incorrect authentication data (set_id=forwardtest456@duanirishmusic.com)
13736050810001	xxx.142.205.193	forwardtest456@duanirishmusic.com	1	exim2	2013-07-12 06:04:19 login authenticator failed for (ylmf-pc) [xxx.142.205.193]: 535 Incorrect authentication data (set_id=forwardtest456@duanirishmusic.com)
13736050810000	xxx.142.205.193	forwardtest456@duanirishmusic.com	1	exim2	2013-07-12 06:03:08 login authenticator failed for (ylmf-pc) [xxx.142.205.193]: 535 Incorrect authentication data (set_id=forwardtest456@duanirishmusic.com)
This happens from time to time, but so often that I've lost faith in these notifications.
 

Tootle

The correct notification was sent now, about 1h later, after another attempt from the same IP on FTP:
Code:
3736128210000	xxx.134.44.235	anonymous	1	proftpd1	Jul 12 09:04:48 server proftpd[32592]: xxx.116.4.48 (xxx.134.44.235[xxx.134.44.235]) - USER anonymous: no such user found from xxx.134.44.235 [xxx.134.44.235] to ::ffff:xxx.116.56.79:21
Brute-Force Attack detected in service log from IP(s) xxx.134.44.235

Summary: so the concept 'works', but I got 3 notification e-mails instead of 2; the one in the middle is a false notification (it has the IP from the previous BF attack).

What is more: the next BF attempt, which I ran as a test just now, sends the correct IP.

That's my test BF attempt:
Code:
13736129410001	xx.190.21.29	anonymous	1	proftpd1	Jul 12 09:08:08 server proftpd[2230]: xxx.116.4.48 (xx.190.21.29[xx.190.21.29]) - USER anonymous: no such user found from xx.190.21.29 [xx.190.21.29] to ::ffff:xxx.116.4.48:21
13736129410000	xx.190.21.29	anonymous	1	proftpd1	Jul 12 09:08:01 server proftpd[2228]: xxx.116.4.48 (xx.190.21.29[xx.190.21.29]) - USER anonymous: no such user found from xx.190.21.29 [xx.190.21.29] to ::ffff:xxx.116.4.48:21
13736128810003	xx.190.21.29	anonymous	1	proftpd1	Jul 12 09:07:58 server proftpd[2225]: xxx.116.4.48 (xx.190.21.29[xx.190.21.29]) - USER anonymous: no such user found from xx.190.21.29 [xx.190.21.29] to ::ffff:xxx.116.4.48:21
13736128810002	xx.190.21.29	anonymous	1	proftpd1	Jul 12 09:07:53 server proftpd[2224]: xxx.116.4.48 (xx.190.21.29[xx.190.21.29]) - USER anonymous: no such user found from xx.190.21.29 [xx.190.21.29] to ::ffff:xxx.116.4.48:21
13736128810001	xx.190.21.29	anonymous	1	proftpd1	Jul 12 09:07:36 server proftpd[2220]: xxx.116.4.48 (xx.190.21.29[xx.190.21.29]) - USER anonymous: no such user found from xx.190.21.29 [xx.190.21.29] to ::ffff:xxx.116.4.48:21
13736128810000	xx.190.21.29	anonymous	1	proftpd1	Jul 12 09:07:33 server proftpd[2219]: xxx.116.4.48 (xx.190.21.29[xx.190.21.29]) - USER anonymous: no such user found from xx.190.21.29 [xx.190.21.29] to ::ffff:xxx.116.4.48:21
And I got a DA notification e-mail with the proper IP:

Brute-Force Attack detected in service log from IP(s) xx.190.21.29 on User(s) anonymous
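An added example in Python (my code, not DirectAdmin's BFM and not posted by Tootle): it parses exim and proftpd failure lines of the two formats quoted in the posts above, aggregates failures per source IP, builds a notification in the same wording as the DA e-mails shown, and includes the consistency check the poster did by hand in the GUI, namely that every IP named in a notification must appear among the entries for that window. The log lines, the IP addresses (documentation ranges), the threshold of 5 failures and all function names are constructed for the example; the thread does not establish why the middle notification carried the previous attack's IP, so the example only shows how to detect that mismatch, not its cause.

```python
"""Parse exim/proftpd authentication-failure lines, aggregate them per source
IP and build a DirectAdmin-style brute-force notification, then verify that a
notification only names IPs present in the entries it is supposed to summarise.
Example code; not DirectAdmin's BFM implementation."""
import re
from collections import defaultdict
from typing import Iterable, List, NamedTuple, Optional


class Failure(NamedTuple):
    service: str
    ip: str
    user: str


# Patterns derived from the two log formats quoted in the thread.
EXIM_RE = re.compile(
    r"login authenticator failed for \([^)]*\) \[(?P<ip>[^\]]+)\]: "
    r"535 Incorrect authentication data \(set_id=(?P<user>[^)]*)\)"
)
# Only the "no such user found" variant appears on the page, so only it is parsed here.
PROFTPD_RE = re.compile(r"USER (?P<user>\S+): no such user found from (?P<ip>\S+) \[")

# Constructed sample lines (assumed data, documentation-range IPs), modelled on the posts.
SAMPLE_EXIM = [
    "2013-07-12 06:0%d:00 login authenticator failed for (ylmf-pc) [198.51.100.7]: "
    "535 Incorrect authentication data (set_id=forwardtest456@example.com)" % i
    for i in range(8)
]
SAMPLE_FTP = [
    "Jul 12 07:%02d:00 server proftpd[%d]: 192.0.2.10 (203.0.113.44[203.0.113.44]) - "
    "USER anonymous: no such user found from 203.0.113.44 [203.0.113.44] to ::ffff:192.0.2.10:21"
    % (20 + i, 31746 + i)
    for i in range(5)
]


def parse_line(line: str) -> Optional[Failure]:
    """Return a Failure for a recognised exim or proftpd auth-failure line, else None."""
    m = EXIM_RE.search(line)
    if m:
        return Failure("exim", m.group("ip"), m.group("user"))
    m = PROFTPD_RE.search(line)
    if m:
        return Failure("proftpd", m.group("ip"), m.group("user"))
    return None


def parse_lines(lines: Iterable[str]) -> List[Failure]:
    return [f for f in map(parse_line, lines) if f is not None]


def build_notification(failures: List[Failure], threshold: int = 5) -> Optional[str]:
    """Build the notification for IPs at or over *threshold* failures in this batch.

    The message is derived only from the failures handed in, so it cannot name an
    IP that was seen in an earlier window. Threshold 5 is an assumed value.
    """
    counts = defaultdict(int)
    users = defaultdict(set)
    for f in failures:
        counts[f.ip] += 1
        users[f.ip].add(f.user)
    offenders = sorted(ip for ip, n in counts.items() if n >= threshold)
    if not offenders:
        return None
    user_list = sorted({u for ip in offenders for u in users[ip]})
    return "Brute-Force Attack detected in service log from IP(s) %s on User(s) %s" % (
        ", ".join(offenders), ", ".join(user_list))


# Accepts both message shapes seen in the thread: with and without the "on User(s)" suffix.
NOTIFY_RE = re.compile(r"from IP\(s\) (?P<ips>.+?)(?: on User\(s\) .*)?$")


def notification_matches_entries(message: str, failures: List[Failure]) -> bool:
    """The check the poster did by hand: every IP named in the notification must
    appear in the entries recorded for the same window. False means a stale or
    mismatched notification like the middle e-mail in the thread."""
    m = NOTIFY_RE.search(message)
    if not m:
        return False
    named = {ip.strip() for ip in m.group("ips").split(",")}
    seen = {f.ip for f in failures}
    return named <= seen


if __name__ == "__main__":
    ftp_failures = parse_lines(SAMPLE_FTP)
    print(build_notification(parse_lines(SAMPLE_EXIM)))
    print(build_notification(ftp_failures))
    # A notification carrying the previous hour's exim IP, checked against the FTP entries:
    stale = "Brute-Force Attack detected in service log from IP(s) 198.51.100.7"
    print("stale notification consistent:", notification_matches_entries(stale, ftp_failures))
```

Run as a script it prints the two notifications and `stale notification consistent: False`; in practice the check would be fed the entries from the same reporting window as the e-mail, which is exactly the comparison the poster made in the BFM page.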
 