Tootle
Verified User
- Joined
- Sep 1, 2011
- Messages
- 39
Has anyone noticed this behaviour:
I was notified of a first BF attempt (exim): "Brute-Force Attack detected in service log from IP(s) xxx.142.205.193"
I go to the DA webgui->BFM, it's all right, and it got banned by fail2ban, OK.
But then, the next hour, I got another BFM notification saying "Brute-Force Attack detected in service log from IP(s) xxx.142.205.193"
I think: Hell, what? The very same banned IP? I go to the DA webgui->BFM and what do I see? A proftpd BF attack from another IP.
Code:
13736083210001 xxx.134.44.235 anonymous 1 proftpd1 Jul 12 07:51:48 server proftpd[32592]: xxx.116.4.48 (xxx.134.44.235[xxx.134.44.235]) - USER anonymous: no such user found from xxx.134.44.235 [xxx.134.44.235] to ::ffff:xxx.116.56.79:21
13736083210000 xxx.134.44.235 anonymous 1 proftpd1 Jul 12 07:45:13 server proftpd[32433]: xxx.116.52.25 (xxx.134.44.235[xxx.134.44.235]) - USER anonymous: no such user found from xxx.134.44.235 [xxx.134.44.235] to ::ffff:xxx.116.52.25:21
13736079610001 xxx.134.44.235 anonymous 1 proftpd1 Jul 12 07:45:13 server proftpd[32433]: xxx.116.52.25 (xxx.134.44.235[xxx.134.44.235]) - USER anonymous: no such user found from xxx.134.44.235 [xxx.134.44.235] to ::ffff:xxx.116.52.25:21
13736079610000 xxx.134.44.235 anonymous 1 proftpd1 Jul 12 07:20:44 server proftpd[31746]: xxx.116.4.48 (xxx.134.44.235[xxx.134.44.235]) - USER anonymous: no such user found from xxx.134.44.235 [xxx.134.44.235] to ::ffff:xxx.116.4.48:21
13736064610000 xxx.134.44.235 anonymous 1 proftpd1 Jul 12 07:20:44 server proftpd[31746]: xxx.116.4.48 (xxx.134.44.235[xxx.134.44.235]) - USER anonymous: no such user found from xxx.134.44.235 [xxx.134.44.235] to ::ffff:xxx.116.4.48:21
13736050810007 xxx.142.205.193 [email protected] 1 exim2 2013-07-12 06:09:53 login authenticator failed for (ylmf-pc) [xxx.142.205.193]: 535 Incorrect authentication data ([email protected])
13736050810006 xxx.142.205.193 [email protected] 1 exim2 2013-07-12 06:09:45 login authenticator failed for (ylmf-pc) [xxx.142.205.193]: 535 Incorrect authentication data ([email protected])
13736050810005 xxx.142.205.193 [email protected] 1 exim2 2013-07-12 06:08:39 login authenticator failed for (ylmf-pc) [xxx.142.205.193]: 535 Incorrect authentication data ([email protected])
13736050810004 xxx.142.205.193 [email protected] 1 exim2 2013-07-12 06:07:30 login authenticator failed for (ylmf-pc) [xxx.142.205.193]: 535 Incorrect authentication data ([email protected])
13736050810003 xxx.142.205.193 [email protected] 1 exim2 2013-07-12 06:06:32 login authenticator failed for (ylmf-pc) [xxx.142.205.193]: 535 Incorrect authentication data ([email protected])
13736050810002 xxx.142.205.193 [email protected] 1 exim2 2013-07-12 06:05:26 login authenticator failed for (ylmf-pc) [xxx.142.205.193]: 535 Incorrect authentication data ([email protected])
13736050810001 xxx.142.205.193 [email protected] 1 exim2 2013-07-12 06:04:19 login authenticator failed for (ylmf-pc) [xxx.142.205.193]: 535 Incorrect authentication data ([email protected])
13736050810000 xxx.142.205.193 [email protected] 1 exim2 2013-07-12 06:03:08 login authenticator failed for (ylmf-pc) [xxx.142.205.193]: 535 Incorrect authentication data ([email protected])
This happens from time to time but so often that I lost faith in this notification.
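
An added example, not part of the original post: a way to group BFM entries by scan and list which IPs and services each scan actually recorded, so a notification can be compared against the entries behind it, and to spot raw log lines stored under more than one entry id (as the 07:45:13 and 07:20:44 proftpd lines are in the listing above). It assumes the entry id is a 10-digit scan epoch followed by a 4-digit sequence number, which is inferred from the listing; the sample lines, documentation IPs and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed layout of one BFM entry, inferred from the listing in the post:
# <10-digit scan epoch><4-digit sequence> <ip> <user> <count> <filter> <raw log line>
ENTRY = re.compile(r"^(\d{10})(\d{4}) (\S+) (\S+) (\d+) (\S+) (.+)$")

# Constructed sample data (documentation IPs), shaped like the entries in the post.
SAMPLE = """\
13736083210001 198.51.100.7 anonymous 1 proftpd1 Jul 12 07:51:48 server proftpd[32592]: USER anonymous: no such user found
13736083210000 198.51.100.7 anonymous 1 proftpd1 Jul 12 07:45:13 server proftpd[32433]: USER anonymous: no such user found
13736079610001 198.51.100.7 anonymous 1 proftpd1 Jul 12 07:45:13 server proftpd[32433]: USER anonymous: no such user found
13736050810001 192.0.2.193 info 1 exim2 2013-07-12 06:04:19 login authenticator failed: 535 Incorrect authentication data
13736050810000 192.0.2.193 info 1 exim2 2013-07-12 06:03:08 login authenticator failed: 535 Incorrect authentication data
"""

def parse(text):
    """Return one dict per well-formed entry; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            scan, _seq, ip, user, _count, filt, raw = m.groups()
            entries.append({"scan": int(scan), "ip": ip, "user": user,
                            "filter": filt, "raw": raw})
    return entries

def sources_per_scan(entries):
    """Map each scan epoch to the set of (ip, filter) pairs recorded in it."""
    scans = defaultdict(set)
    for e in entries:
        scans[e["scan"]].add((e["ip"], e["filter"]))
    return dict(scans)

def mismatched_scans(entries, notified_ip, since):
    """Scans at or after `since` that contain no entry for the notified IP."""
    return sorted(s for s, src in sources_per_scan(entries).items()
                  if s >= since and notified_ip not in {ip for ip, _ in src})

def repeated_raw_lines(entries):
    """Raw log lines that were recorded under more than one scan epoch."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["raw"]].add(e["scan"])
    return {raw: sorted(s) for raw, s in seen.items() if len(s) > 1}

if __name__ == "__main__":
    parsed = parse(SAMPLE)
    print(mismatched_scans(parsed, "192.0.2.193", since=1373607961))
    print(repeated_raw_lines(parsed))
```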