ProFTPd log very active!

manny2008 · Feb 25, 2006

Hi, here is just a few lines of the ProFTPd log file. Should I block this IP 84.170.202.68, how can I do it!

ProFTPd [26998] 84.170.202.68 [25/Feb/2006:14:11:45 -0800] "PASS (hidden)" 230
ProFTPd [26999] 84.170.202.68 [25/Feb/2006:14:11:45 -0800] "PASS (hidden)" 230
ProFTPd [26997] 84.170.202.68 [25/Feb/2006:14:11:45 -0800] "PASS (hidden)" 230
ProFTPd [27000] 84.170.202.68 [25/Feb/2006:14:11:48 -0800] "USER anonymous" 331
ProFTPd [27001] 84.170.202.68 [25/Feb/2006:14:11:48 -0800] "USER anonymous" 331
ProFTPd [27002] 84.170.202.68 [25/Feb/2006:14:11:48 -0800] "USER anonymous" 331
ProFTPd [27003] 84.170.202.68 [25/Feb/2006:14:11:48 -0800] "USER anonymous" 331
ProFTPd [27000] 84.170.202.68 [25/Feb/2006:14:11:49 -0800] "PASS (hidden)" 230
ProFTPd [27001] 84.170.202.68 [25/Feb/2006:14:11:49 -0800] "PASS (hidden)" 230
ProFTPd [27002] 84.170.202.68 [25/Feb/2006:14:11:49 -0800] "PASS (hidden)" 230
ProFTPd [27003] 84.170.202.68 [25/Feb/2006:14:11:49 -0800] "PASS (hidden)" 230
ProFTPd [27004] 84.170.202.68 [25/Feb/2006:14:11:51 -0800] "USER anonymous" 331
ProFTPd [27005] 84.170.202.68 [25/Feb/2006:14:11:51 -0800] "USER anonymous" 331
ProFTPd [27006] 84.170.202.68 [25/Feb/2006:14:11:51 -0800] "USER anonymous" 331
ProFTPd [27007] 84.170.202.68 [25/Feb/2006:14:11:51 -0800] "USER anonymous" 331
ProFTPd [27004] 84.170.202.68 [25/Feb/2006:14:11:52 -0800] "PASS (hidden)" 230
ProFTPd [27005] 84.170.202.68 [25/Feb/2006:14:11:52 -0800] "PASS (hidden)" 230
ProFTPd [27006] 84.170.202.68 [25/Feb/2006:14:11:52 -0800] "PASS (hidden)" 230
ProFTPd [27007] 84.170.202.68 [25/Feb/2006:14:11:52 -0800] "PASS (hidden)" 230
ProFTPd [27008] 84.170.202.68 [25/Feb/2006:14:11:54 -0800] "USER anonymous" 331
ProFTPd [27009] 84.170.202.68 [25/Feb/2006:14:11:54 -0800] "USER anonymous" 331
ProFTPd [27010] 84.170.202.68 [25/Feb/2006:14:11:54 -0800] "USER anonymous" 331
ProFTPd [27011] 84.170.202.68 [25/Feb/2006:14:11:54 -0800] "USER anonymous" 331
ProFTPd [27008] 84.170.202.68 [25/Feb/2006:14:11:55 -0800] "PASS (hidden)" 230

nobaloney · Feb 25, 2006

Usually one machine tries for a while, then another machine tries.

If you see the same IP# trying over and over again, put the IP# into your /etc/hosts.deny file and restart proftpd.

Jeff

cybercavern · Apr 19, 2006

I am seeing the same thing on my proftpd/auth.log. On this log does it track attempts or does this mean that someone connected?

ProFTPd [13159] 213.54.87.157 [18/Apr/2006:19:03:32 -0500] "USER anonymous" 331

ProFTPd log very active!

manny2008

Verified User

nobaloney

NoBaloney Internet Svcs - In Memoriam †

cybercavern

Verified User