Enabling "DontResolve" in pure-ftpd

Posted: 17 Apr 2015, 17:36
by haus
Just a quick note here; I noticed that while LFD was blocking some pure-ftpd bruteforce attempts, there were still times when my server was getting hammered repeatedly. Pure-ftpd logs in /var/log/messages, and the bruteforce attempts that were not being blocked looked like:

Apr 13 23:41:32 brightstar pure-ftpd: (?@84-241-32-107.shatel.ir) [INFO] New connection from 84-241-32-107.shatel.ir
Of course with pure-ftpd resolving hostnames rather than just reporting IP addresses, there's no way for LFD to know which IP address to block. I echoed "yes" to /etc/pure-ftpd/conf/DontResolve, restarted pure-ftpd, and I believe this will allow LFD to catch all ftp login attempts, not just the ones for which pure-ftpd wasn't able to get a hostname.

I searched for "DontResolve" and nothing came up so I hope this tip helps someone.
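
Added example, not part of the original post and not LFD's own matching code: a small Python triage over pure-ftpd syslog lines that counts failed logins per peer and separates literal IP addresses (which a firewall rule can target) from resolved hostnames (which it cannot). The log lines are constructed samples in the format shown above, and the names `triage` and `is_ip` are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the pure-ftpd syslog format shown in the post
# (documentation addresses and example.net hostnames, not real traffic).
SAMPLE_LOG = """\
Apr 13 23:41:32 host1 pure-ftpd: (?@host-7.example.net) [INFO] New connection from host-7.example.net
Apr 13 23:41:35 host1 pure-ftpd: (?@host-7.example.net) [WARNING] Authentication failed for user [admin]
Apr 13 23:41:40 host1 pure-ftpd: (?@203.0.113.9) [INFO] New connection from 203.0.113.9
Apr 13 23:41:41 host1 pure-ftpd: (?@203.0.113.9) [WARNING] Authentication failed for user [admin]
Apr 13 23:41:44 host1 pure-ftpd: (?@203.0.113.9) [WARNING] Authentication failed for user [root]
"""

# Matches "pure-ftpd: (user@peer) [WARNING] Authentication failed for user [name]"
FAILED = re.compile(
    r"pure-ftpd: \((?P<user>[^@)]*)@(?P<peer>[^)]+)\) "
    r"\[WARNING\] Authentication failed for user \[(?P<login>[^\]]*)\]"
)

def is_ip(peer):
    """True when the logged peer is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(peer)
        return True
    except ValueError:
        return False

def triage(log_text):
    """Split failed logins into counts per blockable IP and per hostname."""
    by_ip, by_hostname = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # not an authentication failure line
        peer = m.group("peer")
        (by_ip if is_ip(peer) else by_hostname)[peer] += 1
    return by_ip, by_hostname

if __name__ == "__main__":
    by_ip, by_hostname = triage(SAMPLE_LOG)
    for peer, n in by_ip.most_common():
        print(f"ip        {peer:<22} failures={n}")
    for peer, n in by_hostname.most_common():
        print(f"hostname  {peer:<22} failures={n}  (check DontResolve)")
```

Any entries in the hostname bucket after the restart suggest the DontResolve setting has not taken effect for the running pure-ftpd.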

Re: Enabling "DontResolve" in pure-ftpd

Posted: 28 Apr 2015, 19:50
by btwatts
I continue to get hammered by log entries like these:

Apr 28 13:45:07 server5 pure-ftpd: (?@94.122.168.197) [INFO] New connection from 94.122.168.197
Apr 28 13:45:13 server5 pure-ftpd: (?@94.122.168.197) [WARNING] Authentication failed for user [admin@domain.com]

What am I missing???

I'm getting seriously hit thousands of times.

Apr 29 13:31:22 server5 pure-ftpd: (?x116.100.138.219) [INFO] Logout.
Apr 29 13:31:22 server5 pure-ftpd: (?x116.100.138.219) [INFO] New connection from 116.100.138.219
Apr 29 13:31:23 server5 pure-ftpd: (?x116.100.138.219) [WARNING] Authentication failed for user [domain.com]
Apr 29 13:31:24 server5 pure-ftpd: (?x116.100.138.219) [INFO] Logout.

In an attempt to resolve this problem, I've installed bfd to watch pureftpd