[BlueOnyx:15676] Re: Dfix2/APF problem

Greg Kuhnert gkuhnert at compassnetworks.com.au
Thu Jul 17 15:47:56 -05 2014


Sorry for the delay...


On 15 Jul 2014, at 8:06 pm, Colin Jack <colin at mainline.co.uk> wrote:

> Hi Greg 
> 
> Any thoughts?
> 

type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+proftpd\[\S+\]: \S+ \(\S+\[(\S+)\]\) - \S+ \S+ \(Login failed\): Incorrect password.
desc=$0
action=event BLOCK, $2, proftpd-b4

This is the rule that is getting matched. Basically, it's an FTP incorrect password in /var/log/secure .... Find out what's doing the FTP jobs with the bad password, and problem fixed :)

Greg.

> Thanks
> 
> Colin
> 
>> On 11 Jul 2014, at 10:17, "Colin Jack" <colin at mainline.co.uk> wrote:
>> 
>> Hi Greg,
>> 
>>> Check out /var/log/sec ... this is the log file for dfix2. Look for the IP in that file
>>> and send me details of what you find. That will help to understand why a
>>> particular IP is getting blocked.
>> 
>> Well here is a result (sort of) ... I've been blocked this morning and I haven't been near it! :)
>> 
>> [root at server8 log]# cat sec |grep 84.23.16.59
>> Mon Jul  7 08:59:05 2014: Creating event 'BLOCK, 84.23.16.59, proftpd-b4'
>> Mon Jul  7 08:59:05 2014: BLOCK, 84.23.16.59, proftpd-b4
>> Mon Jul  7 08:59:05 2014: Executing shell command '/etc/apf/apf -d 84.23.16.59 dFixblock2'
>> Mon Jul  7 08:59:05 2014: Child 5201 created for command '/etc/apf/apf -d 84.23.16.59 dFixblock2'
>> Mon Jul  7 08:59:05 2014: Creating context 'BLOCK_84.23.16.59'
>> Mon Jul  7 09:59:06 2014: Deleting stale context 'BLOCK_84.23.16.59'
>> Mon Jul  7 09:59:06 2014: Creating event 'UNBLOCK, 84.23.16.59'
>> Mon Jul  7 09:59:06 2014: Stale context 'BLOCK_84.23.16.59' deleted
>> Mon Jul  7 09:59:06 2014: Executing shell command '/etc/apf/apf -u 84.23.16.59'
>> Mon Jul  7 09:59:06 2014: Child 9279 created for command '/etc/apf/apf -u 84.23.16.59'
>> Tue Jul  8 08:46:01 2014: Creating event 'BLOCK, 84.23.16.59, proftpd-b4'
>> Tue Jul  8 08:46:01 2014: BLOCK, 84.23.16.59, proftpd-b4
>> Tue Jul  8 08:46:01 2014: Executing shell command '/etc/apf/apf -d 84.23.16.59 dFixblock2'
>> Tue Jul  8 08:46:01 2014: Child 13833 created for command '/etc/apf/apf -d 84.23.16.59 dFixblock2'
>> Tue Jul  8 08:46:01 2014: Creating context 'BLOCK_84.23.16.59'
>> Tue Jul  8 09:46:02 2014: Deleting stale context 'BLOCK_84.23.16.59'
>> Tue Jul  8 09:46:02 2014: Creating event 'UNBLOCK, 84.23.16.59'
>> Tue Jul  8 09:46:02 2014: Stale context 'BLOCK_84.23.16.59' deleted
>> Tue Jul  8 09:46:02 2014: Executing shell command '/etc/apf/apf -u 84.23.16.59'
>> Tue Jul  8 09:46:02 2014: Child 16611 created for command '/etc/apf/apf -u 84.23.16.59'
>> Wed Jul  9 10:17:09 2014: Creating event 'BLOCK, 84.23.16.59, proftpd-b4'
>> Wed Jul  9 10:17:09 2014: BLOCK, 84.23.16.59, proftpd-b4
>> Wed Jul  9 10:17:09 2014: Executing shell command '/etc/apf/apf -d 84.23.16.59 dFixblock2'
>> Wed Jul  9 10:17:09 2014: Child 21518 created for command '/etc/apf/apf -d 84.23.16.59 dFixblock2'
>> Wed Jul  9 10:17:09 2014: Creating context 'BLOCK_84.23.16.59'
>> Wed Jul  9 11:17:10 2014: Deleting stale context 'BLOCK_84.23.16.59'
>> Wed Jul  9 11:17:10 2014: Creating event 'UNBLOCK, 84.23.16.59'
>> Wed Jul  9 11:17:10 2014: Stale context 'BLOCK_84.23.16.59' deleted
>> Wed Jul  9 11:17:10 2014: Executing shell command '/etc/apf/apf -u 84.23.16.59'
>> Wed Jul  9 11:17:10 2014: Child 24716 created for command '/etc/apf/apf -u 84.23.16.59'
>> Thu Jul 10 09:46:47 2014: Creating event 'BLOCK, 84.23.16.59, proftpd-b4'
>> Thu Jul 10 09:46:47 2014: BLOCK, 84.23.16.59, proftpd-b4
>> Thu Jul 10 09:46:47 2014: Executing shell command '/etc/apf/apf -d 84.23.16.59 dFixblock2'
>> Thu Jul 10 09:46:47 2014: Child 11206 created for command '/etc/apf/apf -d 84.23.16.59 dFixblock2'
>> Thu Jul 10 09:46:47 2014: Creating context 'BLOCK_84.23.16.59'
>> Thu Jul 10 10:46:48 2014: Deleting stale context 'BLOCK_84.23.16.59'
>> Thu Jul 10 10:46:48 2014: Creating event 'UNBLOCK, 84.23.16.59'
>> Thu Jul 10 10:46:48 2014: Stale context 'BLOCK_84.23.16.59' deleted
>> Thu Jul 10 10:46:48 2014: Executing shell command '/etc/apf/apf -u 84.23.16.59'
>> Thu Jul 10 10:46:48 2014: Child 14658 created for command '/etc/apf/apf -u 84.23.16.59'
>> Thu Jul 10 16:38:07 2014: Creating event 'WHITELIST, 84.23.16.59, ssh-w1'
>> Thu Jul 10 16:38:07 2014: Creating context 'WHITELIST_84.23.16.59'
>> Fri Jul 11 09:02:16 2014: Creating event 'BLOCK, 84.23.16.59, proftpd-b4'
>> Fri Jul 11 09:02:16 2014: BLOCK, 84.23.16.59, proftpd-b4
>> Fri Jul 11 09:02:16 2014: Executing shell command '/etc/apf/apf -d 84.23.16.59 dFixblock2'
>> Fri Jul 11 09:02:16 2014: Child 3300 created for command '/etc/apf/apf -d 84.23.16.59 dFixblock2'
>> Fri Jul 11 09:02:16 2014: Creating context 'BLOCK_84.23.16.59'
>> 
>> Thanks
>> 
>> Colin
>> 
>> _______________________________________________
>> Blueonyx mailing list
>> Blueonyx at mail.blueonyx.it
>> http://mail.blueonyx.it/mailman/listinfo/blueonyx
> 

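As an added illustration (not part of the thread, and not dfix2's or BlueOnyx's own code), the following Python replays the SEC rule Greg posted over a few constructed /var/log/secure lines. The regex is copied verbatim from the rule; the log lines, the host name office.example.net, the account name backupjob and the second client IP are assumptions made up for the example. It shows which client IP the rule would hand to the BLOCK action, and extends the pattern by one capture group for the FTP account name, because that name is what you need to track down the job that keeps trying the bad password.

```python
"""
Added example: replay the dfix2/SEC proftpd rule from the thread over a few
constructed /var/log/secure lines and report which client IP and which FTP
account are producing the "Incorrect password" events behind the BLOCKs.
"""
import re
from collections import Counter

# Regex exactly as written in the rule (type=Single, ptype=RegExp).
# Group 1 is the host field, group 2 the client IP, which the rule passes
# as $2 to "action=event BLOCK, $2, proftpd-b4".  The trailing "." in the
# rule is an unescaped metacharacter (matches any character); harmless here.
SEC_PATTERN = re.compile(
    r"^\S+\s+\d+\s+\S+\s+(\S+)\s+proftpd\[\S+\]: \S+ \(\S+\[(\S+)\]\) - "
    r"\S+ \S+ \(Login failed\): Incorrect password."
)

# Extension, NOT in the original rule: the "\S+ \S+" before "(Login failed)"
# is where "USER <name>" sits, so capture the account name as group 3.
USER_PATTERN = re.compile(
    r"^\S+\s+\d+\s+\S+\s+(\S+)\s+proftpd\[\S+\]: \S+ \(\S+\[(\S+)\]\) - "
    r"USER (\S+) \(Login failed\): Incorrect password."
)

# Constructed sample log (not from the original post), laid out in the shape
# the rule's pattern expects.  Host names, account names and the second IP
# are assumptions; 84.23.16.59 is the address discussed in the thread.
SAMPLE_SECURE_LOG = """\
Jul 11 09:02:14 server8 proftpd[3291]: server8 (office.example.net[84.23.16.59]) - USER backupjob (Login failed): Incorrect password.
Jul 11 09:02:15 server8 proftpd[3293]: server8 (office.example.net[84.23.16.59]) - USER backupjob (Login failed): Incorrect password.
Jul 11 09:02:16 server8 proftpd[3296]: server8 (office.example.net[84.23.16.59]) - USER backupjob (Login failed): Incorrect password.
Jul 11 09:02:20 server8 sshd[3300]: Accepted publickey for colin from 84.23.16.59 port 51022 ssh2
Jul 11 09:05:01 server8 proftpd[3310]: server8 (office.example.net[84.23.16.59]) - USER colin: Login successful.
Jul 11 09:07:43 server8 proftpd[3322]: server8 (198.51.100.7[198.51.100.7]) - USER admin (Login failed): Incorrect password.
"""


def sec_action(line):
    """Mimic the rule: return the event text it would generate for `line`,
    or None when the rule does not fire.  type=Single means one matching
    line is enough; no counting or threshold is involved at this stage."""
    m = SEC_PATTERN.match(line)
    if m is None:
        return None
    return "BLOCK, %s, proftpd-b4" % m.group(2)


def failed_logins(log_text):
    """Map client IP -> Counter of FTP account names that failed the
    password check from that IP.  Lines the rule would not fire on
    (other daemons, successful logins) are ignored."""
    per_ip = {}
    for line in log_text.splitlines():
        m = USER_PATTERN.match(line)
        if m is None:
            continue
        per_ip.setdefault(m.group(2), Counter())[m.group(3)] += 1
    return per_ip


def suspects(log_text, ip):
    """Account names behind the failed FTP logins from `ip`, most frequent
    first.  This is the list to check against cron jobs, backup scripts and
    saved client profiles on the machine that owns `ip`."""
    return [user for user, _ in failed_logins(log_text).get(ip, Counter()).most_common()]


if __name__ == "__main__":
    for line in SAMPLE_SECURE_LOG.splitlines():
        event = sec_action(line)
        if event:
            print("rule fires:", event)
    print("accounts behind 84.23.16.59:", suspects(SAMPLE_SECURE_LOG, "84.23.16.59"))
```

Run against the real file with `failed_logins(open("/var/log/secure").read())` and look at the account names for the blocked IP; in the /var/log/sec extract above every BLOCK for 84.23.16.59 lands within the same morning window on five consecutive days, which is the signature of a scheduled job rather than a person typing. The same extract also shows a WHITELIST context for the address created on Jul 10 and a proftpd-b4 BLOCK still firing on Jul 11; whether a whitelist context is meant to suppress that rule depends on the other dfix2 rules, which are not shown in the thread.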