On Tue, Nov 2, 2010 at 09:34, Justin V. <[email protected]> wrote:
> Hi,
>
> Would this be considered bruteforce??

Yes

> This goes on and on:
>
>
> Nov 2 05:42:19 yeaguy pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [Administrator]
> Nov 2 05:42:53 yeaguy last message repeated 3 times

[...]

> My sshguard config:

Something isn't set up right if you are getting that many attempts - it
should kill them right away:

Nov 1 10:47:51 peridot sshd[77847]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 1 10:47:53 peridot sshd[77967]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 1 10:47:54 peridot sshd[78123]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 1 10:47:56 peridot sshd[78228]: reverse mapping checking getaddrinfo for 178-238-137-213.hostnoc.eu [178.238.137.213] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 1 10:47:56 peridot sshguard[49177]: Blocking 178.238.137.213:4 for >420secs: 4 failures over 5 seconds.

Do you have the syslog.conf part set up as well as the pf part? I've
only used it for ssh but something like the following needs to be
there:

auth.info;authpriv.info     |exec /usr/local/sbin/sshguard

> yeaguy# nslookup a214.amber.fastwebserver.de
> Server: 10.1.1.1
> Address: 10.1.1.1#53
>
> Non-authoritative answer:
> Name: a214.amber.fastwebserver.de
> Address: 217.79.189.214
>

I wouldn't waste your time trying to find out who they are - just
block and move on. That site is probably a shared web hosting account
that was compromised by a bad php script - even if you successfully
complain (assuming it is a legit hoster that cares) and they do
something about it, there are thousands more.

--
Rob Farmer
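Added example, not part of the original message and not sshguard's own code: a small Python scanner for the two failure formats quoted in the thread, which also counts syslog's "last message repeated N times" lines toward the source of the preceding failure so compressed log entries are not undercounted. The sample log, its hostnames and IP addresses, the 60-second window and the year are constructed assumptions; the threshold of 4 mirrors the sshguard block line quoted above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample lines in the formats quoted in the thread (documentation IPs).
SAMPLE_LOG = """\
Nov  1 10:47:51 peridot sshd[77847]: reverse mapping checking getaddrinfo for host.example [203.0.113.5] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:53 peridot sshd[77967]: reverse mapping checking getaddrinfo for host.example [203.0.113.5] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:54 peridot sshd[78123]: reverse mapping checking getaddrinfo for host.example [203.0.113.5] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  1 10:47:56 peridot sshd[78228]: reverse mapping checking getaddrinfo for host.example [203.0.113.5] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov  2 05:42:19 yeaguy pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [Administrator]
Nov  2 05:42:53 yeaguy last message repeated 3 times
Nov  2 06:10:00 yeaguy pure-ftpd: (?@192.0.2.44) [WARNING] Authentication failed for user [bob]
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s(.*)$")
FAILURES = [
    re.compile(r"sshd\[\d+\]: reverse mapping checking getaddrinfo for \S+ \[([\d.]+)\] failed"),
    re.compile(r"pure-ftpd: \(\S*@([\d.]+)\) \[WARNING\] Authentication failed for user"),
]
REPEAT = re.compile(r"last message repeated (\d+) times")

def find_offenders(log_text, threshold=4, window_s=60, year=2010):
    """Return {ip: datetime the threshold was crossed} for sources worth blocking."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    last_ip = {}                  # syslog host -> ip named in its previous failure line
    offenders = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # Classic syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
        host, msg = m[2], m[3]
        hit = next(filter(None, (p.search(msg) for p in FAILURES)), None)
        if hit:
            ip, count = hit[1], 1
            last_ip[host] = ip
        elif (rep := REPEAT.search(msg)) and host in last_ip:
            ip, count = last_ip[host], int(rep[1])   # repeats of the previous failure
        else:
            last_ip.pop(host, None)   # an unrelated line ends the "last message" context
            continue
        q = recent[ip]
        q.extend([ts] * count)
        while q and ts - q[0] > timedelta(seconds=window_s):
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders
```

Without the repeat handling, the FTP source in the sample would register a single failure and never reach the threshold.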
