Sorry for the delay...
On 15 Jul 2014, at 8:06 pm, Colin Jack <co...@mainline.co.uk> wrote:

> Hi Greg
>
> Any thoughts?

type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+proftpd\[\S+\]: \S+ \(\S+\[(\S+)\]\) - \S+ \S+ \(Login failed\): Incorrect password.
desc=$0
action=event BLOCK, $2, proftpd-b4

This is the rule that is getting matched. Basically, it's an FTP incorrect password in /var/log/secure ....

Find out what's doing the FTP jobs with the bad password, and problem fixed :)

Greg.

> Thanks
>
> Colin
>
>> On 11 Jul 2014, at 10:17, "Colin Jack" <co...@mainline.co.uk> wrote:
>>
>> Hi Greg,
>>
>>> Check out /var/log/sec ... this is the log file for dfix2. Look for the IP
>>> in that file and send me details of what you find. That will help to
>>> understand why a particular IP is getting blocked.
>>
>> Well here is a result (sort of) ... I've been blocked this morning and I
>> haven't been near it! :)
>>
>> [root@server8 log]# cat sec |grep 84.23.16.59
>> Mon Jul 7 08:59:05 2014: Creating event 'BLOCK, 84.23.16.59, proftpd-b4'
>> Mon Jul 7 08:59:05 2014: BLOCK, 84.23.16.59, proftpd-b4
>> Mon Jul 7 08:59:05 2014: Executing shell command '/etc/apf/apf -d 84.23.16.59 dFixblock2'
>> Mon Jul 7 08:59:05 2014: Child 5201 created for command '/etc/apf/apf -d 84.23.16.59 dFixblock2'
>> Mon Jul 7 08:59:05 2014: Creating context 'BLOCK_84.23.16.59'
>> Mon Jul 7 09:59:06 2014: Deleting stale context 'BLOCK_84.23.16.59'
>> Mon Jul 7 09:59:06 2014: Creating event 'UNBLOCK, 84.23.16.59'
>> Mon Jul 7 09:59:06 2014: Stale context 'BLOCK_84.23.16.59' deleted
>> Mon Jul 7 09:59:06 2014: Executing shell command '/etc/apf/apf -u 84.23.16.59'
>> Mon Jul 7 09:59:06 2014: Child 9279 created for command '/etc/apf/apf -u 84.23.16.59'
>> Tue Jul 8 08:46:01 2014: Creating event 'BLOCK, 84.23.16.59, proftpd-b4'
>> Tue Jul 8 08:46:01 2014: BLOCK, 84.23.16.59, proftpd-b4
>> Tue Jul 8 08:46:01 2014: Executing shell command '/etc/apf/apf -d 84.23.16.59 dFixblock2'
>> Tue Jul 8 08:46:01 2014: Child 13833 created for command '/etc/apf/apf -d 84.23.16.59 dFixblock2'
>> Tue Jul 8 08:46:01 2014: Creating context 'BLOCK_84.23.16.59'
>> Tue Jul 8 09:46:02 2014: Deleting stale context 'BLOCK_84.23.16.59'
>> Tue Jul 8 09:46:02 2014: Creating event 'UNBLOCK, 84.23.16.59'
>> Tue Jul 8 09:46:02 2014: Stale context 'BLOCK_84.23.16.59' deleted
>> Tue Jul 8 09:46:02 2014: Executing shell command '/etc/apf/apf -u 84.23.16.59'
>> Tue Jul 8 09:46:02 2014: Child 16611 created for command '/etc/apf/apf -u 84.23.16.59'
>> Wed Jul 9 10:17:09 2014: Creating event 'BLOCK, 84.23.16.59, proftpd-b4'
>> Wed Jul 9 10:17:09 2014: BLOCK, 84.23.16.59, proftpd-b4
>> Wed Jul 9 10:17:09 2014: Executing shell command '/etc/apf/apf -d 84.23.16.59 dFixblock2'
>> Wed Jul 9 10:17:09 2014: Child 21518 created for command '/etc/apf/apf -d 84.23.16.59 dFixblock2'
>> Wed Jul 9 10:17:09 2014: Creating context 'BLOCK_84.23.16.59'
>> Wed Jul 9 11:17:10 2014: Deleting stale context 'BLOCK_84.23.16.59'
>> Wed Jul 9 11:17:10 2014: Creating event 'UNBLOCK, 84.23.16.59'
>> Wed Jul 9 11:17:10 2014: Stale context 'BLOCK_84.23.16.59' deleted
>> Wed Jul 9 11:17:10 2014: Executing shell command '/etc/apf/apf -u 84.23.16.59'
>> Wed Jul 9 11:17:10 2014: Child 24716 created for command '/etc/apf/apf -u 84.23.16.59'
>> Thu Jul 10 09:46:47 2014: Creating event 'BLOCK, 84.23.16.59, proftpd-b4'
>> Thu Jul 10 09:46:47 2014: BLOCK, 84.23.16.59, proftpd-b4
>> Thu Jul 10 09:46:47 2014: Executing shell command '/etc/apf/apf -d 84.23.16.59 dFixblock2'
>> Thu Jul 10 09:46:47 2014: Child 11206 created for command '/etc/apf/apf -d 84.23.16.59 dFixblock2'
>> Thu Jul 10 09:46:47 2014: Creating context 'BLOCK_84.23.16.59'
>> Thu Jul 10 10:46:48 2014: Deleting stale context 'BLOCK_84.23.16.59'
>> Thu Jul 10 10:46:48 2014: Creating event 'UNBLOCK, 84.23.16.59'
>> Thu Jul 10 10:46:48 2014: Stale context 'BLOCK_84.23.16.59' deleted
>> Thu Jul 10 10:46:48 2014: Executing shell command '/etc/apf/apf -u 84.23.16.59'
>> Thu Jul 10 10:46:48 2014: Child 14658 created for command '/etc/apf/apf -u 84.23.16.59'
>> Thu Jul 10 16:38:07 2014: Creating event 'WHITELIST, 84.23.16.59, ssh-w1'
>> Thu Jul 10 16:38:07 2014: Creating context 'WHITELIST_84.23.16.59'
>> Fri Jul 11 09:02:16 2014: Creating event 'BLOCK, 84.23.16.59, proftpd-b4'
>> Fri Jul 11 09:02:16 2014: BLOCK, 84.23.16.59, proftpd-b4
>> Fri Jul 11 09:02:16 2014: Executing shell command '/etc/apf/apf -d 84.23.16.59 dFixblock2'
>> Fri Jul 11 09:02:16 2014: Child 3300 created for command '/etc/apf/apf -d 84.23.16.59 dFixblock2'
>> Fri Jul 11 09:02:16 2014: Creating context 'BLOCK_84.23.16.59'
>>
>> Thanks
>>
>> Colin
_______________________________________________ Blueonyx mailing list Blueonyx@mail.blueonyx.it http://mail.blueonyx.it/mailman/listinfo/blueonyx
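To see what the proftpd-b4 rule above actually keys on, here is an added example (not dfix2's or BlueOnyx's code, and not anything posted in the thread) that runs the rule's regex over a few constructed proftpd log lines in /var/log/secure format and replays the block/unblock bookkeeping that the /var/log/sec excerpt shows. The regex is the pattern from Greg's message verbatim; everything else is an assumption: the one-hour block lifetime is inferred from the BLOCK/UNBLOCK timestamps in the excerpt, the sample lines, host names and the second IP are made up, and the whitelist check is my own, since the page shows a WHITELIST_84.23.16.59 context being created on Thursday and a BLOCK for the same IP on Friday morning but not the rule that consumes whitelist contexts. The apf commands are returned as strings, not executed.

```python
"""Replay the proftpd-b4 rule from the thread over constructed log lines.

Added example, not dfix2's or BlueOnyx's own code. The regex is the SEC rule's
pattern verbatim; the block/unblock/whitelist bookkeeping is a simplified
reconstruction from the /var/log/sec excerpt in the thread and is an
assumption, not the real rule set.
"""
import re
from datetime import datetime, timedelta

# Verbatim pattern from the rule in Greg's message. Group 1 is the host,
# group 2 the client IP that the rule hands to the BLOCK event as $2.
PROFTPD_BAD_PASSWORD = re.compile(
    r"^\S+\s+\d+\s+\S+\s+(\S+)\s+proftpd\[\S+\]: \S+ \(\S+\[(\S+)\]\) "
    r"- \S+ \S+ \(Login failed\): Incorrect password."
)

# Assumed one-hour context lifetime, inferred from the BLOCK/UNBLOCK pairs in
# the thread (e.g. 08:59:05 -> 09:59:06). The real dfix2 value is not on the page.
BLOCK_LIFETIME = timedelta(hours=1)
YEAR = 2014  # syslog timestamps carry no year; the thread is from July 2014

# Constructed sample lines in proftpd's syslog format, not lines from the
# server in the thread. Host names and the second IP are documentation values.
SAMPLE_SECURE = [
    "Jul 10 09:46:46 server8 proftpd[11200]: server8 (backup-host.example.net[84.23.16.59]) - USER backup (Login failed): Incorrect password.",
    "Jul 10 09:46:50 server8 proftpd[11204]: server8 (backup-host.example.net[84.23.16.59]) - USER backup (Login failed): Incorrect password.",
    "Jul 10 09:47:02 server8 proftpd[11210]: server8 (backup-host.example.net[84.23.16.59]) - USER backup: Login successful.",
    "Jul 10 12:00:00 server8 proftpd[11900]: server8 (203.0.113.7[203.0.113.7]) - USER admin (Login failed): Incorrect password.",
    "Jul 11 09:02:15 server8 proftpd[3298]: server8 (backup-host.example.net[84.23.16.59]) - USER backup (Login failed): Incorrect password.",
]


def parse_line(line):
    """Return (timestamp, client_ip) when the rule matches the line, else None."""
    m = PROFTPD_BAD_PASSWORD.match(line)
    if not m:
        return None
    month, day, clock, _rest = line.split(maxsplit=3)
    ts = datetime.strptime(f"{YEAR} {month} {day} {clock}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2)


def replay(lines, whitelist=()):
    """Walk the lines in order and return the events the rule would raise.

    Each event is (kind, ip, timestamp) with kind one of BLOCK, UNBLOCK,
    ALREADY_BLOCKED (a BLOCK_<ip> context already exists, so no second
    apf -d) or WHITELISTED. Contexts still active after the last line are
    not reported as UNBLOCK.
    """
    events = []
    active = {}  # ip -> expiry time of its BLOCK_<ip> context
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        # Drop stale contexts first; that is what produces the UNBLOCK event
        # (and the 'apf -u') one lifetime after each block in the excerpt.
        for blocked, expiry in list(active.items()):
            if ts >= expiry:
                events.append(("UNBLOCK", blocked, expiry))
                del active[blocked]
        if ip in whitelist:
            events.append(("WHITELISTED", ip, ts))
        elif ip in active:
            events.append(("ALREADY_BLOCKED", ip, ts))
        else:
            active[ip] = ts + BLOCK_LIFETIME
            events.append(("BLOCK", ip, ts))
    return events


def apf_command(event):
    """The apf command the thread's log shows for an event; returned, not run."""
    kind, ip, _ts = event
    if kind == "BLOCK":
        return f"/etc/apf/apf -d {ip} dFixblock2"
    if kind == "UNBLOCK":
        return f"/etc/apf/apf -u {ip}"
    return None


if __name__ == "__main__":
    for ev in replay(SAMPLE_SECURE):
        print(ev[2].strftime("%a %b %d %H:%M:%S"), ev[0], ev[1], apf_command(ev) or "")
```

Running it shows the same shape as the excerpt: one BLOCK per IP per hour, the second failure inside that hour raising nothing, and an UNBLOCK exactly one lifetime later. Passing `whitelist={"84.23.16.59"}` turns the Friday-morning BLOCK into WHITELISTED, which is the behaviour you would want from a whitelist rule; whether dfix2's own rules honour the WHITELIST_ context that way is not shown in the thread.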