On Sat, Jan 23, 2010 at 6:14 PM, madunix <madunix at gmail.com> wrote:
> I noticed that my server has a lot ca. 1000x auth failure from
> different allocated in China / Romania and Netherlands per day since 3
> days
> It looks to me like somebody was trying to get into server by guessing
> my password by brute force.
> what would be the best to stop this attack and how? the server running
> apache mysql and ftp
> PORT STATE SERVICE
> 21/tcp open ftp
> 80/tcp open http
> 443/tcp open https
> 3306/tcp open mysql
> ...
> Jan 22 16:07:14 user vsftpd(pam_unix)[17462]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=195.95.228.150
> Jan 22 16:07:16 user vsftpd(pam_unix)[16737]: check pass; user unknown
> Jan 22 16:07:16 user vsftpd(pam_unix)[16737]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=195.95.228.150
> Jan 22 16:07:17 user vsftpd(pam_unix)[17462]: check pass; user unknown
> Jan 23 17:23:52 user vsftpd(pam_unix)[20524]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=221.7.40.47
> Jan 23 17:23:55 user vsftpd(pam_unix)[20524]: check pass; user unknown
> Jan 23 17:23:55 user vsftpd(pam_unix)[20524]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=221.7.40.47
> Jan 23 17:23:59 user vsftpd(pam_unix)[20524]: check pass; user unknown
> Jan 23 17:24:58 user vsftpd(pam_unix)[20524]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=221.7.40.47
> Jan 23 00:37:47 user vsftpd(pam_unix)[1791]: check pass; user unknown
> Jan 23 00:37:47 user vsftpd(pam_unix)[1791]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=217.23.14.168
> Jan 23 00:38:06 user vsftpd(pam_unix)[1791]: check pass; user unknown
> Jan 23 00:38:06 user vsftpd(pam_unix)[1791]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=217.23.14.168
> ...
>
> Thanks
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

Maybe a brute force attack, try to install a HIDS like:

APF/BFD:
http://www.rfxn.com/projects/advanced-policy-firewall/
http://www.rfxn.com/projects/brute-force-detection/

Fail2ban:
http://www.fail2ban.org/

Fail2ban is available in EPEL repos.

HTH

--
Athmane Madjoudj
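
The kind of check the tools recommended above automate, as an added example that is not part of the original thread and is not Fail2ban's or BFD's own code: it counts `vsftpd(pam_unix)` authentication failures per `rhost` in a sliding window and reports hosts that cross a threshold. The parameter names `maxretry` and `findtime` are borrowed from Fail2ban's options; the default values, the `year` argument and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failure lines in the vsftpd(pam_unix) format quoted in the thread (unwrapped).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ vsftpd\(pam_unix\)\[\d+\]: "
    r"authentication failure;.*\brhost=(?P<rhost>\S+)"
)

def find_offenders(lines, maxretry=3, findtime=600, year=2010):
    """Return {rhost: time of the failure that crossed the threshold}.

    A host is flagged once it has `maxretry` failures within a sliding
    window of `findtime` seconds. Syslog timestamps carry no year, so
    `year` is an assumption supplied by the caller.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # rhost -> failure times still inside the window
    offenders = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # e.g. "check pass; user unknown" lines carry no rhost
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["rhost"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # forget failures older than the window
        if len(q) >= maxretry:
            offenders.setdefault(m["rhost"], ts)
    return offenders

# Constructed sample input (RFC 5737 documentation addresses, not real hosts).
_F = "authentication failure; logname= uid=0 euid=0 tty= ruser= rhost="
SAMPLE_LOG = [
    "Jan 22 16:07:14 user vsftpd(pam_unix)[17462]: " + _F + "203.0.113.10",
    "Jan 22 16:07:16 user vsftpd(pam_unix)[17462]: check pass; user unknown",
    "Jan 22 16:07:16 user vsftpd(pam_unix)[17462]: " + _F + "203.0.113.10",
    "Jan 22 16:07:19 user vsftpd(pam_unix)[17462]: " + _F + "203.0.113.10",
    "Jan 23 09:00:00 user vsftpd(pam_unix)[20524]: " + _F + "198.51.100.7",
    "Jan 23 09:20:00 user vsftpd(pam_unix)[20524]: " + _F + "198.51.100.7",
    "Jan 23 09:40:00 user vsftpd(pam_unix)[20524]: " + _F + "198.51.100.7",
]

if __name__ == "__main__":
    for host, when in find_offenders(SAMPLE_LOG).items():
        print(f"{host}: threshold crossed at {when}")
```

The second host in the sample stays under the threshold because its attempts are spaced wider than `findtime`, which is the trade-off to weigh when choosing the window.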