
Recently I received a message from my ISP saying: "We have detected abuse from the IP address"

This message was sent to us because a fail2ban application in some part of the world sent an automatic message (I suppose it was automatic) to the ISP indicating that our IP was abusing an FTP test.

My question is: can this application wrongly detect an FTP test from our server's IP because someone else was faking an FTP test?

This is the message the ISP received:

Mar 11 05:23:24 li244-67 sshd[10025]: Invalid user ftptest from xxx.xxx.xx.xxx
Mar 11 05:23:24 li244-67 sshd[10025]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xx.xxx
Mar 11 05:23:27 li244-67 sshd[10025]: Failed password for invalid user ftptest from xxx.xxx.xx.xxx port 47998 ssh2
Esa Jokinen

1 Answer

Mar 11 05:23:24 li244-67 sshd[10025]: Invalid user ftptest from xxx.xxx.xx.xxx

The log excerpt shows that a connection attempt was made from the server with IP address xxx.xxx.xx.xxx to log in to a server named "li244-67" with SSH (and not FTP) to a user account with the login name "ftptest" (and probably there were many other similar attempts with different password/username combinations).

If that wasn't done by you or your users, then your server is probably compromised.
How do I deal with a compromised server?

HBruijn
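To show concretely how such an abuse report is derived from sshd log lines, here is an added example (not code from the question, the answer, or fail2ban) that parses syslog-style sshd entries, groups failed logins by source address, and records which program logged them, so it is immediately visible that the "ftptest" attempts came through sshd rather than an FTP daemon. The log lines and the source address 203.0.113.45 are constructed sample data modelled on the excerpt above; the threshold of two failures is an assumed setting.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the question's excerpt (placeholder source IPs).
SAMPLE_LOG = """\
Mar 11 05:23:24 li244-67 sshd[10025]: Invalid user ftptest from 203.0.113.45
Mar 11 05:23:24 li244-67 sshd[10025]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.45
Mar 11 05:23:27 li244-67 sshd[10025]: Failed password for invalid user ftptest from 203.0.113.45 port 47998 ssh2
Mar 11 05:23:31 li244-67 sshd[10031]: Invalid user admin from 203.0.113.45
Mar 11 05:23:33 li244-67 sshd[10031]: Failed password for invalid user admin from 203.0.113.45 port 48002 ssh2
Mar 11 05:24:01 li244-67 sshd[10040]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
"""

# Syslog prefix: timestamp, host, program name and PID, then the free-text message.
PREFIX = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Messages sshd emits for a failed login and for an unknown account.
FAILED = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) (?P<proto>\S+)$")
INVALID = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)")

def summarize(log_text):
    """Return {source_ip: {program, failures, users, protocols}} for every address that failed to log in."""
    report = defaultdict(lambda: {"program": None, "failures": 0, "users": set(), "protocols": set()})
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # not a syslog-style line we understand
        msg = m.group("msg")
        f = FAILED.match(msg)
        if f:
            entry = report[f.group("ip")]
            entry["program"] = m.group("prog")  # "sshd" here, not an FTP daemon
            entry["failures"] += 1
            entry["users"].add(f.group("user"))
            entry["protocols"].add(f.group("proto"))
            continue
        i = INVALID.match(msg)
        if i:
            entry = report[i.group("ip")]
            entry["program"] = m.group("prog")
            entry["users"].add(i.group("user"))
    return dict(report)

def offenders(log_text, threshold=2):
    """Source addresses with at least `threshold` failed logins (assumed threshold, like a fail2ban maxretry)."""
    return sorted(ip for ip, e in summarize(log_text).items() if e["failures"] >= threshold)
```

Note that the successful publickey login from 198.51.100.7 never enters the report: only failed attempts count towards a ban.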