fail2ban.server : ERROR Unexpected communication error

roy-arne · 04-05-2009, 12:44 PM

Hi,
I have a random set port number on my ftp. Still I'm struggeling with a verry high numbers of connections against my ftp. They hit every secound. I've encrypted my ftp, and no anonymus ftp is allowed. I've enabled iptables and fail2ban. But when I start fail2ban and check the log files it's full of this error:

fail2ban.server : ERROR Unexpected communication error

Have anyone seen that before?

roy-arne · 04-05-2009, 03:13 PM

Happy to any suggestions about how to get the hammering on my ftpserver to stop.

saman007uk · 04-05-2009, 06:45 PM

What do you mean by "encrypted FTP"? Did you mean that you are using SFTP instead?

Are you starting fail2ban as root? Try increasing the loglevel in the fail2ban configuration. That should give you soem more ifnromation on that error.

To stop the attacks, you could change the port that FTP is listetning to. Alternatively, you could use iptables to limit FTP connection rates to no more than 2 in a certain time, say 10 minutes:

Code:

iptables -I INPUT -p tcp --dport 21 -i eth0 -m state --state NEW -m recent \
  --set

iptables -I INPUT -p tcp --dport 21 -i eth0 -m state --state NEW -m recent \
  --update --seconds 600 --hitcount 2 -j DROP

roy-arne · 04-12-2009, 04:22 PM

Quote:

Originally Posted by saman007uk

What do you mean by "encrypted FTP"? Did you mean that you are using SFTP instead?

Are you starting fail2ban as root? Try increasing the loglevel in the fail2ban configuration. That should give you soem more ifnromation on that error.

To stop the attacks, you could change the port that FTP is listetning to. Alternatively, you could use iptables to limit FTP connection rates to no more than 2 in a certain time, say 10 minutes:

Code:

iptables -I INPUT -p tcp --dport 21 -i eth0 -m state --state NEW -m recent \
  --set

iptables -I INPUT -p tcp --dport 21 -i eth0 -m state --state NEW -m recent \
  --update --seconds 600 --hitcount 2 -j DROP

With encrypted I mean that I use TLS encryption.

I tried increasing the loglevel, but I got the same error, It did not give me any other hints.

I tried doing what you suggested with iptables. But still there is alot of connections against me. Why do you think changing the port will help? They are obviously port scanning me?

saman007uk · 04-12-2009, 04:43 PM

Try reinstalling fail2ban.

If you are getting many connections to FTP, it obviosuly is not a port scan - since port scans by definion SCANS against a range of ports. What you are describing is a brute force attack.