56.157 looks like some attacker's real IP. But what is 122.14, and where is it from? :-O
My FTP server sits on a real IP on one of the network cards.
Another one - yes - has a 122 network with a class "C" mask, but at that time I had no .14 address in this internal network of mine, and anyway, why does it appear in the proftpd log? And in conjunction with the 80.250.56.157 address? :-O
Hm, does really nobody have any ideas why proftpd writes three IPs in the logs for one subject, what it can mean, and why some strange "grey" IP may appear there? :-O
I looked into this earlier today but did not have any useful conclusions as I have not used proftpd in a very long time, so did not reply.
I found this page which has some info on the log format which may be helpful to you. I could not tell if it includes your specific log format but it does provide the format specifiers. Also here is a description of proftpd logging.
The 56.157 IP appears to be local to you, but I am sure you know that already. The only idea I had for the mystery 122 IP is maybe someone has access to your router and received that address via DHCP (wild guess), or maybe gave themselves the static address.
Do you have a VPN configured on your network, or running virtual machines which might account for the 122 address?
It might be helpful if you could provide a little more information on your interfaces and routing table, not sure I understand that from your description.
Last edited by astrogeek; 04-03-2016 at 03:49 AM.
Reason: Added url
I would suggest that you check back in all of your logs for similar occurrences. With so little information it is difficult to determine the issue. I would do the following:
Update my passwords with new passwords; I like to use this to pick my passwords
Investigate your network design to find any holes in your firewall
Determine if your VPN or Wireless AP are secure still
Look for compromised hosts on your network.
Switch to SFTP or FTPS, since clear text passwords are just asking for trouble
Consider moving the FTP/FTPS/SFTP daemon into a jail
Try running rkhunter or chkrootkit as a quick determination of compromise
BUT, with so little information all of my suggestions are just good security practices for public facing services.
Quote:
I looked into this earlier today but did not have any useful conclusions as I have not used proftpd in a very long time, so did not reply.
I found this page which has some info on the log format which may be helpful to you. I could not tell if it includes your specific log format but it does provide the format specifiers. Also here is a description of proftpd logging.
The 56.157 IP appears to be local to you, but I am sure you know that already.
I am totally unsure about this, really - because there is no internal routing from the outer world to a specific address in the 122 network.
And by the logs it looks like the 56.157 address does some scanning or tries to brute force my services - on port 110, and on FTP there are attempts to connect with username "admin". Really, sure, I do not have such an account.
If my server had already been compromised, I think there would be no more activity of this type.
But I can't understand why the 122.14 address appears in the logs.
I have WiFi DHCP in that network, but it's WPA2 with a good password. I'll try to monitor the WiFi connections a bit, but I am pretty sure there are no "redundant" connections on my WiFi router... I'll try to dig a bit more in the logs today...
Quote:
The only idea I had for the mystery 122 IP is maybe someone has access to your router and received that address via DHCP (wild guess), or maybe gave themselves the static address.
Do you have a VPN configured on your network, or running virtual machines which might account for the 122 address?
It might be helpful if you could provide a little more information on your interfaces and routing table, not sure I understand that from your description.
No VPN, no virtual machines.
I send you my routing scheme by mail.
2mralk3: thank you too for the info and suggestions, but I am very unsure about whether I have been broken into. I'll try to investigate a bit more, albeit I do not like very much to spend time that way...
OK, dug around a bit - found that in the /var/log/secure file entries appear as they should be -
Mar 27 08:20:19 sten proftpd[5517]: connect from 80.250.56.157 (80.250.56.157)
Mar 27 08:20:49 sten proftpd[5521]: connect from 80.250.56.157 (80.250.56.157)
Looked again in the proftpd logfile - there almost all connections, actually, are preceded by the 122.14 address.
Found it in /etc/hosts. Can't remember why I wrote it there, and when.
Opportunistically, I want to ask here - what is the best practice for what to write there?
Is there really any need to write the domain names linked to this server?
If yes - is it better to write them with internal IPs, or with the external one for that server? (This server has one real IP for the outer world, and some internal ones for internal NICs directed to my local, internal networks.)
There, on that server, I have BIND running with authoritative zones too, if it is important.
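As an added example (not from this thread and not proftpd's own tooling), a small Python script that parses "connect from" lines in the /var/log/secure format shown above, flags a source IP that connects repeatedly within a short window, and lists /etc/hosts names that point at an address the host does not own (the cause of the 122.14 entries here). The sample log lines, the hosts entries, the year and the 192.168.122.14 address are constructed.

```python
import re
from datetime import datetime, timedelta
# Constructed sample in the syslog-style format proftpd writes to /var/log/secure.
SAMPLE_SECURE_LOG = """\
Mar 27 08:20:19 sten proftpd[5517]: connect from 80.250.56.157 (80.250.56.157)
Mar 27 08:20:49 sten proftpd[5521]: connect from 80.250.56.157 (80.250.56.157)
Mar 27 08:21:02 sten proftpd[5525]: connect from 80.250.56.157 (80.250.56.157)
Mar 27 09:10:00 sten proftpd[5601]: connect from 192.0.2.10 (client.example.net)
"""
# Constructed /etc/hosts: the server's own name points at an address it no longer has.
SAMPLE_HOSTS = """\
192.168.122.14  sten.example.net sten   # hypothetical stale entry
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: "
                     r"connect from (?P<ip>\S+) \((?P<name>[^)]*)\)$")
def parse_connects(text, year=2016):
    """(timestamp, source IP, reverse name) per 'connect from' line; syslog omits the year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["name"]))
    return events

def flag_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Source IPs with >= threshold connects inside a sliding window -> {ip: peak count}."""
    by_ip = {}
    for ts, ip, _ in events:
        by_ip.setdefault(ip, []).append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1            # drop connects that fell out of the window
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

def stale_hosts_entries(hosts_text, local_addrs):
    """Names /etc/hosts maps to an address this host does not own -> {name: address}."""
    stale = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()     # strip comments, tolerate blank lines
        if len(fields) >= 2 and fields[0] not in local_addrs:
            for name in fields[1:]:
                stale[name] = fields[0]
    return stale
```

Feed `stale_hosts_entries` the set of addresses actually bound on the server's interfaces; any name it returns is one that proftpd (or any other daemon doing name lookups) will log with an address the host does not really have.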