Security Basics mailing list archives

blocking IPs for FTP server

From: "Ng, Edward B" <edward.ng () eds com>
Date: Mon, 20 Jan 2003 15:57:29 +1100

Hi Folks,

I run an FTP server on a public Linux box which is visible on the internet.
For the last few months, I have had "visitors" who basically attempt to open
multiple connections to the FTP server, and repeatedly try to login as
anonymous. I have ignored this till now, but lately the FTP server has been
shutting itself down because of too many simultaneous connections happening
at the same time by these anonymous attempts. I was wondering is there an
application out there which can do a temporary block on the IP of someone
who has tried to login to FTP too many times and failed? I am currently
running an iptables firewall, but I do not want IPs to be permanently
blocked, just say blocked for 24 hours and then allowed again.

Jan 12 14:36:21 warp proftpd[5073]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened. 
Jan 12 14:36:22 warp proftpd[5074]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened. 
Jan 12 14:36:22 warp proftpd[5072]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous' 
Jan 12 14:36:22 warp proftpd[5075]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened. 
Jan 12 14:36:22 warp proftpd[5073]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous' 
Jan 12 14:36:22 warp proftpd[5072]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed. 
Jan 12 14:36:22 warp proftpd[5074]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous' 
Jan 12 14:36:22 warp proftpd[5073]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed. 
Jan 12 14:36:22 warp proftpd[5074]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed. 
Jan 12 14:36:22 warp proftpd[5075]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous' 
Jan 12 14:36:22 warp proftpd[5076]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened. 
Jan 12 14:36:22 warp proftpd[5077]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened. 
Jan 12 14:36:22 warp proftpd[5078]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened. 
Jan 12 14:36:22 warp proftpd[5079]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened. 
Jan 12 14:36:22 warp proftpd[5075]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed. 
Jan 12 14:36:22 warp proftpd[5080]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened. 
Jan 12 14:36:22 warp proftpd[5081]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened. 
Jan 12 14:36:22 warp proftpd[5083]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened. 

regards


Edward Ng

EDS Australia Pty. Ltd.
email : edward.ng () eds com

Current thread:

blocking IPs for FTP server Ng, Edward B (Jan 23)
- <Possible follow-ups>
- RE: blocking IPs for FTP server Ng, Edward B (Jan 24)
  - RE: blocking IPs for FTP server Rob Stevens (Jan 24)
- Re: blocking IPs for FTP server Michael Conroy (Jan 24)
- Re: blocking IPs for FTP server Chris Berry (Jan 24)