Security Basics mailing list archives
RE: blocking IPs for FTP server
From: "Ng, Edward B" <edward.ng () eds com>
Date: Fri, 24 Jan 2003 11:51:44 +1100
Hi Rob,

Thanks for the suggestions. I am using RH 7.2 and ProFTP 1.25. I have considered using Portsentry. However, won't it detect legitimate users as intruders? All my users have usernames and passwords, however I do have a virtual server on one IP which has anonymous access. But the people who have been hammering me literally try all the IPs that the server is visible on and can sometimes end up holding too many open connections. I have recently restricted the server to a max of 3 open connections per host (which has helped!), but I feel that it would be nice if I can find a way to detect that someone has been trying so often that he can't be a legitimate user and then ban him for a while.

In fact, lately some of these guys have been trying on my IMAP and SMTP ports also. I actually have qmail running and have webmail capability, so these guys know I have a live server, but they seem to be trying a form of brute force guessing game to try to get in.

-----Original Message-----
From: Rob Stevens [mailto:rob () linuxgawd com]
Sent: Friday, 24 January 2003 4:54 AM
To: Ng, Edward B
Subject: RE: blocking IPs for FTP server

Edward,

What distribution are you using on the FTP server? You may want to use portsentry and set up a cron job to flush the IP addresses once a day or something like that.

-----Original Message-----
From: Ng, Edward B [mailto:edward.ng () eds com]
Sent: January 19, 2003 11:57 PM
To: security-basics () securityfocus com
Subject: blocking IPs for FTP server

Hi Folks,

I run an FTP server on a public Linux box which is visible on the internet. For the last few months, I have had "visitors" who basically attempt to open multiple connections to the FTP server, and repeatedly try to login as anonymous. I have ignored this till now, but lately the FTP server has been shutting itself down because of too many simultaneous connections happening at the same time by these anonymous attempts.

I was wondering whether there is an application out there which can do a temporary block on the IP of someone who has tried to login to FTP too many times and failed? I am currently running an iptables firewall, but I do not want IPs to be permanently blocked, just say blocked for 24 hours and then allowed again.

Jan 12 14:36:21 warp proftpd[5073]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5074]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5072]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous'
Jan 12 14:36:22 warp proftpd[5075]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5073]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous'
Jan 12 14:36:22 warp proftpd[5072]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed.
Jan 12 14:36:22 warp proftpd[5074]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous'
Jan 12 14:36:22 warp proftpd[5073]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed.
Jan 12 14:36:22 warp proftpd[5074]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed.
Jan 12 14:36:22 warp proftpd[5075]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous'
Jan 12 14:36:22 warp proftpd[5076]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5077]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5078]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5079]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5075]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed.
Jan 12 14:36:22 warp proftpd[5080]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5081]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5083]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.

regards
Edward Ng
EDS Australia Pty. Ltd.
email : edward.ng () eds com
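The detection Edward describes (many failed logins from one host in a short span, then a block that lifts itself after 24 hours rather than a permanent iptables rule) can be built from the ProFTPD log format quoted in the thread. The script below is an added example, not code from the thread or from ProFTPD; the threshold, the one-minute window, the port-21 DROP rule and the sample log lines are assumptions constructed for the example, and it only produces the commands rather than running them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the ProFTPD log format quoted in the thread
# (host names and addresses are made up for this example).
SAMPLE_LOG = """\
Jan 12 14:36:21 warp proftpd[5073]: warp.example.net (c1.example[198.51.100.7]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5073]: warp.example.net (c1.example[198.51.100.7]) - no such user 'anonymous'
Jan 12 14:36:22 warp proftpd[5074]: warp.example.net (c1.example[198.51.100.7]) - no such user 'anonymous'
Jan 12 14:36:23 warp proftpd[5075]: warp.example.net (c1.example[198.51.100.7]) - no such user 'anonymous'
Jan 12 14:36:24 warp proftpd[5076]: warp.example.net (c1.example[198.51.100.7]) - no such user 'anonymous'
Jan 12 14:40:00 warp proftpd[5090]: warp.example.net (c2.example[203.0.113.9]) - no such user 'anonymous'
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: \S+ "
    r"\(\S*\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]\) - (?P<msg>.*)$"
)
FAIL_MARKER = "no such user"   # ProFTPD's message for a rejected login name

def parse(lines, year):
    """Yield (timestamp, ip, message); syslog omits the year, so one is supplied."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"], m["msg"]

def offenders(lines, year, threshold=4, window=timedelta(minutes=1)):
    """Return {ip: time the threshold was crossed} for hosts with at least
    `threshold` failed logins inside a `window`-long span.  One or two failures
    never trip the rule, so a legitimate user who mistypes is not banned."""
    recent, hits = defaultdict(list), {}
    for ts, ip, msg in parse(lines, year):
        if FAIL_MARKER not in msg or ip in hits:
            continue
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= threshold:
            hits[ip] = ts
    return hits

def ban_plan(hits, ban_for=timedelta(hours=24)):
    """For each offender, the iptables rule to insert now and the matching delete
    to run at `expires` (e.g. from cron), so the block lifts itself after 24h."""
    return [(ip,
             f"iptables -I INPUT -s {ip} -p tcp --dport 21 -j DROP",
             f"iptables -D INPUT -s {ip} -p tcp --dport 21 -j DROP",
             ts + ban_for) for ip, ts in hits.items()]
```

Because the delete command and its expiry time are recorded with the insert, a once-a-day cron job (as Rob suggests) can lift only the bans that have expired instead of flushing every rule.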
Current thread:
- blocking IPs for FTP server Ng, Edward B (Jan 23)
- <Possible follow-ups>
- RE: blocking IPs for FTP server Ng, Edward B (Jan 24)
- RE: blocking IPs for FTP server Rob Stevens (Jan 24)
- Re: blocking IPs for FTP server Michael Conroy (Jan 24)
- Re: blocking IPs for FTP server Chris Berry (Jan 24)