Security Basics mailing list archives
RE: blocking IPs for FTP server
From: "Rob Stevens" <rob () linuxgawd com>
Date: Thu, 23 Jan 2003 20:44:40 -0500
With Port Sentry you can use the Advanced Stealth Scan Detection. With that it scans ports below your specified "ADVANCED_PORTS" (commonly port 1024). While having Port Sentry running it will watch for suspicious traffic from any outside connection. You can select the number of connection attempts from one IP before the alarm is triggered. For example, if an IP connects to ProFTPd more than twice in a row, and you have your SCAN_TRIGGER value set to 2, an alarm will go off (typically dropping the route). SCAN_TRIGGER is applicable to any port on the server, meaning if they are trying your SMTPd, IMAPd or any other service you are running, Port Sentry will drop their route to your box.

-----Original Message-----
From: Ng, Edward B [mailto:edward.ng () eds com]
Sent: January 23, 2003 7:52 PM
To: 'Rob Stevens'
Cc: 'security-basics () securityfocus com'
Subject: RE: blocking IPs for FTP server

Hi Rob,

Thanks for the suggestions. I am using RH 7.2 and ProFTP 1.25. I have considered using Portsentry. However, won't it detect legitimate users as intruders? All my users have usernames and passwords; however, I do have a virtual server on one IP which has anonymous access. But the people who have been hammering me literally try all the IPs that the server is visible on and can sometimes end up holding too many open connections. I have recently restricted the server to a max of 3 open connections per host (which has helped!), but I feel that it would be nice if I can find a way to detect that someone has been trying so often that he can't be a legitimate user and then ban him for a while.

In fact, lately some of these guys have been trying on my IMAP and SMTP ports also. I actually have qmail running and have webmail capability, so these guys know I have a live server, but they seem to be trying a form of brute-force guessing game to try to get in.

-----Original Message-----
From: Rob Stevens [mailto:rob () linuxgawd com]
Sent: Friday, 24 January 2003 4:54 AM
To: Ng, Edward B
Subject: RE: blocking IPs for FTP server

Edward,

What distribution are you using on the FTP server? You may want to use portsentry and set up a cron job to flush the IP addresses once a day or something like that.

-----Original Message-----
From: Ng, Edward B [mailto:edward.ng () eds com]
Sent: January 19, 2003 11:57 PM
To: security-basics () securityfocus com
Subject: blocking IPs for FTP server

Hi Folks,

I run an FTP server on a public Linux box which is visible on the internet. For the last few months, I have had "visitors" who basically attempt to open multiple connections to the FTP server, and repeatedly try to log in as anonymous. I have ignored this till now, but lately the FTP server has been shutting itself down because of too many simultaneous connections happening at the same time by these anonymous attempts.

I was wondering, is there an application out there which can do a temporary block on the IP of someone who has tried to log in to FTP too many times and failed? I am currently running an iptables firewall, but I do not want IPs to be permanently blocked, just say blocked for 24 hours and then allowed again.

Jan 12 14:36:21 warp proftpd[5073]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5074]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5072]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous'
Jan 12 14:36:22 warp proftpd[5075]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5073]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous'
Jan 12 14:36:22 warp proftpd[5072]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed.
Jan 12 14:36:22 warp proftpd[5074]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous'
Jan 12 14:36:22 warp proftpd[5073]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed.
Jan 12 14:36:22 warp proftpd[5074]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed.
Jan 12 14:36:22 warp proftpd[5075]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous'
Jan 12 14:36:22 warp proftpd[5076]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5077]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5078]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5079]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5075]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed.
Jan 12 14:36:22 warp proftpd[5080]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5081]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5083]: warp.linux-server.com (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.

regards
Edward Ng
EDS Australia Pty. Ltd.
email : edward.ng () eds com
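What Edward asks for in the original post, a temporary block that lapses after 24 hours rather than a permanent iptables rule, worked through as an added example; this is not code from the thread, from ProFTPD or from Port Sentry. It assumes the ProFTPD log format quoted above, the year 2003 for the year-less syslog timestamps, a threshold of 3 failed logins within 10 minutes, and a 24-hour ban; it only renders the iptables commands (block now, delete at unban time) rather than running them, so legitimate users who mistype once are never touched.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the ProFTPD log format quoted in the thread; the IP is the bracketed token.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: \S+ "
                     r"\(\S+\[(?P<ip>[\d.]+)\]\) - (?P<msg>.*)$")
FAIL_MARKER = "no such user"   # ProFTPD's message for a rejected login name
YEAR = 2003                    # syslog lines carry no year; assumed for the sample
def parse(line):
    m = LINE_RE.match(line)   # -> (timestamp, source_ip, message) or None
    if not m:
        return None
    return datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"], m["msg"]

def plan_bans(lines, threshold=3, window=timedelta(minutes=10), ban_for=timedelta(hours=24)):
    """(ip, banned_at, unban_at) per IP reaching `threshold` failures in `window`;
    failures during an active ban are ignored, and the count restarts once it lapses."""
    recent, banned_until, bans = defaultdict(deque), {}, []   # recent: ip -> failure times
    for line in lines:
        parsed = parse(line)
        if parsed is None or FAIL_MARKER not in parsed[2]:
            continue
        ts, ip, _ = parsed
        if ts < banned_until.get(ip, ts):
            continue                  # already dropped by the firewall
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:     # forget failures older than the window
            q.popleft()
        if len(q) >= threshold:
            banned_until[ip] = ts + ban_for
            bans.append((ip, ts, ts + ban_for))
            q.clear()
    return bans

def iptables_commands(bans):
    """Block rule to run now, plus the delete to schedule (cron or at) for the unban time."""
    return [c for ip, _at, until in bans for c in (
        f"iptables -I INPUT -s {ip} -j DROP",
        f"# at {until:%b %d %H:%M}: iptables -D INPUT -s {ip} -j DROP")]

# Constructed sample in the thread's log format (documentation-range IPs, not real hosts).
SAMPLE = [
    "Jan 12 14:36:22 warp proftpd[5073]: warp.linux-server.com (h1.example[192.0.2.10]) - no such user 'anonymous'",
    "Jan 12 14:36:22 warp proftpd[5074]: warp.linux-server.com (h1.example[192.0.2.10]) - no such user 'anonymous'",
    "Jan 12 14:36:23 warp proftpd[5075]: warp.linux-server.com (h2.example[192.0.2.20]) - no such user 'anonymous'",
    "Jan 12 14:36:23 warp proftpd[5076]: warp.linux-server.com (h1.example[192.0.2.10]) - no such user 'anonymous'",
    "Jan 12 14:36:24 warp proftpd[5077]: warp.linux-server.com (h1.example[192.0.2.10]) - no such user 'anonymous'",
]
print("\n".join(iptables_commands(plan_bans(SAMPLE))))
```

On the sample, only 192.0.2.10 is banned (its fourth failure arrives while the ban is active and is ignored); 192.0.2.20, with a single failure, is left alone.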