Security Basics mailing list archives

RE: blocking IPs for FTP server


From: "Rob Stevens" <rob () linuxgawd com>
Date: Thu, 23 Jan 2003 20:44:40 -0500

With Port Sentry you can use the Advanced Stealth Scan Detection.  With that
it scans ports below your specified "ADVANCED_PORTS" (commonly port 1024).

While having Port Sentry running it will watch for suspicious traffic from
any outside connection.  You can select the number of connection attempts
from one IP before the alarm is triggered.

For example if an IP connects to ProFTPd more than twice in a row, and you
have your SCAN_TRIGGER value set to 2, an alarm will go off (typically
dropping the route).  SCAN_TRIGGER is applicable to any port on the server,
meaning if they are trying your SMTPd, IMAPd or any other service you are
running Port Sentry will drop their route to your box.

-----Original Message-----
From: Ng, Edward B [mailto:edward.ng () eds com]
Sent: January 23, 2003 7:52 PM
To: 'Rob Stevens'
Cc: 'security-basics () securityfocus com'
Subject: RE: blocking IPs for FTP server


Hi Rob,

Thanks for the suggestions,
I am using RH 7.2 and ProFTP 1.25. I have considered using Portsentry.
However, won't it detect legitimate users as intruders? All my users have
usernames and passwords, however I do have a virtual server on one IP which
has anonymous access. But the people who have been hammering me literally
try all the IPs that the server is visible on and can sometimes end up
holding too many open connections. I have recently restricted the server to
a max of 3 open connections per host (which has helped!), but I feel that it
would be nice if I can find a way to detect that someone has been trying so
often that he can't be a legitimate user and then ban him for a while. In
fact, lately some of these guys have been trying on my IMAP and SMTP ports
also. I actually have qmail running and have webmail capability, so these
guys know I have a live server, but they seem to be trying a form of brute
force guessing game to try to get in.


-----Original Message-----
From: Rob Stevens [mailto:rob () linuxgawd com]
Sent: Friday, 24 January 2003 4:54 AM
To: Ng, Edward B
Subject: RE: blocking IPs for FTP server


Edward,
What distribution are you using on the FTP server?  You may want to use
portsentry and set up a cron job to flush the IP addresses once a day or
something like that.

-----Original Message-----
From: Ng, Edward B [mailto:edward.ng () eds com]
Sent: January 19, 2003 11:57 PM
To: security-basics () securityfocus com
Subject: blocking IPs for FTP server


Hi Folks,

I run an FTP server on a public Linux box which is visible on the internet.
For the last few months, I have had "visitors" who basically attempt to open
multiple connections to the FTP server, and repeatedly try to login as
anonymous. I have ignored this till now, but lately the FTP server has been
shutting itself down because of too many simultaneous connections happening
at the same time by these anonymous attempts. I was wondering whether there is
an application out there which can do a temporary block on the IP of someone
who has tried to log in to FTP too many times and failed? I am currently
running an iptables firewall, but I do not want IPs to be permanently
blocked, just say blocked for 24 hours and then allowed again.

Jan 12 14:36:21 warp proftpd[5073]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5074]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5072]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous'
Jan 12 14:36:22 warp proftpd[5075]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5073]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous'
Jan 12 14:36:22 warp proftpd[5072]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed.
Jan 12 14:36:22 warp proftpd[5074]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous'
Jan 12 14:36:22 warp proftpd[5073]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed.
Jan 12 14:36:22 warp proftpd[5074]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed.
Jan 12 14:36:22 warp proftpd[5075]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous'
Jan 12 14:36:22 warp proftpd[5076]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5077]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5078]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5079]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5075]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed.
Jan 12 14:36:22 warp proftpd[5080]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5081]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5083]: warp.linux-server.com
(dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.

regards


Edward Ng

EDS Australia Pty. Ltd.
email : edward.ng () eds com
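A small detector for the pattern shown in the log above, added here as an illustration and not part of the thread: it parses proftpd syslog lines in that format, counts failed logins per client IP inside a time window, and produces the temporary block with a 24-hour expiry that the original poster asked for, so ordinary users who merely open sessions are never counted. The sample lines, hostnames and addresses are constructed, and the year (syslog timestamps carry none), threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# proftpd line as written to syslog (one entry per line; the quoted mail wrapped them).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: "
    r"\S+ \(\S+\[(?P<ip>[\d.]+)\]\) - (?P<msg>.*)$"
)

# Constructed sample in the thread's format: one client hammering, one single
# failure, one client with three failures spread over hours (not a burst).
SAMPLE_LOG = """\
Jan 12 14:36:21 warp proftpd[5073]: warp.example.com (c1.example.net[203.0.113.7]) - FTP session opened.
Jan 12 14:36:22 warp proftpd[5073]: warp.example.com (c1.example.net[203.0.113.7]) - no such user 'anonymous'
Jan 12 14:36:22 warp proftpd[5074]: warp.example.com (c1.example.net[203.0.113.7]) - no such user 'anonymous'
Jan 12 14:36:22 warp proftpd[5073]: warp.example.com (c1.example.net[203.0.113.7]) - FTP session closed.
Jan 12 14:36:23 warp proftpd[5075]: warp.example.com (c1.example.net[203.0.113.7]) - no such user 'anonymous'
Jan 12 14:40:01 warp proftpd[5090]: warp.example.com (c2.example.net[198.51.100.9]) - no such user 'anonymous'
Jan 12 09:00:00 warp proftpd[4001]: warp.example.com (c3.example.net[198.51.100.20]) - no such user 'anonymous'
Jan 12 11:00:00 warp proftpd[4002]: warp.example.com (c3.example.net[198.51.100.20]) - no such user 'anonymous'
Jan 12 13:00:00 warp proftpd[4003]: warp.example.com (c3.example.net[198.51.100.20]) - no such user 'anonymous'
"""


def find_offenders(log_text, threshold=3, window=timedelta(minutes=10),
                   ban_for=timedelta(hours=24), year=2003):
    """Return {ip: ban_expiry} for IPs with `threshold` failed logins inside `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Only failed logins count; "FTP session opened" alone is normal traffic.
        if not m or not m.group("msg").startswith("no such user"):
            continue
        ts = re.sub(r"\s+", " ", m.group("ts"))  # syslog pads single-digit days
        failures[m.group("ip")].append(
            datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"))
    bans = {}
    for ip, times in failures.items():
        times.sort()
        # Sliding window: ban as soon as any `threshold` consecutive failures fit in `window`.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bans[ip] = times[i + threshold - 1] + ban_for
                break
    return bans


def iptables_commands(bans):
    """Render DROP rules for an operator to apply; the expiry tells a cron job when to remove them."""
    return [f"iptables -I INPUT -s {ip} -j DROP  # until {exp:%Y-%m-%d %H:%M:%S}"
            for ip, exp in sorted(bans.items())]
```

Lowering `threshold` or widening `window` trades fewer missed bursts for more chance of catching a forgetful legitimate user, which is the concern raised in the thread.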


