blocking IPs for FTP server

From: Ng, Edward B (edward.ng@eds.com)
Date: 01/20/03

    From: "Ng, Edward B" <edward.ng@eds.com>
    To: security-basics@securityfocus.com
    Date: Mon, 20 Jan 2003 15:57:29 +1100
    
    

    Hi Folks,

    I run an FTP server on a public Linux box which is visible on the internet.
    For the last few months, I have had "visitors" who basically attempt to open
    multiple connections to the FTP server, and repeatedly try to log in as
    anonymous. I have ignored this till now, but lately the FTP server has been
    shutting itself down because of too many simultaneous connections happening
    at the same time by these anonymous attempts. I was wondering, is there an
    application out there which can do a temporary block on the IP of someone
    who has tried to log in to FTP too many times and failed? I am currently
    running an iptables firewall, but I do not want IPs to be permanently
    blocked, just say blocked for 24 hours and then allowed again.

    Jan 12 14:36:21 warp proftpd[5073]: warp.linux-server.com
    (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
    Jan 12 14:36:22 warp proftpd[5074]: warp.linux-server.com
    (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
    Jan 12 14:36:22 warp proftpd[5072]: warp.linux-server.com
    (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous'
    Jan 12 14:36:22 warp proftpd[5075]: warp.linux-server.com
    (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
    Jan 12 14:36:22 warp proftpd[5073]: warp.linux-server.com
    (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous'
    Jan 12 14:36:22 warp proftpd[5072]: warp.linux-server.com
    (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed.
    Jan 12 14:36:22 warp proftpd[5074]: warp.linux-server.com
    (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous'
    Jan 12 14:36:22 warp proftpd[5073]: warp.linux-server.com
    (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed.
    Jan 12 14:36:22 warp proftpd[5074]: warp.linux-server.com
    (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed.
    Jan 12 14:36:22 warp proftpd[5075]: warp.linux-server.com
    (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous'
    Jan 12 14:36:22 warp proftpd[5076]: warp.linux-server.com
    (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
    Jan 12 14:36:22 warp proftpd[5077]: warp.linux-server.com
    (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
    Jan 12 14:36:22 warp proftpd[5078]: warp.linux-server.com
    (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
    Jan 12 14:36:22 warp proftpd[5079]: warp.linux-server.com
    (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
    Jan 12 14:36:22 warp proftpd[5075]: warp.linux-server.com
    (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed.
    Jan 12 14:36:22 warp proftpd[5080]: warp.linux-server.com
    (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
    Jan 12 14:36:22 warp proftpd[5081]: warp.linux-server.com
    (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
    Jan 12 14:36:22 warp proftpd[5083]: warp.linux-server.com
    (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.

    regards

    Edward Ng

    EDS Australia Pty. Ltd.
    email : edward.ng@eds.com
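
One way to get the temporary block asked about above, as an added example that is not part of the original post: count the `no such user` records per source IP in the proftpd log and turn repeat offenders into 24-hour `ipset` entries that an iptables rule matches. The thresholds, the set name `ftpban`, the availability of `ipset`, and the sample log (documentation addresses, constructed) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the post's proftpd syslog format; the second record is
# wrapped over two lines the way the mail client wrapped the log in the post.
SAMPLE_LOG = """\
Jan 12 14:36:22 warp proftpd[5072]: ftp.example.net (a.example[192.0.2.10]) - no such user 'anonymous'
Jan 12 14:36:22 warp proftpd[5073]: ftp.example.net
(a.example[192.0.2.10]) - no such user 'anonymous'
Jan 12 14:36:23 warp proftpd[5074]: ftp.example.net (a.example[192.0.2.10]) - no such user 'anonymous'
Jan 12 14:36:23 warp proftpd[5072]: ftp.example.net (a.example[192.0.2.10]) - FTP session closed.
Jan 12 14:36:24 warp proftpd[5075]: ftp.example.net (a.example[192.0.2.10]) - no such user 'anonymous'
Jan 12 14:36:25 warp proftpd[5076]: ftp.example.net (a.example[192.0.2.10]) - no such user 'anonymous'
Jan 12 14:40:00 warp proftpd[5090]: ftp.example.net (b.example[198.51.100.7]) - no such user 'anonymous'
"""

# \s+ between fields also matches a newline, so wrapped records still parse.
FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]:\s+\S+\s+"
    r"\(\S*\[([\d.]+)\]\) - no such user", re.M)

def find_bans(log_text, year, max_failures=5,
              window=timedelta(minutes=1), ban=timedelta(hours=24)):
    """Return {ip: (ban_start, ban_end)} for IPs with max_failures inside window."""
    recent, bans = defaultdict(deque), {}
    for m in FAIL_RE.finditer(log_text):
        # syslog omits the year, so the caller supplies it
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in bans and when < bans[ip][1]:
            continue  # already banned at this point in the log
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()  # forget failures older than the window
        if len(q) >= max_failures:
            bans[ip] = (when, when + ban)
            q.clear()
    return bans

def ipset_commands(bans, now, set_name="ftpban"):
    """ipset entries for bans still active at `now`; the kernel expires them."""
    cmds = []
    for ip, (_, end) in sorted(bans.items()):
        remaining = int((end - now).total_seconds())
        if remaining > 0:
            cmds.append(f"ipset add {set_name} {ip} timeout {remaining} -exist")
    return cmds

if __name__ == "__main__":
    print("\n".join(ipset_commands(find_bans(SAMPLE_LOG, 2003), datetime(2003, 1, 12, 15, 0))))
```

The set and the matching rule are created once beforehand with `ipset create ftpban hash:ip timeout 86400` and `iptables -I INPUT -p tcp --dport 21 -m set --match-set ftpban src -j DROP`; the script can then run from cron against the live log.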


