Re: blocking IPs for FTP server

From: Eric Nelson (en@megahosted.com)
Date: 01/24/03

    Date: Thu, 23 Jan 2003 15:41:54 -0800
    From: Eric Nelson <en@megahosted.com>
    To: security-basics@securityfocus.com
    
    

    On Mon, Jan 20, 2003 at 03:57:29PM +1100, Ng, Edward B wrote:
    > Hi Folks,
    >
    > I run an FTP server on a public Linux box which is visible on the internet.
    > For the last few months, I have had "visitors" who basically attempt to open
    > multiple connections to the FTP server, and repeatedly try to login as
    > anonymous. I have ignored this till now, but lately the FTP server has been
    > shutting itself down because of too many simultaneous connections happening
    > at the same time by these anonymous attempts. I was wondering is there an
    > application out there which can do a temporary block on the IP of someone
    > who has tried to login to FTP too many times and failed? I am currently
    > running an iptables firewall, but I do not want IPs to be permanently
    > blocked, just say blocked for 24 hours and then allowed again.
    >
    > Jan 12 14:36:21 warp proftpd[5073]: warp.linux-server.com
    > (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
    > Jan 12 14:36:22 warp proftpd[5074]: warp.linux-server.com
    > (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
    > Jan 12 14:36:22 warp proftpd[5072]: warp.linux-server.com
    > (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous'
    > Jan 12 14:36:22 warp proftpd[5075]: warp.linux-server.com
    > (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
    > Jan 12 14:36:22 warp proftpd[5073]: warp.linux-server.com
    > (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous'
    > Jan 12 14:36:22 warp proftpd[5072]: warp.linux-server.com
    > (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed.
    > Jan 12 14:36:22 warp proftpd[5074]: warp.linux-server.com
    > (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous'
    > Jan 12 14:36:22 warp proftpd[5073]: warp.linux-server.com
    > (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed.
    > Jan 12 14:36:22 warp proftpd[5074]: warp.linux-server.com
    > (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed.
    > Jan 12 14:36:22 warp proftpd[5075]: warp.linux-server.com
    > (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - no such user 'anonymous'
    > Jan 12 14:36:22 warp proftpd[5076]: warp.linux-server.com
    > (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
    > Jan 12 14:36:22 warp proftpd[5077]: warp.linux-server.com
    > (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
    > Jan 12 14:36:22 warp proftpd[5078]: warp.linux-server.com
    > (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
    > Jan 12 14:36:22 warp proftpd[5079]: warp.linux-server.com
    > (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
    > Jan 12 14:36:22 warp proftpd[5075]: warp.linux-server.com
    > (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session closed.
    > Jan 12 14:36:22 warp proftpd[5080]: warp.linux-server.com
    > (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
    > Jan 12 14:36:22 warp proftpd[5081]: warp.linux-server.com
    > (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
    > Jan 12 14:36:22 warp proftpd[5083]: warp.linux-server.com
    > (dclient217-162-35-70.hispeed.ch[217.162.35.70]) - FTP session opened.
    >
    > regards
    >
    >
    > Edward Ng
    >
    > EDS Australia Pty. Ltd.
    > email : edward.ng@eds.com
    >
    >
    >

    I imagine you could configure Portsentry to do this for you with some
    crafty configuring. I would look into that and/or possibly using a log
    rule for iptables combined with a script to look for these people
    hammering on the server and set a drop rule based on them.

    Another good move might be to start your ftpd on a different port if
    possible so as to separate the legitimate users from these spammers.

    -- 
    Eric Nelson	<en@megahosted.com>	GPG-key: C4AB5707
    http://www.megahosted.com/~en/
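
One way to build the log-watching script suggested in the reply above, with the 24-hour expiry asked for in the original question. This is an added example, not code from either poster: the sample log lines, host names, threshold, window and year are constructed assumptions, and the script only builds the iptables command strings without running them.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the proftpd syslog format quoted above
# (documentation IP ranges and hypothetical host names).
SAMPLE_LOG = """\
Jan 12 14:36:21 ftp proftpd[5072]: ftp.example.net (host-a.example[203.0.113.7]) - FTP session opened.
Jan 12 14:36:22 ftp proftpd[5072]: ftp.example.net (host-a.example[203.0.113.7]) - no such user 'anonymous'
Jan 12 14:36:22 ftp proftpd[5073]: ftp.example.net (host-a.example[203.0.113.7]) - no such user 'anonymous'
Jan 12 14:36:23 ftp proftpd[5074]: ftp.example.net (host-a.example[203.0.113.7]) - no such user 'anonymous'
Jan 12 14:36:24 ftp proftpd[5075]: ftp.example.net (host-a.example[203.0.113.7]) - no such user 'anonymous'
Jan 12 14:40:00 ftp proftpd[5090]: ftp.example.net (host-b.example[198.51.100.9]) - no such user 'anonymous'
Jan 12 15:10:00 ftp proftpd[5101]: ftp.example.net (host-b.example[198.51.100.9]) - no such user 'anonymous'
"""

# Use only the bracketed address: the reverse-DNS name before it is chosen
# by whoever controls the client's PTR record and must not reach a command.
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: \S+ "
                  r"\(\S*\[([0-9.]+)\]\) - no such user ")

def find_offenders(log_text, year, threshold=3, window=timedelta(seconds=60)):
    """Return {ip: time the threshold was reached} for failed-login bursts."""
    recent, offenders = defaultdict(deque), {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        try:  # reject anything that is not a well-formed IPv4 address
            ip = str(ipaddress.IPv4Address(m.group(2)))
        except ValueError:
            continue
        # syslog timestamps carry no year, so the caller supplies it
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:   # slide the window forward
            hits.popleft()
        if len(hits) >= threshold and ip not in offenders:
            offenders[ip] = when
    return offenders

def block_plan(offenders, block_for=timedelta(hours=24), port=21):
    """Return (add_rule, delete_rule, expiry) per offender; nothing is run."""
    plan = []
    for ip, when in sorted(offenders.items()):
        rule = f"INPUT -s {ip} -p tcp --dport {port} -j DROP"
        plan.append((f"iptables -I {rule}", f"iptables -D {rule}", when + block_for))
    return plan
```

The delete rule mirrors the insert rule exactly, so a scheduled job can remove the block once the expiry time has passed.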
    

