Index: [Article Count Order] [Thread] 
Date:  Fri, 8 Sep 2006 18:17:49 +0100
From:  "Colin Jack" <colin (at mark) mainline.co.uk>
Subject:  [coba-e:06793] FTP flooding
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <F07DD4D0940AFF41A207BE85479D2AFF1818ED (at mark) server.mainline.local>
X-Mail-Count: 06793

We are seeing a lot of this on our servers (lots from Poland & Romania,
but also elsewhere ... example is French) ..

Sep  6 06:41:15 server1 proftpd[28177]: server1.mainline.co.uk
(213.246.40.55[213.246.40.55]) - FTP session closed.
Sep  6 06:41:15 server1 proftpd[28178]: server1.mainline.co.uk
(213.246.40.55[213.246.40.55]) - FTP session opened.
Sep  6 06:41:15 server1 proftpd[28178]: server1.mainline.co.uk
(213.246.40.55[213.246.40.55]) - no such user 'User'
Sep  6 06:41:15 server1 proftpd[28178]: server1.mainline.co.uk
(213.246.40.55[213.246.40.55]) - FTP session closed.
Sep  6 06:41:15 server1 proftpd[28179]: server1.mainline.co.uk
(213.246.40.55[213.246.40.55]) - FTP session opened.
Sep  6 06:41:15 server1 proftpd[28179]: server1.mainline.co.uk
(213.246.40.55[213.246.40.55]) - no such user 'User'
Sep  6 06:41:15 server1 proftpd[28179]: server1.mainline.co.uk
(213.246.40.55[213.246.40.55]) - FTP session closed.
Sep  6 06:41:15 server1 proftpd[28180]: server1.mainline.co.uk
(213.246.40.55[213.246.40.55]) - FTP session opened.
Sep  6 06:41:15 server1 proftpd[28180]: server1.mainline.co.uk
(213.246.40.55[213.246.40.55]) - no such user 'User'
Sep  6 06:41:15 server1 proftpd[28180]: server1.mainline.co.uk
(213.246.40.55[213.246.40.55]) - FTP session closed.

What is the best way to deal with this?
We can't restrict the IP range because we have clients all over the
world updating web sites etc.
Might be worth restricting the number of connections per IP per minute
or something similar if this is possible?

Any ideas blues?

Thanks

Colin