Date:  Fri, 8 Sep 2006 11:25:08 -0700
From:  "Adam Crews" <adam.crews (at mark) gmail.com>
Subject:  [coba-e:06794] Re: FTP flooding
To:  coba-e (at mark) bluequartz.org
Message-Id:  <1486c6440609081125h192a0adas870b8630972b1676 (at mark) mail.gmail.com>
In-Reply-To:  <F07DD4D0940AFF41A207BE85479D2AFF1818ED (at mark) server.mainline.local>
References:  <F07DD4D0940AFF41A207BE85479D2AFF1818ED (at mark) server.mainline.local>
X-Mail-Count: 06794

I don't have a direct answer to your question...  but I use this:
http://www.csc.liv.ac.uk/~greg/sshdfilter/index_15.html
to stop the same attacks on sshd.

If you were up for a weekend project, it shouldn't be too difficult to
change the script to work for ftp messages.

-Adam

On 9/8/06, Colin Jack <colin (at mark) mainline.co.uk> wrote:
> We are seeing a lot of this on our servers (lots from Poland & Romania,
> but also elsewhere ... example is French) ..
>
> Sep  6 06:41:15 server1 proftpd[28177]: server1.mainline.co.uk
> (213.246.40.55[213.246.40.55]) - FTP session closed.
> Sep  6 06:41:15 server1 proftpd[28178]: server1.mainline.co.uk
> (213.246.40.55[213.246.40.55]) - FTP session opened.
> Sep  6 06:41:15 server1 proftpd[28178]: server1.mainline.co.uk
> (213.246.40.55[213.246.40.55]) - no such user 'User'
> Sep  6 06:41:15 server1 proftpd[28178]: server1.mainline.co.uk
> (213.246.40.55[213.246.40.55]) - FTP session closed.
> Sep  6 06:41:15 server1 proftpd[28179]: server1.mainline.co.uk
> (213.246.40.55[213.246.40.55]) - FTP session opened.
> Sep  6 06:41:15 server1 proftpd[28179]: server1.mainline.co.uk
> (213.246.40.55[213.246.40.55]) - no such user 'User'
> Sep  6 06:41:15 server1 proftpd[28179]: server1.mainline.co.uk
> (213.246.40.55[213.246.40.55]) - FTP session closed.
> Sep  6 06:41:15 server1 proftpd[28180]: server1.mainline.co.uk
> (213.246.40.55[213.246.40.55]) - FTP session opened.
> Sep  6 06:41:15 server1 proftpd[28180]: server1.mainline.co.uk
> (213.246.40.55[213.246.40.55]) - no such user 'User'
> Sep  6 06:41:15 server1 proftpd[28180]: server1.mainline.co.uk
> (213.246.40.55[213.246.40.55]) - FTP session closed.
>
> What is the best way to deal with this?
> We can't restrict the IP range because we have clients all over the
> world updating web sites etc.
> Might be worth restricting the number of connections per IP per minute
> or something similar if this is possible?
>
> Any ideas blues?
>
> Thanks
>
> Colin
>
>
>


-- 
-----------------------------------------------------------------
Shroom.net Donation Based Web Hosting
http://www.shroom.net/
-----------------------------------------------------------------
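
The adaptation suggested in the reply above, as an added example that is not part of the original message and is not sshdfilter's code: a Python filter that counts proftpd "no such user" lines per client IP in a sliding window and reports the addresses that reach a threshold. The sample uses the proftpd lines quoted above (unwrapped to one line each) plus one constructed line from 192.0.2.10; the function name `offenders`, the threshold, the window and the year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the proftpd syslog format shown in the quoted excerpt:
#   "<Mon dd hh:mm:ss> <host> proftpd[pid]: <vhost> (<name>[<ip>]) - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+proftpd\[\d+\]:\s+\S+\s+"
    r"\((?P<host>[^\[\]]*)\[(?P<ip>[0-9a-fA-F.:]+)\]\)\s+-\s+(?P<msg>.*)$"
)

def offenders(lines, threshold=3, window=timedelta(seconds=60), year=2006):
    """Return {ip: peak failure count} for IPs with >= threshold
    'no such user' events inside any sliding window.
    Syslog timestamps carry no year, so one is assumed (parameter `year`)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or "no such user" not in m["msg"]:
            continue              # session open/close lines and other daemons
        stamp = " ".join(m["ts"].split())          # collapse "Sep  6" padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:                  # drop failures outside window
            q.popleft()
        if len(q) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged

# First six lines: from the quoted log, unwrapped. Last line: constructed,
# a single mistyped login from a legitimate client that must not be flagged.
SAMPLE = """\
Sep  6 06:41:15 server1 proftpd[28178]: server1.mainline.co.uk (213.246.40.55[213.246.40.55]) - FTP session opened.
Sep  6 06:41:15 server1 proftpd[28178]: server1.mainline.co.uk (213.246.40.55[213.246.40.55]) - no such user 'User'
Sep  6 06:41:15 server1 proftpd[28178]: server1.mainline.co.uk (213.246.40.55[213.246.40.55]) - FTP session closed.
Sep  6 06:41:15 server1 proftpd[28179]: server1.mainline.co.uk (213.246.40.55[213.246.40.55]) - no such user 'User'
Sep  6 06:41:15 server1 proftpd[28180]: server1.mainline.co.uk (213.246.40.55[213.246.40.55]) - no such user 'User'
Sep  6 06:41:15 server1 proftpd[28180]: server1.mainline.co.uk (213.246.40.55[213.246.40.55]) - FTP session closed.
Sep  6 06:42:01 server1 proftpd[28201]: server1.mainline.co.uk (192.0.2.10[192.0.2.10]) - no such user 'webmaster'
""".splitlines()

if __name__ == "__main__":
    for ip, count in offenders(SAMPLE).items():
        print(f"{ip}: {count} unknown-user attempts within the window")
```

The returned addresses can be fed to whatever blocking mechanism the server already uses; a low threshold risks locking out a client who mistypes a username a few times.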