
Date:  Fri, 8 Sep 2006 20:36:37 +0200
From:  Michael Stauber <bq (at mark) solarspeed.net>
Subject:  [coba-e:06796] Re: FTP flooding
To:  coba-e (at mark) bluequartz.org
Message-Id:  <200609082036.37437.bq (at mark) solarspeed.net>
In-Reply-To:  <F07DD4D0940AFF41A207BE85479D2AFF1818ED (at mark) server.mainline.local>
References:  <F07DD4D0940AFF41A207BE85479D2AFF1818ED (at mark) server.mainline.local>
X-Mail-Count: 06796

Hi Colin,

> We are seeing a lot of this on our servers (lots from Poland & Romania,
> but also elsewhere ... example is French) ..
>
> Sep  6 06:41:15 server1 proftpd[28177]: server1.mainline.co.uk
> (213.246.40.55[213.246.40.55]) - FTP session closed.
> Sep  6 06:41:15 server1 proftpd[28178]: server1.mainline.co.uk
> (213.246.40.55[213.246.40.55]) - FTP session opened.
> Sep  6 06:41:15 server1 proftpd[28178]: server1.mainline.co.uk
>
> What is the best way to deal with this?

The iptables module "recent" is the best approach to deal with this. Normally 
iptables only looks at each TCP/IP packet once, checks it against the existing 
rules, acts accordingly and then forgets that packet, as it is no longer 
relevant.

With the "recent" module that behaviour is a bit different: iptables 
memorizes past traffic for a certain time. This allows you to create rules that 
match certain behaviour.

So rules like this are possible:

"Temporarily block a source IP from accessing ports 21-23 if it made X 
connections against either port 21, 22 or 23 within the last Y seconds."

With an approach like that it is possible to block excessive usage, floods or 
repeat attempts to connect to the same port from the same IP, which makes it 
ideal to counter brute force attacks against FTP, SSH or related services.

I'm using that method in the new Security Package for BlueQuartz.

-- 

With best regards,

Michael Stauber
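The rule pattern Michael describes, written out as an added example (not code from the original mail or from the BlueQuartz Security Package). The thresholds X=5 connections in Y=60 seconds, the chain name BRUTE and the list name ftpbrute are assumptions; with DRY_RUN=1 (the default) the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: block a source IP from ports 21-23 after HITS new
# connections within WINDOW seconds, using the iptables "recent" module.
# Assumed values; adjust to taste.
PORTS="21,22,23"
HITS=5
WINDOW=60
LIST=ftpbrute

# Wrapper so the rules can be reviewed before they are applied:
# DRY_RUN=1 prints each command, DRY_RUN=0 runs iptables for real (as root).
ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

install_brute_rules() {
    ipt -N BRUTE
    # Only new connection attempts to the watched ports enter the chain;
    # established sessions are not counted again.
    ipt -A INPUT -p tcp -m multiport --dports "$PORTS" -m state --state NEW -j BRUTE
    # If this source already has HITS entries in the last WINDOW seconds,
    # drop the packet; --update also refreshes the timestamp, so the block
    # lasts for as long as the attempts keep coming.
    ipt -A BRUTE -m recent --name "$LIST" --update --seconds "$WINDOW" --hitcount "$HITS" -j DROP
    # Otherwise record this attempt for the source IP and let it through.
    ipt -A BRUTE -m recent --name "$LIST" --set -j ACCEPT
}

# Number of rules the function emits (used to sanity-check the dry run).
rule_count() {
    install_brute_rules | wc -l | tr -d ' '
}

install_brute_rules
```

The recent module keeps only the last 20 timestamps per address by default, so a hitcount above 20 needs the module loaded with a larger ip_pkt_list_tot; the current list can be inspected in /proc/net/xt_recent/ftpbrute on newer kernels (/proc/net/ipt_recent/ on the kernels of that era).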