Date:  Fri, 8 Sep 2006 20:00:24 +0100
From:  "Colin Jack" <colin (at mark) mainline.co.uk>
Subject:  [coba-e:06800] Re: FTP flooding
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <F07DD4D0940AFF41A207BE85479D2AFF1818F0 (at mark) server.mainline.local>
X-Mail-Count: 06800

Thanks Adam ... I will have a look and see whether my *nix skills are up
to it!

Regards

Colin 

> -----Original Message-----
> From: Adam Crews [mailto:adam.crews (at mark) gmail.com] 
> Sent: 08 September 2006 19:25
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:06794] Re: FTP flooding
> 
> I don't have a direct answer to your question...  but I use this:
> http://www.csc.liv.ac.uk/~greg/sshdfilter/index_15.html
> to stop the same attacks on sshd.
> 
> If you were up for a weekend project, it shouldn't be too 
> difficult to change the script to work for ftp messages.
> 
> -Adam
> 
> On 9/8/06, Colin Jack <colin (at mark) mainline.co.uk> wrote:
> > We are seeing a lot of this on our servers (lots from Poland & 
> > Romania, but also elsewhere ... example is French) ..
> >
> > Sep  6 06:41:15 server1 proftpd[28177]: server1.mainline.co.uk
> > (213.246.40.55[213.246.40.55]) - FTP session closed.
> > Sep  6 06:41:15 server1 proftpd[28178]: server1.mainline.co.uk
> > (213.246.40.55[213.246.40.55]) - FTP session opened.
> > Sep  6 06:41:15 server1 proftpd[28178]: server1.mainline.co.uk
> > (213.246.40.55[213.246.40.55]) - no such user 'User'
> > Sep  6 06:41:15 server1 proftpd[28178]: server1.mainline.co.uk
> > (213.246.40.55[213.246.40.55]) - FTP session closed.
> > Sep  6 06:41:15 server1 proftpd[28179]: server1.mainline.co.uk
> > (213.246.40.55[213.246.40.55]) - FTP session opened.
> > Sep  6 06:41:15 server1 proftpd[28179]: server1.mainline.co.uk
> > (213.246.40.55[213.246.40.55]) - no such user 'User'
> > Sep  6 06:41:15 server1 proftpd[28179]: server1.mainline.co.uk
> > (213.246.40.55[213.246.40.55]) - FTP session closed.
> > Sep  6 06:41:15 server1 proftpd[28180]: server1.mainline.co.uk
> > (213.246.40.55[213.246.40.55]) - FTP session opened.
> > Sep  6 06:41:15 server1 proftpd[28180]: server1.mainline.co.uk
> > (213.246.40.55[213.246.40.55]) - no such user 'User'
> > Sep  6 06:41:15 server1 proftpd[28180]: server1.mainline.co.uk
> > (213.246.40.55[213.246.40.55]) - FTP session closed.
> >
> > What is the best way to deal with this?
> > We can't restrict the IP range because we have clients all over the 
> > world updating web sites etc.
> > Might be worth restricting the number of connections per IP per minute
> > or something similar if this is possible?
> >
> > Any ideas blues?
> >
> > Thanks
> >
> > Colin
> >
> >
> >
> 
> 
> --
> -----------------------------------------------------------------
> Shroom.net Donation Based Web Hosting
> http://www.shroom.net/
> -----------------------------------------------------------------
> 
>
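
Added example, not part of either poster's message and not taken from sshdfilter: a sketch of the log-watching approach suggested in the thread, applied to proftpd lines in the format quoted above. It counts "no such user" failures per source IP in a sliding window and reports the IPs that cross a threshold; the threshold, the window, the year (syslog timestamps carry none), the `_line` helper and the 192.0.2.10 entries are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One syslog line per event (the archive wrapped each entry onto two lines).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+proftpd\[\d+\]:\s+\S+\s+"
    r"\([^\[\]]*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+-\s+(?P<msg>.*)$"
)

def find_flooders(lines, threshold=3, window_seconds=60, year=2006):
    """Return {ip: peak failure count} for every IP with at least `threshold`
    failed logins inside any sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["msg"].startswith("no such user "):
            continue              # ignore session opened/closed and other noise
        stamp = " ".join(m["ts"].split())   # collapse the padded day ("Sep  6")
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:           # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks

def _line(ts, pid, ip, msg):
    # Hypothetical helper: rebuilds a single-line entry in the quoted log format.
    return f"{ts} server1 proftpd[{pid}]: server1.mainline.co.uk ({ip}[{ip}]) - {msg}"

# Constructed sample: the three failures quoted in the thread, plus a
# constructed client (192.0.2.10) who mistypes a user name twice, minutes apart.
SAMPLE = [
    _line("Sep  6 06:40:00", 28170, "192.0.2.10", "no such user 'webmastr'"),
    _line("Sep  6 06:41:15", 28178, "213.246.40.55", "FTP session opened."),
    _line("Sep  6 06:41:15", 28178, "213.246.40.55", "no such user 'User'"),
    _line("Sep  6 06:41:15", 28179, "213.246.40.55", "no such user 'User'"),
    _line("Sep  6 06:41:15", 28180, "213.246.40.55", "no such user 'User'"),
    _line("Sep  6 06:45:00", 28190, "192.0.2.10", "no such user 'webmastr'"),
]

if __name__ == "__main__":
    print(find_flooders(SAMPLE))
```

The function only reports; what to do with a flagged address (a firewall rule, a deny entry) is left to the operator, and a short window keeps clients who simply mistype a login from being flagged.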