Care to share any details or configuration-specific settings it took to get
this to work on BQ?
> -----Original Message-----
> From: Adam Crews [mailto:adam.crews (at mark) gmail.com]
> Sent: Friday, September 08, 2006 2:25 PM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:06794] Re: FTP flooding
>
> I don't have a direct answer to your question... but I use this:
> http://www.csc.liv.ac.uk/~greg/sshdfilter/index_15.html
> to stop the same attacks on sshd.
>
> If you were up for a weekend project, it shouldn't be too difficult to
> change the script to work for ftp messages.
>
> -Adam
>
> On 9/8/06, Colin Jack <colin (at mark) mainline.co.uk> wrote:
> > We are seeing a lot of this on our servers (lots from Poland & Romania,
> > but also elsewhere ... example is French) ..
> >
> > Sep 6 06:41:15 server1 proftpd[28177]: server1.mainline.co.uk
> > (213.246.40.55[213.246.40.55]) - FTP session closed.
> > Sep 6 06:41:15 server1 proftpd[28178]: server1.mainline.co.uk
> > (213.246.40.55[213.246.40.55]) - FTP session opened.
> > Sep 6 06:41:15 server1 proftpd[28178]: server1.mainline.co.uk
> > (213.246.40.55[213.246.40.55]) - no such user 'User'
> > Sep 6 06:41:15 server1 proftpd[28178]: server1.mainline.co.uk
> > (213.246.40.55[213.246.40.55]) - FTP session closed.
> > Sep 6 06:41:15 server1 proftpd[28179]: server1.mainline.co.uk
> > (213.246.40.55[213.246.40.55]) - FTP session opened.
> > Sep 6 06:41:15 server1 proftpd[28179]: server1.mainline.co.uk
> > (213.246.40.55[213.246.40.55]) - no such user 'User'
> > Sep 6 06:41:15 server1 proftpd[28179]: server1.mainline.co.uk
> > (213.246.40.55[213.246.40.55]) - FTP session closed.
> > Sep 6 06:41:15 server1 proftpd[28180]: server1.mainline.co.uk
> > (213.246.40.55[213.246.40.55]) - FTP session opened.
> > Sep 6 06:41:15 server1 proftpd[28180]: server1.mainline.co.uk
> > (213.246.40.55[213.246.40.55]) - no such user 'User'
> > Sep 6 06:41:15 server1 proftpd[28180]: server1.mainline.co.uk
> > (213.246.40.55[213.246.40.55]) - FTP session closed.
> >
> > What is the best way to deal with this?
> > We can't restrict the IP range because we have clients all over the
> > world updating web sites etc.
> > Might be worth restricting the number of connections per IP per minute
> > or something similar if this is possible?
> >
> > Any ideas blues?
> >
> > Thanks
> >
> > Colin
> >
> >
> >
>
>
> --
> -----------------------------------------------------------------
> Shroom.net Donation Based Web Hosting
> http://www.shroom.net/
> -----------------------------------------------------------------
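
Added example, not part of the original messages: a sketch of the per-IP rate check suggested in the thread, counting `no such user` events per source address in a sliding window over proftpd syslog lines in the format quoted above. The function name, threshold, window, default year and the sample lines (documentation-range addresses, placeholder hostname) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One proftpd syslog event per line, in the format quoted in the thread:
#   <date> <host> proftpd[<pid>]: <fqdn> (<rdns>[<ip>]) - <message>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+proftpd\[\d+\]:\s+\S+\s+"
    r"\((?P<host>[^\[\]]*)\[(?P<ip>[0-9a-fA-F.:]+)\]\)\s+-\s+(?P<msg>.*)$"
)
FAIL_RE = re.compile(r"^no such user '")

# Constructed sample: one flooding source and one client that mistypes twice.
SAMPLE_LOG = """\
Sep  6 06:41:15 server1 proftpd[28178]: server1.example.org (203.0.113.55[203.0.113.55]) - FTP session opened.
Sep  6 06:41:15 server1 proftpd[28178]: server1.example.org (203.0.113.55[203.0.113.55]) - no such user 'User'
Sep  6 06:41:15 server1 proftpd[28178]: server1.example.org (203.0.113.55[203.0.113.55]) - FTP session closed.
Sep  6 06:41:15 server1 proftpd[28179]: server1.example.org (203.0.113.55[203.0.113.55]) - no such user 'User'
Sep  6 06:41:16 server1 proftpd[28180]: server1.example.org (203.0.113.55[203.0.113.55]) - no such user 'User'
Sep  6 06:45:02 server1 proftpd[28201]: server1.example.org (198.51.100.7[198.51.100.7]) - no such user 'webmaster'
Sep  6 06:55:40 server1 proftpd[28230]: server1.example.org (198.51.100.7[198.51.100.7]) - no such user 'webmaster'
"""


def flooding_sources(lines, threshold=3, window=timedelta(seconds=60), year=2006):
    """Return {ip: peak failure count in any window} for IPs at or over threshold.

    Lines are assumed to be in chronological order. Syslog omits the year,
    so the caller supplies it (assumed default: the year of the thread).
    """
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    peak = defaultdict(int)      # ip -> highest count seen inside one window
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not FAIL_RE.match(m["msg"]):
            continue  # unrelated line, or a session open/close event
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for ip, count in flooding_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed logins within 60s")
```

Because the count is per address and per window, a client that mistypes a username occasionally stays below the threshold while a source that retries several times a second does not.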