I'm using an older version than what is on the website now, but
basically, I just edited the ssh scripts to run sshdfilter instead of
sshd (as documented with sshdfilter). Then I had to hack
/etc/cron.hourly/log_traffic so that it stopped whacking my new
firewall rules.
Look for the following section in log_traffic, and add the below changes...
---------------------------
# This file is automatically generated by log_traffic.
# Any manual changes will be lost
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:acctin - [0:0]
:acctout - [0:0]
:SSHD - [0:0]
-A INPUT -j acctin
-A OUTPUT -j acctout
-A INPUT -p tcp -m tcp --dport 22 -j SSHD" > $FWCONFIGFILE
---------------------------
The only differences are the 2 lines with SSHD.
I think that is all I did. If it doesn't work for you, let me know and
I'll look further.
-Adam
On 9/8/06, Darrell D. Mobley <dmobley (at mark) uhostme.net> wrote:
> Care to share any details or configuration-specific settings it took to get
> this to work on BQ?
>
> > -----Original Message-----
> > From: Adam Crews [mailto:adam.crews (at mark) gmail.com]
> > Sent: Friday, September 08, 2006 2:25 PM
> > To: coba-e (at mark) bluequartz.org
> > Subject: [coba-e:06794] Re: FTP flooding
> >
> > I don't have a direct answer to your question... but I use this:
> > http://www.csc.liv.ac.uk/~greg/sshdfilter/index_15.html
> > to stop the same attacks on sshd.
> >
> > If you were up for a weekend project, it shouldn't be too difficult to
> > change the script to work for ftp messages.
> >
> > -Adam
> >
> > On 9/8/06, Colin Jack <colin (at mark) mainline.co.uk> wrote:
> > > We are seeing a lot of this on our servers (lots from Poland & Romania,
> > > but also elsewhere ... example is French) ..
> > >
> > > Sep 6 06:41:15 server1 proftpd[28177]: server1.mainline.co.uk
> > > (213.246.40.55[213.246.40.55]) - FTP session closed.
> > > Sep 6 06:41:15 server1 proftpd[28178]: server1.mainline.co.uk
> > > (213.246.40.55[213.246.40.55]) - FTP session opened.
> > > Sep 6 06:41:15 server1 proftpd[28178]: server1.mainline.co.uk
> > > (213.246.40.55[213.246.40.55]) - no such user 'User'
> > > Sep 6 06:41:15 server1 proftpd[28178]: server1.mainline.co.uk
> > > (213.246.40.55[213.246.40.55]) - FTP session closed.
> > > Sep 6 06:41:15 server1 proftpd[28179]: server1.mainline.co.uk
> > > (213.246.40.55[213.246.40.55]) - FTP session opened.
> > > Sep 6 06:41:15 server1 proftpd[28179]: server1.mainline.co.uk
> > > (213.246.40.55[213.246.40.55]) - no such user 'User'
> > > Sep 6 06:41:15 server1 proftpd[28179]: server1.mainline.co.uk
> > > (213.246.40.55[213.246.40.55]) - FTP session closed.
> > > Sep 6 06:41:15 server1 proftpd[28180]: server1.mainline.co.uk
> > > (213.246.40.55[213.246.40.55]) - FTP session opened.
> > > Sep 6 06:41:15 server1 proftpd[28180]: server1.mainline.co.uk
> > > (213.246.40.55[213.246.40.55]) - no such user 'User'
> > > Sep 6 06:41:15 server1 proftpd[28180]: server1.mainline.co.uk
> > > (213.246.40.55[213.246.40.55]) - FTP session closed.
> > >
> > > What is the best way to deal with this?
> > > We can't restrict the IP range because we have clients all over the
> > > world updating web sites etc.
> > > Might be worth restricting the number of connections per IP per minute
> > > or something similar if this is possible?
> > >
> > > Any ideas blues?
> > >
> > > Thanks
> > >
> > > Colin
--
-----------------------------------------------------------------
Shroom.net Donation Based Web Hosting
http://www.shroom.net/
-----------------------------------------------------------------
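As an added illustration of Colin's "connections per IP per minute" idea and Adam's suggestion of adapting the sshdfilter approach to proftpd messages (this is example code, not from the thread or from sshdfilter): a sliding-window counter over proftpd syslog lines that flags clients with repeated "no such user" failures and emits an iptables-restore rule for a dedicated FTPD chain, the FTP counterpart of the SSHD chain in the log_traffic edit. The sample log lines, the failure-message set, the year 2006 and the chain name FTPD are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# proftpd syslog line as quoted in the thread:
# "<Mon> <d> <hh:mm:ss> <host> proftpd[<pid>]: <server> (<name>[<ip>]) - <msg>"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ proftpd\[\d+\]: "
                     r"\S+ \([^\[]*\[(?P<ip>[^\]]+)\]\) - (?P<msg>.*)$")
# Messages counted as a failed login (assumed set; extend for your proftpd build).
FAIL_RE = re.compile(r"no such user|Login failed|Incorrect password")
# Constructed sample modelled on Colin's lines, using RFC 5737 test addresses.
SAMPLE_LOG = [
    "Sep 6 06:41:15 server1 proftpd[28178]: server1.mainline.co.uk (203.0.113.9[203.0.113.9]) - FTP session opened.",
    "Sep 6 06:41:15 server1 proftpd[28178]: server1.mainline.co.uk (203.0.113.9[203.0.113.9]) - no such user 'User'",
    "Sep 6 06:41:15 server1 proftpd[28178]: server1.mainline.co.uk (203.0.113.9[203.0.113.9]) - FTP session closed.",
    "Sep 6 06:41:16 server1 proftpd[28179]: server1.mainline.co.uk (203.0.113.9[203.0.113.9]) - no such user 'Admin'",
    "Sep 6 06:41:17 server1 proftpd[28180]: server1.mainline.co.uk (203.0.113.9[203.0.113.9]) - no such user 'test'",
    "Sep 6 06:41:20 server1 proftpd[28181]: server1.mainline.co.uk (198.51.100.7[198.51.100.7]) - no such user 'colni'",
    "Sep 6 06:41:40 server1 proftpd[28182]: server1.mainline.co.uk (198.51.100.7[198.51.100.7]) - FTP session opened.",
]

def parse_line(line, year=2006):
    """(timestamp, ip, msg) for one proftpd line, or None. syslog omits the
    year, so the caller supplies it; 2006 matches the thread."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"], m["msg"]

def find_flooders(lines, threshold=3, window_sec=60, year=2006):
    """{ip: total_failures} for clients with >= threshold failed logins
    inside any sliding window of window_sec seconds."""
    recent = defaultdict(deque)  # ip -> failure timestamps still in window
    failures = defaultdict(int)  # ip -> all failed logins seen
    flagged = set()
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None or not FAIL_RE.search(parsed[2]):
            continue
        ts, ip, _ = parsed
        failures[ip] += 1
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_sec:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: failures[ip] for ip in flagged}

def block_rule(ip, chain="FTPD"):
    """iptables-restore line dropping the offender via a dedicated chain,
    the FTP counterpart of the SSHD chain Adam added to log_traffic."""
    return f"-A {chain} -s {ip} -p tcp -m tcp --dport 21 -j DROP"
```

A single typo from a legitimate client (198.51.100.7 above) stays under the threshold, so only the repeated-failure source is flagged; the chain must exist in the generated ruleset, as with SSHD in the log_traffic edit, or the rule is rejected.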