Dealing with ftp attacks
John Abreau
john.abreau at zuken.com
Mon Oct 2 15:59:33 EDT 2006
What's the recommended way of dealing with ftp attacks?

We have an ftp server for supporting our customers, running vsftpd,
and every once in a while it's come under attack from somewhere
in China; the attacker slams the ftp port, showing an authentication
failure every 3 seconds, continuously until the server locks up
four hours later.

It happened yesterday evening, and I had to waste a few hours
driving into work to power-cycle the server. I set up a script
to scan the logs hourly and page me if it detected an attack,
and about an hour after I got home, at 2 am, I got a report of
a second attack.

I dealt with it by blocking the ip addresses with

    route add -net 211.152.33.0/24 reject

which interrupted the attack before the server could lock up.
And I just got yet another alert, a few minutes ago; these
assholes seem determined to break in.

One concern I have is that these routes will gradually
clog up my routing table. Also, this machine is our external
mail server, and we have customers in China, so I can't just
block off all of China.

--
John Abreau
IT Manager
Zuken USA
238 Littleton Rd., Suite 100
Westford, MA 01886
T: 978-392-1777 F: 978-692-4725
M: 978-764-8934
E: John.Abreau at zuken.com W: www.zuken.com
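
The kind of log scan mentioned in the message, as an added example (not the poster's script): it counts vsftpd login failures per /24 in a sliding time window and reports the networks that cross a threshold. The log line format, the threshold and window values, the function name and the sample lines are assumptions; the sample addresses are constructed documentation-range values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_network

# Assumed line format: failed-login entries as written to vsftpd's own log.
FAIL_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[[^\]]*\] FAIL LOGIN: Client "(?P<ip>[0-9.]+)"')

# Constructed sample: one user mistyping a password twice, then failures
# every 3 seconds from two hosts in the same /24 (placeholder addresses).
SAMPLE_LOG = "\n".join(
    ['Mon Oct  2 01:40:10 2006 [pid 4001] [alice] FAIL LOGIN: Client "198.51.100.20"',
     'Mon Oct  2 01:52:45 2006 [pid 4002] [alice] FAIL LOGIN: Client "198.51.100.20"',
     'Mon Oct  2 01:52:50 2006 [pid 4003] [alice] OK LOGIN: Client "198.51.100.20"']
    + ['Mon Oct  2 01:58:%02d 2006 [pid %d] [admin] FAIL LOGIN: Client "203.0.113.%d"'
       % (3 * i, 4100 + i, 7 + 2 * (i % 2)) for i in range(12)])


def find_bursts(log_text, threshold=8, window=timedelta(seconds=60)):
    """Return {"/24 network": peak failure count inside any one window}
    for every network that reached `threshold`. Lines must be in time order."""
    recent = defaultdict(deque)   # network -> timestamps still inside the window
    peaks = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue              # successful logins and unrelated lines
        try:
            net = str(ip_network(m["ip"] + "/24", strict=False))
        except ValueError:
            continue              # malformed address in the log line
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        q = recent[net]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[net] = max(peaks.get(net, 0), len(q))
    return peaks


if __name__ == "__main__":
    for net, peak in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {net}: {peak} failed logins inside one window")
```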