
BLU Discuss list archive



Dealing with ftp attacks



Just a thought,


If you can detect an attack, script a block of that IP only, and
unlock it after an hour or two, again with a script.

If you have known customers (internal users?) you could make an
authorized table and block everyone else from China.

Just a thought.  I don't know the FTP daemon, but the concept seems good.



Quoting John Abreau <john.abreau at zuken.com>:

> What's the recommended way of dealing with ftp attacks?
>
> We have an ftp server for supporting our customers, running vsftpd,
> and every once in a while it's come under attack from somewhere
> in China; the attacker slams the ftp port, showing an authentication
> failure every 3 seconds, continuously until the server locks up
> four hours later.
>
> It happened yesterday evening, and I had to waste a few hours
> driving into work to power-cycle the server. I set up a script
> to scan the logs hourly and page me if it detected an attack,
> and about an hour after I got home, at 2 am, I got a report of
> a second attack.
>
> I dealt with it by blocking the ip addresses with
>
>     route add -net 211.152.33.0/24 reject
>
> which interrupted the attack before the server could lock up.
> And I just got yet another alert, a few minutes ago; these
> assholes seem determined to break in.
>
> One concern I have is that these routes will gradually
> clog up my routing table. Also, this machine is our external
> mail server, and we have customers in China, so I can't just
> block off all of China.
>
> --
> John Abreau
> IT Manager
> Zuken USA
> 238 Littleton Rd., Suite 100
> Westford, MA 01886
> T: 978-392-1777            F: 978-692-4725
> M: 978-764-8934
> E: John.Abreau at zuken.com  W: www.zuken.com
>
>



-- 
Fax 1-630-214-5954 - Voicemail/S 775-898-8064

http://www.drbackup.net?pid=coats by Dr.Backup safeguards your valuable
documents with an automatic nightly backup over the Internet. FREE trial

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
    -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
       Assembly to the Governor, November 11, 1755

"Any sufficiently advanced technology is indistinguishable from magic."
    -- Arthur C. Clarke (1917 - ), "Profiles of The Future", 1961 (Clarke's
       third law)
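The suggestion in the reply above (block only the offending IP, lift the block after an hour or two, and keep an authorized table of known customers), as an added example that is not part of the original thread. It assumes vsftpd's native log format and iptables as the blocking mechanism; the function names, the thresholds, and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# vsftpd native log line (xferlog_std_format=NO), constructed sample:
# Mon Jul  7 02:00:03 2008 [pid 4121] [admin] FAIL LOGIN: Client "203.0.113.7"
FAIL_RE = re.compile(r'^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
                     r'\[[^\]]*\] FAIL LOGIN: Client "([^"]+)"')

def failures(lines):
    """Yield (timestamp, ip) per failed login; skip other lines and bad addresses."""
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        try:  # only a parsed IPv4 address may ever reach a firewall command
            ip = str(ipaddress.IPv4Address(m.group(2)))
        except ValueError:
            continue
        yield datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), ip

def plan(lines, blocked, now, allow=(), threshold=5,
         window=timedelta(minutes=1), ttl=timedelta(hours=2)):
    """Return (to_block, to_unblock); `blocked` maps ip -> time its block was added."""
    to_unblock = sorted(ip for ip, since in blocked.items() if now - since >= ttl)
    counts = {}
    for ts, ip in failures(lines):
        if now - window <= ts <= now:
            counts[ip] = counts.get(ip, 0) + 1
    to_block = sorted(ip for ip, n in counts.items()
                      if n >= threshold and ip not in allow and ip not in blocked)
    return to_block, to_unblock

def commands(to_block, to_unblock):
    """Render iptables commands: insert a DROP for new offenders, delete expired ones."""
    rule = "INPUT -s {} -p tcp --dport 21 -j DROP"
    return (["iptables -I " + rule.format(ip) for ip in to_block] +
            ["iptables -D " + rule.format(ip) for ip in to_unblock])

# Constructed input: one failure every 3 seconds from one host, one customer typo.
SAMPLE = ['Mon Jul  7 02:00:%02d 2008 [pid 4121] [admin] FAIL LOGIN: Client "203.0.113.7"'
          % s for s in range(0, 30, 3)]
SAMPLE.append('Mon Jul  7 02:00:10 2008 [pid 4130] [alice] FAIL LOGIN: Client "198.51.100.20"')
BLOCKED = {"203.0.113.99": datetime(2008, 7, 6, 23, 0), "203.0.113.50": datetime(2008, 7, 7, 1, 30)}

if __name__ == "__main__":
    NOW = datetime(2008, 7, 7, 2, 0, 30)
    print("\n".join(commands(*plan(SAMPLE, BLOCKED, NOW))))
```

Because expired entries are deleted on each run, the rule list stays bounded by the number of hosts that attacked within the last `ttl`, which addresses the concern about blocks accumulating.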







BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
