John Abreau wrote:

>What's the recommended way of dealing with ftp attacks?
>
>We have an ftp server for supporting our customers, running vsftpd,
>and every once in a while it's come under attack from somewhere
>in China; the attacker slams the ftp port, showing an authentication
>failure every 3 seconds, continuously until the server locks up
>four hours later.
>
>It happened yesterday evening, and I had to waste a few hours
>driving into work to power-cycle the server. I set up a script
>to scan the logs hourly and page me if it detected an attack,
>and about an hour after I got home, at 2 am, I got a report of
>a second attack.
>
>I dealt with it by blocking the ip addresses with
>
>    route add -net 211.152.33.0/24 reject
>
>which interrupted the attack before the server could lock up.
>And I just got yet another alert, a few minutes ago; these
>assholes seem determined to break in.
>
>One concern I have is that these routes will gradually
>clog up my routing table. Also, this machine is our external
>mail server, and we have customers in China, so I can't just
>block off all of China.
>
>

John,

I suggest you firewall the range assigned to the attacker's ISP: it's unlikely that your customers will be in the same range, but you can just close port 21 and ask your customers to use SSH in any case.

FWIW.

Bill

-- 
E. William Horne
William Warren Consulting
Computer and Network Installation & Service
http://www.billhorne.com/
Voice: 781 784-7287
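The log-scanning and range-blocking approach discussed in this thread, as an added example that is not part of either original message: it flags any /24 producing repeated vsftpd login failures inside a short window and emits firewall rules limited to port 21, so mail from the same range is unaffected. The log layout (vsftpd's native format), the threshold, the window and the function names are assumptions; the sample lines are constructed and use documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample in vsftpd's native log layout (assumed): ten failures
# three seconds apart from one /24, plus one customer typo followed by success.
SAMPLE_LOG = "\n".join(
    [f'Tue Mar  6 02:00:{s:02d} 2007 [pid 4101] [admin] FAIL LOGIN: '
     f'Client "203.0.113.{7 + s % 2}"' for s in range(0, 30, 3)]
    + ['Tue Mar  6 02:05:00 2007 [pid 4200] [alice] FAIL LOGIN: Client "198.51.100.20"',
       'Tue Mar  6 02:05:09 2007 [pid 4200] [alice] OK LOGIN: Client "198.51.100.20"'])

FAIL_RE = re.compile(r'^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
                     r'\[[^\]]*\] FAIL LOGIN: Client "([\d.]+)"')

def find_attackers(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return sorted /24 networks with >= threshold failures inside `window`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        try:
            net = ip_network(m.group(2) + "/24", strict=False)
        except ValueError:
            continue  # malformed address in the log line
        hits[net].append(datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"))
    flagged = []
    for net, times in hits.items():
        times.sort()
        # Sliding window: compare each failure with the one threshold-1 earlier.
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:
                flagged.append(net)
                break
    return sorted(flagged)

def block_rules(networks):
    """Render rules that drop only FTP control traffic from each network."""
    return [f"iptables -I INPUT -s {n} -p tcp --dport 21 -j DROP" for n in networks]

if __name__ == "__main__":
    # Print for review instead of applying; an operator decides what to load.
    print("\n".join(block_rules(find_attackers(SAMPLE_LOG))))
```

Grouping by /24 mirrors the route command quoted above; a single failed login from a customer address stays below the threshold and is not flagged.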