View Full Version : ProFTPD denial of service attacks?
billyjoe 05-02-2002, 07:57 PM One of my servers was getting hit with what appeared to be a DoS attack against ProFTPD 1.2.4. I checked the ProFTPD website and it did have a DoS attack listed, but said it was fixed in version 1.2.2. I updated to the newest RC 1.2.5rc1 and haven't been attacked since. Basically ProFTPD was using all system resources until the server crashed. Any ideas?
clocker1996 05-02-2002, 08:05 PM Originally posted by billyjoe
One of my servers was getting hit with what appeared to be a DoS attack against ProFTPD 1.2.4. I checked the ProFTPD website and it did have a DoS attack listed, but said it was fixed in version 1.2.2. I updated to the newest RC 1.2.5rc1 and haven't been attacked since. Basically ProFTPD was using all system resources until the server crashed. Any ideas?
so what makes you think that proftpd took all the resources up and crashed the box...?
billyjoe 05-02-2002, 08:11 PM 1) Messages in the system log like this.
proftpd: fork() failed: cannot allocate memory
2) The server crashing multiple times moments after it would boot back up. After I was finally able to log in fast enough to disable proftpd before it would crash again, the system was fine with it disabled and has been fine since installing the latest release candidate.
If this isn't a DoS attack I'm open for other ideas.
if you are running proftpd out of inetd then you can tell inetd how many connections to accept for each service.
if you are running as a stand-alone server, then you can specify how many connections to allow in the proftpd.conf.
clocker1996 05-02-2002, 09:46 PM Originally posted by billyjoe
1) Messages in the system log like this.
proftpd: fork() failed: cannot allocate memory
Um dude, I know what it looks like, man. I was just seeing if he even knew what he was talking about. A lot of newbies panic when something goes wrong and just assume that the cause was one thing, but because they are so ignorant they don't realize it was because of <Something else>
So I just wanted to see what made him seem so sure it was proftpd.
clocker1996 05-02-2002, 09:47 PM Originally posted by bofh
if you are running proftpd out of inetd then you can tell inetd how many connections to accept for each service.
if you are running as a stand-alone server, then you can specify how many connections to allow in the proftpd.conf.
by default it should have a low number, doesn't it? I thought it was like 30
Originally posted by clocker1996
by default it should have a low number, doesn't it? I thought it was like 30
Yeah, that's true. I think most Linux distros set it at 30 connections per second.
Jeffyt 05-03-2002, 12:20 AM Originally posted by clocker1996
Um dude, I know what it looks like, man. I was just seeing if he even knew what he was talking about. A lot of newbies panic when something goes wrong and just assume that the cause was one thing, but because they are so ignorant they don't realize it was because of <Something else>
So I just wanted to see what made him seem so sure it was proftpd.
:eek: What makes people 'newbies', and was that directed at the person who asked the question in the first place? :eek:
Originally posted by clocker1996
Um dude, I know what it looks like, man. I was just seeing if he even knew what he was talking about. A lot of newbies panic when something goes wrong and just assume that the cause was one thing, but because they are so ignorant they don't realize it was because of <Something else>
So I just wanted to see what made him seem so sure it was proftpd.
Umm... dude, don't try to act like a self-proclaimed guru.
Peace!
magnafix 05-04-2002, 11:11 PM I think proftpd comes with a nice little command called 'ftpwho' which tells you how many connections, and which users are connected from where. Might have been useful in this situation to see which username was using all those connections.
We've experienced spikes of high load on our ftp server when customers with 2000+ files in a single directory log in and retrieve a directory listing. <grumble>
Matt Lightner 05-05-2002, 01:13 AM Did you check the system messages file before the fork errors to see which IP the connections were coming from? If the DoS is coming from one or two IPs, then you can just firewall them using ipchains, like so:
/sbin/ipchains -A input -s 1.2.3.4/255.255.255.255 -l -j DENY
(where 1.2.3.4 is the IP address that the connections are coming from)
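Added example (not posted by anyone in this thread): a small Python script that does what the last two posts suggest, counting which source IPs opened ProFTPD sessions in the log before the first fork() failure and printing an ipchains deny rule in the form above for any host over a threshold. The syslog lines are constructed, and the "(host[ip]) - FTP session opened." shape is an assumption about ProFTPD's log format; adjust SESSION_RE to match your own messages file.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages around the failure described in the thread.
# Log line layout is assumed; real ProFTPD versions may word these lines differently.
SAMPLE_LOG = """\
May  2 19:48:01 ftp1 proftpd[2310]: ftp1 (198.51.100.9[198.51.100.9]) - FTP session opened.
May  2 19:48:02 ftp1 proftpd[2311]: ftp1 (203.0.113.7[203.0.113.7]) - FTP session opened.
May  2 19:48:02 ftp1 proftpd[2312]: ftp1 (203.0.113.7[203.0.113.7]) - FTP session opened.
May  2 19:48:03 ftp1 proftpd[2313]: ftp1 (203.0.113.7[203.0.113.7]) - FTP session opened.
May  2 19:48:03 ftp1 proftpd[2310]: ftp1 (198.51.100.9[198.51.100.9]) - FTP session closed.
May  2 19:48:04 ftp1 proftpd[2314]: ftp1 (203.0.113.7[203.0.113.7]) - FTP session opened.
May  2 19:48:04 ftp1 proftpd[2315]: ftp1 (203.0.113.7[203.0.113.7]) - FTP session opened.
May  2 19:48:05 ftp1 proftpd[2316]: ftp1 (203.0.113.7[203.0.113.7]) - FTP session opened.
May  2 19:48:06 ftp1 proftpd[2317]: ftp1 (198.51.100.9[198.51.100.9]) - FTP session opened.
May  2 19:48:09 ftp1 proftpd[2319]: fork() failed: cannot allocate memory
May  2 19:48:10 ftp1 proftpd[2320]: ftp1 (203.0.113.7[203.0.113.7]) - FTP session opened.
"""

# Source IP is the bracketed address; the fork() line matches with or without a pid.
SESSION_RE = re.compile(r"proftpd\[\d+\]: \S+ \(\S+\[([\d.]+)\]\) - FTP session opened\.")
FORK_FAIL_RE = re.compile(r"proftpd(?:\[\d+\])?: fork\(\) failed")

def sessions_before_failure(log_text):
    """Count session-open events per source IP up to the first fork() failure.
    Returns (Counter, saw_failure); lines after the failure are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        if FORK_FAIL_RE.search(line):
            return counts, True
        m = SESSION_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts, False

def suspicious_sources(log_text, threshold=5):
    """IPs that opened at least `threshold` sessions before memory ran out, busiest first."""
    counts, _ = sessions_before_failure(log_text)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

def deny_rule(ip):
    """ipchains rule in the form used in the thread: log and deny input from one host."""
    return f"/sbin/ipchains -A input -s {ip}/255.255.255.255 -l -j DENY"

if __name__ == "__main__":
    for ip, n in suspicious_sources(SAMPLE_LOG):
        print(f"{ip}: {n} sessions before fork() failure -> {deny_rule(ip)}")
```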