Web Hosting Talk

View Full Version : FTP port scans


mpope
05-23-2002, 04:02 PM
I have been noticing an increasing amount of "ftp port scans" (Don't know if that is the correct term, but it seems to explain it best). Anyways, in /var/log/messages I see the following:


May 23 12:40:08 bn1 proftpd[20025]: x.x.x.32 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
May 23 12:40:08 bn1 proftpd[20028]: x.x.x.109 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
May 23 12:40:08 bn1 proftpd[20031]: x.x.x.108 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
May 23 12:40:08 bn1 proftpd[20033]: x.x.x.73 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
May 23 12:40:08 bn1 proftpd[20032]: x.x.x.106 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
May 23 12:40:08 bn1 proftpd[19988]: x.x.x.10 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session closed.
May 23 12:40:08 bn1 proftpd[20034]: x.x.x.16 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
May 23 12:40:11 bn1 proftpd[20035]: x.x.x.20 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
May 23 12:40:14 bn1 proftpd[19979]: x.x.x.59 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session closed.
May 23 12:40:15 bn1 proftpd[19982]: x.x.x.54 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session closed.

Whenever this happens, it causes the load to increase dramatically, from about 1.4 to 30.0 or so.

Anyone know how I can stop these scans? I do have portsentry running which I would assume would detect and drop these scans, but this does not seem to be the case. Also, from the looks of the log file, these ftp sessions are being opened successfully? This cannot be good as I would assume that this would be a security vulnerability.

This server is running Red Hat 7.1 with Cpanel / whm. Any comments will be appreciated!
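
Added example, not part of the original post or thread: a small detector for the pattern in the log excerpt above, where one remote IP opens FTP sessions against many of the server's addresses within seconds. It assumes the address before the parentheses is the local address that accepted the connection, that lines are in time order, and the thresholds, the year and the sample lines (documentation IP ranges) are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Format of the proftpd syslog lines quoted in the post:
#   <timestamp> <host> proftpd[pid]: <local addr> (<remote host>[<remote ip>]) - FTP session opened.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: "
    r"(?P<local>\S+) \((?P<rhost>[^\[\]]*)\[(?P<rip>[^\]]+)\]\) - "
    r"FTP session opened\.\s*$"
)

def find_sweeps(lines, window_seconds=10, min_local_addrs=4, year=2002):
    """Return {remote_ip: most distinct local addresses hit inside one window}
    for remote IPs reaching min_local_addrs. Syslog omits the year, so it is assumed."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # remote ip -> (time, local addr) inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # session closes, other daemons, wrapped or garbled lines
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["rip"]]
        q.append((when, m["local"]))
        while q and when - q[0][0] > window:
            q.popleft()  # drop opens that fell out of the sliding window
        distinct = len({local for _, local in q})
        if distinct >= min_local_addrs:
            flagged[m["rip"]] = max(flagged.get(m["rip"], 0), distinct)
    return flagged

# Constructed sample: one source sweeping five local addresses, one ordinary user.
SAMPLE_LOG = """\
May 23 12:40:08 bn1 proftpd[20025]: 192.0.2.32 (scan.example.net[203.0.113.7]) - FTP session opened.
May 23 12:40:08 bn1 proftpd[20028]: 192.0.2.109 (scan.example.net[203.0.113.7]) - FTP session opened.
May 23 12:40:08 bn1 proftpd[20031]: 192.0.2.108 (scan.example.net[203.0.113.7]) - FTP session opened.
May 23 12:40:09 bn1 proftpd[20040]: 192.0.2.32 (user.example.org[198.51.100.20]) - FTP session opened.
May 23 12:40:09 bn1 proftpd[19988]: 192.0.2.10 (scan.example.net[203.0.113.7]) - FTP session closed.
May 23 12:40:11 bn1 proftpd[20033]: 192.0.2.73 (scan.example.net[203.0.113.7]) - FTP session opened.
May 23 12:40:14 bn1 proftpd[20034]: 192.0.2.16 (scan.example.net[203.0.113.7]) - FTP session opened.
May 23 12:45:00 bn1 proftpd[20050]: 192.0.2.32 (user.example.org[198.51.100.20]) - FTP session opened.
""".splitlines()

if __name__ == "__main__":
    for ip, count in find_sweeps(SAMPLE_LOG).items():
        print(f"{ip} opened sessions on {count} local addresses within the window")
```

The flagged addresses can be fed to whatever blocking mechanism is already in place; the function itself only reads log lines.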

webx
05-23-2002, 04:31 PM
I'm not sure about Proftpd, but in ncFTPd you can limit connections per IP. ncFTPd is a commercial product: http://www.ncftpd.com

If you are running FTP server, connections have to be opened :)

viGeek
05-24-2002, 06:44 PM
I would recommend if you are on a linux box, to install bastille linux.

Enable Port Scan Attack Detector (PSAD), configure it to automatically block IPs of those who breach the psad security level. Be sure to set the breach level to 5.

hope this helps.

Tazzman
05-24-2002, 07:29 PM
And the worst thing is Zeelandnet is the ISP I am with. If this happens again contact them (email addresses here) (http://www.zeelandnet.nl/index.php?upn=010511) and explain the situation. They'll contact the customer and ask for an explanation. They've done that to me before, turned out some hacker had infected my PC with 3 trojans and was using my PC as a proxy to attack software companies. All this because I had forgotten to turn my firewall back on at some point in time so I was unprotected for a few hours.

CagedTornado
05-26-2002, 11:22 AM
With portsentry, you can have it automatically block offending IPs with iptables/ipchains I believe.

This will essentially make your computer appear to 'drop off the network' to the offending IP address as soon as they perform a scan.

Dan

cabalstudios
05-26-2002, 02:13 PM
Originally posted by vigor
I would recommend if you are on a linux box, to install bastille linux.

Enable Port Scan Attack Detector (PSAD), configure it to automatically block IPs of those who breach the psad security level. Be sure to set the breach level to 5.

hope this helps.

The PSAD you're speaking about, where can one get a hold of this, or are we talking about portsentry here?


Imran

Tazzman
05-26-2002, 07:49 PM
You can find PSAD here (http://www.cipherdyne.com/psad/). I installed it on my server a few days ago in combination with bastille and it works deliciously. Any portscan attempt gets blocked, the scanner's IP gets blocked for life and an email is sent to me with all the details including a DNS lookup on the scanner.

If you'd like a tutorial on installing bastille and PSAD, I can post a link.

Techark
05-26-2002, 08:46 PM
info if you can I would like to see it, I too have been getting lots of scans. May want to install this.

Monte

Tazzman
05-26-2002, 09:00 PM
Tutorial can be found here (http://www.unofficial-support.com/modules.php?name=Sections&sop=viewarticle&artid=5).
This tutorial was supposed to be written for use with Ensim, but it should be the same with any other Control panel, except that one or 2 ports will have to be changed from what is stated in the tutorial.

Techark
05-26-2002, 09:26 PM
thanks and you have used these programs without problems I assume.

I may try and load them this afternoon.

Monte