Web Hosting Talk

View Full Version : controlling proftpd..


jasonX
06-08-2002, 04:55 PM
Hi,

The last couple of days one of my servers has undergone what looks to be a DoS attack:
--------------------------------------------------------
Jun 8 03:32:52 UNIVEX2 proftpd[20501]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session opened.
Jun 8 03:32:52 UNIVEX2 proftpd[20503]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session opened.
Jun 8 03:32:52 UNIVEX2 proftpd[20502]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session opened.
Jun 8 03:32:52 UNIVEX2 proftpd[20505]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session opened.
Jun 8 03:32:52 UNIVEX2 proftpd[20504]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session opened.
Jun 8 03:32:52 UNIVEX2 proftpd[20501]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session closed.
Jun 8 03:32:52 UNIVEX2 proftpd[20502]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session closed.
Jun 8 03:32:52 UNIVEX2 proftpd[20503]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session closed.
Jun 8 03:32:52 UNIVEX2 proftpd[20504]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session closed.
Jun 8 03:32:52 UNIVEX2 proftpd[20505]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session closed.
Jun 8 03:32:53 UNIVEX2 proftpd[20491]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session opened.
Jun 8 03:32:53 UNIVEX2 proftpd[20491]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session closed.
-------------------------------------------------------------------
etc .etc. etc.

Anyways, I have pam limits running, along with portsentry (which doesn't seem to do anything to protect against this). So I am just wondering if anyone knows how to block access to an IP that is 'hammering' the server, trying to login/logout very quickly in short time periods. I know there is hammering protection in other ftp programs for Windows and such, but am trying to find something similar for proftpd. If ANYONE can help me out, I would really really realllly appreciate it!

Thanks!

elsmore1
06-08-2002, 06:37 PM
If you have something such as IpChains installed you could use it to block that IP address or address block at the kernel level... or you could use your hosts.allow file (/etc/hosts.allow) to block that domain (or address) from the ftp service. See "man hosts.allow" or "man ipchains" for detailed instructions and examples.

Originally posted by jasonX
Hi,

The last couple of days one of my servers has undergone what looks to be a DoS attack:
--------------------------------------------------------
-- snip --
Jun 8 03:32:53 UNIVEX2 proftpd[20491]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session closed.
-------------------------------------------------------------------
etc .etc. etc.

Anyways, I have pam limits running, along with portsentry (which doesn't seem to do anything to protect against this). So I am just wondering if anyone knows how to block access to an IP that is 'hammering' the server, trying to login/logout very quickly in short time periods. I know there is hammering protection in other ftp programs for Windows and such, but am trying to find something similar for proftpd. If ANYONE can help me out, I would really really realllly appreciate it!

Thanks!

jasonX
06-08-2002, 07:03 PM
I know I can manually block the IP. But by that time, the server is down, and I have to restart it. I need something that will monitor that this is happening and block it while it's happening. Anyone have any ideas?

elsmore1
06-08-2002, 07:13 PM
Well, proftp has the MaxInstances or MaxClients directive which limits the number of instances of proftp that can be alive at one time, which will probably save the server from crashing, but will likely prevent authorized users from using proftp while the DoS attack is in effect.

Goes in the server config for ProFTPD:

MaxInstances xx   or..
MaxClients xx

(Which one you need depends on whether you are running under inetd or as standalone.)

jasonX
06-09-2002, 12:38 PM
Thanks.

I knew about this though. See, what is happening is that they're not connecting 100 clients. He is connecting three times, disconnecting three times, connecting three times, disconnecting three times, so that max instances or clients wouldn't matter. And he does this very quickly, like every 1 second, at night, until the server crashes.
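The thread never gets to the "monitor it while it's happening" piece jasonX asks for: a connection cap like MaxClients does not notice a client that opens and closes a few sessions every second, because the concurrent count stays low. What does notice it is the rate of "FTP session opened" events per source IP over a sliding window. The script below is an added example written for this page, not code from the thread, ProFTPD, or either poster. It parses syslog-style proftpd lines of the form quoted in the first post, keeps a per-IP sliding window of session-open timestamps, and reports IPs that exceed a threshold. The window (10 s) and threshold (5 opens) are arbitrary starting values; the second client (192.0.2.10, a documentation address) and the final non-session line in the sample are constructed to show that slow clients and unrelated messages are ignored. It assumes the lines arrive in chronological order, as syslog writes them, and that syslog timestamps carry no year (2002, the date of the thread, is supplied). Acting on a flagged IP, for example with a hosts.deny entry or an ipchains rule as elsmore1 suggests, is left to the admin; the script only detects.

```python
#!/usr/bin/env python3
"""Flag clients that open proftpd sessions faster than a threshold.

Added example (not from the thread). Reads syslog-style proftpd lines,
counts "FTP session opened" events per client IP inside a sliding time
window, and returns the IPs whose rate exceeded the threshold.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input modelled on the lines quoted in the thread.
# The 192.0.2.10 client and the last "unrelated message" line are made up
# to show what the detector must ignore.
SAMPLE_LOG = """\
Jun 8 03:32:52 UNIVEX2 proftpd[20501]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session opened.
Jun 8 03:32:52 UNIVEX2 proftpd[20503]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session opened.
Jun 8 03:32:52 UNIVEX2 proftpd[20502]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session opened.
Jun 8 03:32:52 UNIVEX2 proftpd[20505]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session opened.
Jun 8 03:32:52 UNIVEX2 proftpd[20504]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session opened.
Jun 8 03:32:52 UNIVEX2 proftpd[20501]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session closed.
Jun 8 03:32:52 UNIVEX2 proftpd[20502]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session closed.
Jun 8 03:32:52 UNIVEX2 proftpd[20503]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session closed.
Jun 8 03:32:52 UNIVEX2 proftpd[20504]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session closed.
Jun 8 03:32:52 UNIVEX2 proftpd[20505]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session closed.
Jun 8 03:32:53 UNIVEX2 proftpd[20491]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session opened.
Jun 8 03:32:53 UNIVEX2 proftpd[20491]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session closed.
Jun 8 03:40:01 UNIVEX2 proftpd[20610]: UNIVEX2.GWISN.COM (client.example.net[192.0.2.10]) - FTP session opened.
Jun 8 03:40:30 UNIVEX2 proftpd[20610]: UNIVEX2.GWISN.COM (client.example.net[192.0.2.10]) - FTP session closed.
Jun 8 03:45:12 UNIVEX2 proftpd[20622]: UNIVEX2.GWISN.COM (client.example.net[192.0.2.10]) - FTP session opened.
Jun 8 03:45:12 UNIVEX2 proftpd[20622]: UNIVEX2.GWISN.COM (client.example.net[192.0.2.10]) - constructed unrelated message
"""

# Matches only the session open/close lines; anything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ proftpd\[\d+\]: "
    r"\S+ \((?P<host>[^\[]*)\[(?P<ip>[0-9.]+)\]\) - FTP session (?P<event>opened|closed)\.$"
)


def parse_line(line, year=2002):
    """Return (timestamp, client_ip, event) for a session line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps have no year; the caller supplies one (assumption: 2002).
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("ip"), m.group("event")


def find_hammering(lines, window_seconds=10, threshold=5):
    """Return {ip: peak_opens_in_window} for IPs that opened at least
    `threshold` sessions within any `window_seconds` span.

    Assumes lines are in chronological order (syslog order)."""
    recent = defaultdict(deque)  # ip -> timestamps of opens still inside the window
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != "opened":
            continue  # closes and unrelated lines do not count toward the rate
        ts, ip, _ = parsed
        q = recent[ip]
        q.append(ts)
        # Drop opens that have aged out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


if __name__ == "__main__":
    for ip, n in find_hammering(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} session opens within 10s")
```

On the sample, only 140.109.212.9 is reported (6 opens inside one second); 192.0.2.10 opens two sessions five minutes apart and stays under any sane threshold. The hammering pattern from jasonX's last post (three connects per second, repeated) would trip this after the first couple of seconds, long before MaxClients would matter. A cron-driven run over the tail of the log, or a loop reading the log as it grows, is enough to turn the flagged IPs into whatever block the admin prefers.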