-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The Tuesday 2007-04-24 at 10:15 -0400, James Knott wrote:
> > I am experiencing an excessive load from the internet that looks like
> > some kind of attack. The log entries that repeat over and over are:
> >
> > Apr 22 11:14:54 bonza proftpd[10488]: bonza.rbpllc.com
> > (216.101.241.110[216.101.241.110]) - FTP session opened.
> > Apr 22 11:14:54 bonza proftpd[10488]: bonza.rbpllc.com
> > (216.101.241.110[216.101.241.110]) - no such user 'alexander'
A dictionary attack on the ftp server, I guess. The incoming address does
not resolve, thus the secondary error:
[EMAIL PROTECTED]:~> host 216.101.241.110
Host 110.241.101.216.in-addr.arpa not found: 2(SERVFAIL)
but:
[EMAIL PROTECTED]:~> whois 216.101.241.110
SBC Internet Services SBCIS-SIS80 (NET-216-100-0-0-1)
216.100.0.0 - 216.103.255.255
Barracuda Networks SBC21610124100024051011130804 (NET-216-101-241-0-1)
216.101.241.0 - 216.101.241.255
# ARIN WHOIS database, last updated 2007-04-23 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
> > The biggest question is what can I do to stop this?? Is there an effective
> > firewall rule or IP table recipe that will help?? The load caused the server
> > to lock up last night causing a great deal of havoc. Any wise advice would
> > be welcomed.
>
> Do you actually have an FTP server available? If so, you may want to consider
> a more secure method such as sftp or scp. If not, your firewall should be
> configured to block all such attempts. If you need to have the server
> available, you can configure the firewall to restrict the acceptable addresses
> or block known hostile sites. Without knowing more about your situation, I
> can't be more specific.
It is also possible, when using susefirewall, to restrict the number of
connection attempts to a port. Look at the "FW_SERVICES_ACCEPT_EXT"
entry:
## Type: string
## Default:
#
# Services to allow. This is a more generic form of FW_SERVICES_{IP,UDP,TCP}
# and more specific than FW_TRUSTED_NETS
#
# Format: space separated list of net,protocol[,dport[,sport[,flags]]]
# Example: "0/0,tcp,22"
#
# Supported flags are
# hitcount=NUMBER : ipt_recent --hitcount parameter
# blockseconds=NUMBER : ipt_recent --seconds parameter
# recentname=NAME : ipt_recent --name parameter
# Example:
# Allow max three ssh connects per minute from the same IP address:
# "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
#
# The special value _rpc_ is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.
#
FW_SERVICES_ACCEPT_EXT="0/0,tcp,21,,hitcount=3,blockseconds=60,recentname=ftp"
- --
Cheers,
Carlos E. R.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Made with pgp4pine 1.76
iD8DBQFGLhbutTMYHG2NR9URAtDcAJ4rpQZ3Xj0GtOwoaCEtYWAU/WeTCwCdHVl3
eGSvmOF4QE2HQRPobvAZUOA=
=uDBD
-----END PGP SIGNATURE-----
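The hitcount/blockseconds/recentname flags in the FW_SERVICES_ACCEPT_EXT entry above map onto the iptables "recent" match. The following script is an added example, not part of Carlos's message and not SuSEfirewall2's own code: it parses one entry in the net,protocol[,dport[,sport[,flags]]] format and prints the pair of iptables rules that implement "at most N new connections per blockseconds from one source". The function name fw_entry_to_iptables is made up for this example, the target chain defaults to INPUT (SuSEfirewall2 uses its own chain names, which are not reproduced here), and the _rpc_ protocol value is deliberately rejected rather than handled. The -m state, -m recent, --set, --update, --seconds and --hitcount options are real iptables options.

```shell
#!/bin/sh
# Added example: translate one FW_SERVICES_ACCEPT_EXT entry into iptables
# rules using the "recent" match. Hypothetical helper, not SuSEfirewall2 code.
# Usage: fw_entry_to_iptables 'net,proto[,dport[,sport[,flags]]]' [chain]
fw_entry_to_iptables() {
    entry=$1
    chain=${2:-INPUT}          # assumption: plain INPUT chain, not SuSEfirewall2's own
    net=$(printf '%s\n' "$entry" | cut -d, -f1)
    proto=$(printf '%s\n' "$entry" | cut -d, -f2)
    dport=$(printf '%s\n' "$entry" | cut -d, -f3)
    sport=$(printf '%s\n' "$entry" | cut -d, -f4)
    flags=$(printf '%s\n' "$entry" | cut -d, -f5-)   # everything after sport

    if [ -z "$net" ] || [ -z "$proto" ]; then
        echo "fw_entry_to_iptables: need at least net,protocol" >&2
        return 1
    fi
    if [ "$proto" = "_rpc_" ]; then
        echo "fw_entry_to_iptables: _rpc_ entries are not handled by this example" >&2
        return 1
    fi

    # Match shared by every generated rule (-p must precede --dport/--sport).
    match="-p $proto -s $net"
    if [ -n "$dport" ]; then match="$match --dport $dport"; fi
    if [ -n "$sport" ]; then match="$match --sport $sport"; fi

    # Pick the three recognised flags out of the comma separated flag list.
    hitcount=""; seconds=""; name=""
    old_ifs=$IFS; IFS=,
    for f in $flags; do
        case $f in
            hitcount=*)     hitcount=${f#hitcount=} ;;
            blockseconds=*) seconds=${f#blockseconds=} ;;
            recentname=*)   name=${f#recentname=} ;;
            '')             ;;                      # empty field, ignore
            *) IFS=$old_ifs; echo "unknown flag: $f" >&2; return 1 ;;
        esac
    done
    IFS=$old_ifs

    if [ -n "$hitcount" ] || [ -n "$seconds" ]; then
        if [ -z "$hitcount" ] || [ -z "$seconds" ]; then
            echo "hitcount and blockseconds must be given together" >&2
            return 1
        fi
        name=${name:-DEFAULT}   # DEFAULT is the recent module's own default list name
        # Rule 1: a source that already has $hitcount entries in the last
        # $seconds seconds gets its new connection dropped (and its timestamp
        # refreshed, so a persistent attacker stays blocked).
        printf 'iptables -A %s %s -m state --state NEW -m recent --name %s --update --seconds %s --hitcount %s -j DROP\n' \
            "$chain" "$match" "$name" "$seconds" "$hitcount"
        # Rule 2: otherwise record this new connection and accept it.
        printf 'iptables -A %s %s -m state --state NEW -m recent --name %s --set -j ACCEPT\n' \
            "$chain" "$match" "$name"
    else
        # No rate limiting requested: a plain accept.
        printf 'iptables -A %s %s -j ACCEPT\n' "$chain" "$match"
    fi
}

# Demo with the entry from the message (or an entry given on the command line).
fw_entry_to_iptables "${1:-0/0,tcp,21,,hitcount=3,blockseconds=60,recentname=ftp}"
```

With the message's entry the script prints a DROP rule followed by an ACCEPT rule. The order matters: the first three new connections from one address fall through the DROP rule (fewer than three entries yet) and are recorded by --set; the fourth within 60 seconds matches --hitcount 3 and is dropped, which is the "max three connects per minute" behaviour the configuration comment describes. Note that this only throttles the login attempts; it does not stop them, and the proftpd "no such user" lines remain the thing to watch in the log.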