Abusive FTP users

**jumpdomain** · 02-13-2002 01:11 AM

At least once a day, someone tries to connect via FTP to all the IPs on our servers. Since a lot of the servers have over 200 IPs, the server load skyrockets with all the processes.

What is the best way to stop this without effecting legitimate users? Would this directive do the job?
MaxClientsPerHost 1

Also, does anyone set a MaxClients directive as a global directive since the MaxClientsPerHost will only catch them if they come from the same IP.

**gorgo** · 02-13-2002 01:27 AM

if the connection is coming from a cable subscriber, your best bet would to be edit the host.deny file to include his IP, I don't know how cable internet is else where, but my IP rarely changes./

**jumpdomain** · 02-13-2002 01:42 AM

Thanks, but each time they hit our IP blocks, they are coming from a different IP. It isn't a single person doing it... It is coming from scanning software that people run to find open FTP servers that will allow then anonymous FTP upload and download so they can distribute pirated software.

I wouldn’t have even noticed it since it only lasts a few minutes, but we have some new monitoring software that pages me when the load gets too high.

**rpmws** · 02-13-2002 02:52 AM

[quote:cd0fcc3db7][i:cd0fcc3db7]Originally posted by jumpdomain[/i:cd0fcc3db7]

Thanks, but each time they hit our IP blocks, they are coming from a different IP. It isn't a single person doing it... It is coming from scanning software that people run to find open FTP servers that will allow then anonymous FTP upload and download so they can distribute pirated software.

I wouldn’t have even noticed it since it only lasts a few minutes, but we have some new monitoring software that pages me when the load gets too high.
[/quote:cd0fcc3db7]

Just curious .. I get these all the time and if I remember correctly it is from some weird domain like wanadoo.fr
..or something like that ... does that ring a bell ?

**jumpdomain** · 02-13-2002 03:58 AM

rpmws,

Yes, that is the usual domain they come from... I suspect it is a large ISP in France. I am tempted to block their entire IP block but I am not 100% sure that we do not have any legitimate customers who also use them.

**WildWayz** · 02-13-2002 04:11 AM

I get LOADS of hack attempts from wandaloo.fr - and I have emailed them many, many times about it - each time they don't reply.

I believe wandaloo.fr is a HUGE ISP in France that owns Freeserve in the UK (from memory).

Also, I get a lot of people trying to ftp into my server using ftp/anonymous - but both of them are blocked, so they get denied.

--James

**jumpdomain** · 02-13-2002 04:27 AM

Unless I am mistaken, anonymous FTP access to each IP based site is turned on by default when you create the account.

Anyone know an easy way to disable it so the user has to turn it on?

**indiboi** · 02-13-2002 04:30 AM

i think that blocking the percentage of (possibly non existant) legitimate users is worth the risk with wandaloo.fr.

**Curious Too** · 02-13-2002 02:29 PM

For some reason ProFTP does not block IP addresses in the hosts.deny file. Anyone know why?

**ZachICU** · 02-13-2002 07:56 PM

Im curious about this topic also...

Zach

**shawnvan** · 06-19-2004 02:20 PM

hosts.deny only applies to the services listed in /etc/inetd.conf
check that file to see what services are listed

**chirpy** · 06-19-2004 05:44 PM

Wow! A two and a half year old thread - WTG

LinkBack

Thread Tools

Abusive FTP users

Should we all turn off the abusive Sender Callouts?

Users' Anonymous FTP going to /var/ftp

Disallowing FTP to certain users (Pure FTP)

FTP users

Can't login via FTP / Create new FTP users