Abusive FTP users

Discussion in 'General Discussion' started by jumpdomain, Feb 13, 2002.

  1. jumpdomain

    At least once a day, someone tries to connect via FTP to all the IPs on our servers. Since a lot of the servers have over 200 IPs, the server load skyrockets with all the processes.

    What is the best way to stop this without affecting legitimate users? Would this directive do the job?
    MaxClientsPerHost 1

    Also, does anyone set a MaxClients directive as a global directive, since the MaxClientsPerHost will only catch them if they come from the same IP?
     
  2. gorgo

    If the connection is coming from a cable subscriber, your best bet would be to edit the hosts.deny file to include his IP. I don't know how cable internet is elsewhere, but my IP rarely changes.
     
  3. jumpdomain

    Thanks, but each time they hit our IP blocks, they are coming from a different IP. It isn't a single person doing it... It is coming from scanning software that people run to find open FTP servers that will allow them anonymous FTP upload and download so they can distribute pirated software.

    I wouldn’t have even noticed it since it only lasts a few minutes, but we have some new monitoring software that pages me when the load gets too high.
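
    An added example, not part of the original thread: one way to spot the sweep described in the post above, where a single remote address opens FTP connections to many of the server's local IPs within a few minutes. The `timestamp remote_ip local_ip` record format, the thresholds and all addresses are constructed for illustration; adapt the parsing to whatever your FTP daemon actually logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (assumed format: ISO timestamp, remote IP, local IP).
SAMPLE_LOG = """\
2002-02-13T10:00:01 198.51.100.7 192.0.2.10
2002-02-13T10:00:02 198.51.100.7 192.0.2.11
2002-02-13T10:00:02 203.0.113.20 192.0.2.10
2002-02-13T10:00:03 198.51.100.7 192.0.2.12
2002-02-13T10:00:04 198.51.100.7 192.0.2.13
2002-02-13T10:00:05 198.51.100.7 192.0.2.14
2002-02-13T10:00:06 198.51.100.7 192.0.2.15
2002-02-13T10:03:00 203.0.113.20 192.0.2.10
2002-02-13T11:00:00 203.0.113.30 192.0.2.10
2002-02-13T12:00:00 203.0.113.30 192.0.2.11
2002-02-13T13:00:00 203.0.113.30 192.0.2.12
2002-02-13T14:00:00 203.0.113.30 192.0.2.13
2002-02-13T15:00:00 203.0.113.30 192.0.2.14
"""

def parse(lines):
    """Yield (timestamp, remote_ip, local_ip); skip blank or malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def find_sweepers(lines, min_targets=5, window=timedelta(minutes=5)):
    """Return {remote_ip: most distinct local IPs contacted inside one window}
    for every remote that reaches at least min_targets distinct local IPs."""
    recent = defaultdict(deque)  # remote -> (timestamp, local_ip) still in window
    flagged = {}
    for ts, remote, local in sorted(parse(lines)):
        q = recent[remote]
        q.append((ts, local))
        while ts - q[0][0] > window:  # drop connections older than the window
            q.popleft()
        distinct = len({addr for _, addr in q})
        if distinct >= min_targets:
            flagged[remote] = max(flagged.get(remote, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(find_sweepers(SAMPLE_LOG.splitlines()))
```

    Counting distinct local IPs rather than total connections keeps a customer who reconnects to one site repeatedly, or who touches several sites over a whole day, out of the result.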
     
  4. rpmws

    Originally posted by jumpdomain:

    > Thanks, but each time they hit our IP blocks, they are coming from a different IP. It isn't a single person doing it... It is coming from scanning software that people run to find open FTP servers that will allow them anonymous FTP upload and download so they can distribute pirated software.
    >
    > I wouldn’t have even noticed it since it only lasts a few minutes, but we have some new monitoring software that pages me when the load gets too high.

    Just curious... I get these all the time, and if I remember correctly it is from some weird domain like wanadoo.fr
    ...or something like that... does that ring a bell?
     
  5. jumpdomain

    rpmws,

    Yes, that is the usual domain they come from... I suspect it is a large ISP in France. I am tempted to block their entire IP block but I am not 100% sure that we do not have any legitimate customers who also use them.
     
  6. WildWayz

    I get LOADS of hack attempts from wandaloo.fr - and I have emailed them many, many times about it - each time they don't reply.

    I believe wandaloo.fr is a HUGE ISP in France that owns Freeserve in the UK (from memory).

    Also, I get a lot of people trying to ftp into my server using ftp/anonymous - but both of them are blocked, so they get denied.

    --James
     
  7. jumpdomain

    Unless I am mistaken, anonymous FTP access to each IP-based site is turned on by default when you create the account.

    Anyone know an easy way to disable it so the user has to turn it on?
     
  8. indiboi

    I think that blocking the percentage of (possibly non-existent) legitimate users is worth the risk with wandaloo.fr.
     
  9. Curious Too

    For some reason ProFTP does not block IP addresses in the hosts.deny file. Anyone know why?
     
  10. ZachICU

    I'm curious about this topic also...


    Zach
     
  11. shawnvan

    hosts.deny only applies to the services listed in /etc/inetd.conf.
    Check that file to see what services are listed.
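
    An added example, not part of the original thread: a check for the situation raised in the two posts above, assuming TCP wrappers are applied by inetd starting the service through `tcpd` (a daemon that consults hosts.deny by itself is outside this check). The config snippets are constructed; `ServerType` is ProFTPD's directive for choosing `standalone` or `inetd` operation.

```python
import os

# Constructed sample configs for illustration.
INETD_CONF = """\
# service type   proto wait   user server               args
ftp       stream tcp   nowait root /usr/sbin/tcpd       in.proftpd
telnet    stream tcp   nowait root /usr/sbin/in.telnetd in.telnetd
#pop3     stream tcp   nowait root /usr/sbin/tcpd       ipop3d
"""
PROFTPD_STANDALONE = 'ServerName "example"\nServerType standalone\n'
PROFTPD_INETD = 'ServerName "example"\nServerType inetd\n'

def inetd_services(text):
    """Map each enabled inetd service to True if it is started through tcpd."""
    services = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comments
        if len(fields) < 6:                     # blank or incomplete entry
            continue
        services[fields[0]] = os.path.basename(fields[5]) == "tcpd"
    return services

def proftpd_server_type(text):
    """Return the configured ServerType in lower case, or None if absent."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0].lower() == "servertype":
            return fields[1].lower()
    return None

def hosts_deny_covers_ftp(inetd_text, proftpd_text):
    """True only when ProFTPD is explicitly in inetd mode and inetd wraps ftp."""
    if proftpd_server_type(proftpd_text) != "inetd":
        # Not explicitly inetd mode: a standalone daemon accepts connections
        # itself, so inetd's tcpd wrapper never sees them.
        return False
    return inetd_services(inetd_text).get("ftp", False)

if __name__ == "__main__":
    print(inetd_services(INETD_CONF))
    print(hosts_deny_covers_ftp(INETD_CONF, PROFTPD_STANDALONE))
    print(hosts_deny_covers_ftp(INETD_CONF, PROFTPD_INETD))
```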
     
  12. chirpy

    Wow! A two and a half year old thread - WTG :D
     