jumpdomain

Well-Known Member
Aug 12, 2001
At least once a day, someone tries to connect via FTP to all the IPs on our servers. Since a lot of the servers have over 200 IPs, the server load skyrockets with all the processes.

What is the best way to stop this without affecting legitimate users? Would this directive do the job?
MaxClientsPerHost 1

Also, does anyone set a MaxClients directive as a global directive, since MaxClientsPerHost will only catch them if they come from the same IP?
 

gorgo

Well-Known Member
Jan 9, 2002
If the connection is coming from a cable subscriber, your best bet would be to edit the hosts.deny file to include his IP. I don't know how cable internet is elsewhere, but my IP rarely changes.
 

jumpdomain

Well-Known Member
Aug 12, 2001
Thanks, but each time they hit our IP blocks, they are coming from a different IP. It isn't a single person doing it... It is coming from scanning software that people run to find open FTP servers that will allow them anonymous FTP upload and download so they can distribute pirated software.

I wouldn’t have even noticed it since it only lasts a few minutes, but we have some new monitoring software that pages me when the load gets too high.
 

rpmws

Well-Known Member
Aug 14, 2001
back woods of NC, USA
[quote][i]Originally posted by jumpdomain[/i]

Thanks, but each time they hit our IP blocks, they are coming from a different IP. It isn't a single person doing it... It is coming from scanning software that people run to find open FTP servers that will allow them anonymous FTP upload and download so they can distribute pirated software.

I wouldn’t have even noticed it since it only lasts a few minutes, but we have some new monitoring software that pages me when the load gets too high.
[/quote]

Just curious... I get these all the time, and if I remember correctly it is from some weird domain like wanadoo.fr... or something like that. Does that ring a bell?
 

jumpdomain

Well-Known Member
Aug 12, 2001
rpmws,

Yes, that is the usual domain they come from... I suspect it is a large ISP in France. I am tempted to block their entire IP block but I am not 100% sure that we do not have any legitimate customers who also use them.
 

WildWayz

Well-Known Member
Aug 14, 2001
I get LOADS of hack attempts from wanadoo.fr, and I have emailed them many, many times about it. Each time they don't reply.

I believe wanadoo.fr is a HUGE ISP in France that owns Freeserve in the UK (from memory).

Also, I get a lot of people trying to ftp into my server using ftp/anonymous - but both of them are blocked, so they get denied.

--James
 

jumpdomain

Well-Known Member
Aug 12, 2001
Unless I am mistaken, anonymous FTP access to each IP-based site is turned on by default when you create the account.

Anyone know an easy way to disable it so the user has to turn it on?
 

indiboi

Well-Known Member
Aug 14, 2001
I think that blocking the percentage of (possibly nonexistent) legitimate users is worth the risk with wanadoo.fr.
 

shawnvan

Registered
Nov 15, 2003
hosts.deny only applies to the services listed in /etc/inetd.conf.
Check that file to see what services are listed.
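
The sweep described in this thread (one remote address opening FTP connections to many of the server's IPs within a few minutes, from a different source each time) can be picked out of connection logs without touching users who reconnect to a single site. This is an added example, not code from any poster; the log format, function names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque

# Constructed sample: "<epoch seconds> <remote IP> <local IP>", one line per
# accepted FTP connection, in time order. The format is an assumption made
# for this example, not the layout of any particular FTP server's log.
SAMPLE_LOG = """\
1000 198.51.100.7 192.0.2.10
1001 198.51.100.7 192.0.2.11
1002 203.0.113.5 192.0.2.10
1002 198.51.100.7 192.0.2.12
1003 198.51.100.7 192.0.2.13
1004 198.51.100.7 192.0.2.14
1900 203.0.113.5 192.0.2.10
1901 203.0.113.5 192.0.2.11
not a log line
"""

def find_sweeps(lines, window=300, min_targets=5):
    """Return {remote_ip: peak count of distinct local IPs contacted within
    `window` seconds} for remotes reaching at least `min_targets` local IPs."""
    recent = defaultdict(deque)  # remote -> (timestamp, local IP) inside window
    peak = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # skip malformed lines instead of aborting the scan
        ts, remote, local = int(parts[0]), parts[1], parts[2]
        q = recent[remote]
        q.append((ts, local))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop connections older than the sliding window
        # Count distinct destinations, so a customer who reconnects to the
        # same site many times is never flagged.
        distinct = len({loc for _, loc in q})
        if distinct >= min_targets:
            peak[remote] = max(peak.get(remote, 0), distinct)
    return peak

def deny_candidates(lines, **kwargs):
    """Sorted remote IPs that swept the server; input for a temporary block."""
    return sorted(find_sweeps(lines, **kwargs))

if __name__ == "__main__":
    for ip, n in find_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} touched {n} local IPs within the window")
```

Because the key is the number of distinct local IPs per source, this catches a sweep even when every run comes from a new address, which a static deny list cannot do.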