jumpdomain

Well-Known Member
Aug 12, 2001
109
0
316
At least once a day, someone tries to connect via FTP to all the IPs on our servers. Since a lot of the servers have over 200 IPs, the server load skyrockets with all the processes.

What is the best way to stop this without effecting legitimate users? Would this directive do the job?
MaxClientsPerHost 1

Also, does anyone set a MaxClients directive as a global directive since the MaxClientsPerHost will only catch them if they come from the same IP.
 

gorgo

Well-Known Member
Jan 9, 2002
148
0
316
if the connection is coming from a cable subscriber, your best bet would to be edit the host.deny file to include his IP, I don't know how cable internet is else where, but my IP rarely changes./
 

jumpdomain

Well-Known Member
Aug 12, 2001
109
0
316
Thanks, but each time they hit our IP blocks, they are coming from a different IP. It isn't a single person doing it... It is coming from scanning software that people run to find open FTP servers that will allow then anonymous FTP upload and download so they can distribute pirated software.

I wouldn’t have even noticed it since it only lasts a few minutes, but we have some new monitoring software that pages me when the load gets too high.
 

rpmws

Well-Known Member
Aug 14, 2001
1,822
8
318
back woods of NC, USA
[quote:cd0fcc3db7][i:cd0fcc3db7]Originally posted by jumpdomain[/i:cd0fcc3db7]

Thanks, but each time they hit our IP blocks, they are coming from a different IP. It isn't a single person doing it... It is coming from scanning software that people run to find open FTP servers that will allow then anonymous FTP upload and download so they can distribute pirated software.

I wouldn’t have even noticed it since it only lasts a few minutes, but we have some new monitoring software that pages me when the load gets too high.
[/quote:cd0fcc3db7]

Just curious .. I get these all the time and if I remember correctly it is from some weird domain like wanadoo.fr
..or something like that ... does that ring a bell ?
 

jumpdomain

Well-Known Member
Aug 12, 2001
109
0
316
rpmws,

Yes, that is the usual domain they come from... I suspect it is a large ISP in France. I am tempted to block their entire IP block but I am not 100% sure that we do not have any legitimate customers who also use them.
 

WildWayz

Well-Known Member
Aug 14, 2001
209
0
316
I get LOADS of hack attempts from wandaloo.fr - and I have emailed them many, many times about it - each time they don't reply.

I believe wandaloo.fr is a HUGE ISP in France that owns Freeserve in the UK (from memory).

Also, I get a lot of people trying to ftp into my server using ftp/anonymous - but both of them are blocked, so they get denied.

--James
 

jumpdomain

Well-Known Member
Aug 12, 2001
109
0
316
Unless I am mistaken, anonymous FTP access to each IP based site is turned on by default when you create the account.

Anyone know an easy way to disable it so the user has to turn it on?
 

indiboi

Well-Known Member
Aug 14, 2001
89
0
306
i think that blocking the percentage of (possibly non existant) legitimate users is worth the risk with wandaloo.fr.
 

shawnvan

Registered
Nov 15, 2003
3
0
151
hosts.deny only applies to the services listed in /etc/inetd.conf
check that file to see what services are listed