I am sure I am not the only one... I check our servers several times per day. Every now and then when I go in, I notice the load average is above 5.00 (normal for our servers is below 1.00 with an occasional spike above 1.00). I then see a number of proftpd processes running using ps.
Thus, I then go to
vi /var/log/messages
to view the proftpd access messages, and there are many coming from the same IP # hitting each IP on our server (we have over 100 IPs) several times per second.
Jan 24 11:06:31 ns proftpd[29644]: 55.77.55.98 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
Jan 24 11:06:31 ns proftpd[29645]: 55.77.55.99 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
Jan 24 11:06:32 ns proftpd[29646]: 55.77.55.100 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
Jan 24 11:06:33 ns proftpd[29654]: 55.77.55.101 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
Jan 24 11:06:35 ns proftpd[29655]: 55.77.55.102 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
Jan 24 11:06:38 ns proftpd[29728]: 55.77.56.118 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session opened.
Jan 24 11:06:38 ns proftpd[29729]: 55.77.56.119 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session opened.
Jan 24 11:06:50 ns proftpd[29729]: 55.77.56.119 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
Jan 24 11:06:50 ns proftpd[29728]: 55.77.56.118 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
I then drop the attacking IP by using
/sbin/route add -host 80.135.214.89 reject
where 80.135.214.89 is the offending IP.
This stops the attack.
My question to you who may read this is, how can we stop this attack automatically before it happens?
Can't you do something in CPanel, Nick, to stop these attacks or at least notify the server owner if the load average spikes above a certain level?
This type of attack is a security hazard as the attack is an attempt to access the server via proftpd.
Oh, and if you think this attack has not happened to you, think again. It is very common. Check your logs:
vi /var/log/messages
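The pattern the poster spots by eye (one client address sweeping many of the server's IPs within seconds) can be picked out of /var/log/messages automatically. The script below is an added example, not the poster's or cPanel's code; the sample lines are the post's own log plus one constructed benign session, and the 60-second window and five-target threshold are assumed values to tune for your own servers.

```python
import re
from collections import Counter
from datetime import datetime
# Constructed sample: the post's own log lines plus one benign single session.
SAMPLE_LOG = """\
Jan 24 11:06:31 ns proftpd[29644]: 55.77.55.98 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
Jan 24 11:06:31 ns proftpd[29645]: 55.77.55.99 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
Jan 24 11:06:32 ns proftpd[29646]: 55.77.55.100 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
Jan 24 11:06:33 ns proftpd[29654]: 55.77.55.101 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
Jan 24 11:06:35 ns proftpd[29655]: 55.77.55.102 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
Jan 24 11:06:38 ns proftpd[29728]: 55.77.56.118 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session opened.
Jan 24 11:06:38 ns proftpd[29729]: 55.77.56.119 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session opened.
Jan 24 11:07:02 ns proftpd[29801]: 55.77.55.98 (example.invalid[198.51.100.7]) - FTP session opened.
"""
# syslog prefix, then: proftpd[pid]: <server ip> (<rdns>[<client ip>]) - FTP session opened|closed.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: "
    r"(?P<server>\d+(?:\.\d+){3}) \(\S*\[(?P<client>\d+(?:\.\d+){3})\]\) "
    r"- FTP session (?:opened|closed)\.$")

def parse_line(line):
    """Return (seconds, client_ip, server_ip), or None for lines that are not proftpd sessions."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps carry no year; seconds from a fixed origin are enough for windowing
    dt = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return (dt - datetime(1900, 1, 1)).total_seconds(), m["client"], m["server"]

def find_scanners(lines, window_seconds=60, min_targets=5):
    """Map client IP -> most distinct server IPs it touched in any window; keep those >= min_targets."""
    by_client = {}
    for secs, client, server in sorted(e for e in map(parse_line, lines) if e):
        by_client.setdefault(client, []).append((secs, server))
    flagged = {}
    for client, hits in by_client.items():
        counts, start, best = Counter(), 0, 0
        for secs, server in hits:
            counts[server] += 1
            while hits[start][0] < secs - window_seconds:  # expire hits outside the window
                counts[hits[start][1]] -= 1
                start += 1
            best = max(best, len(+counts))  # +Counter drops entries that reached zero
        if best >= min_targets:
            flagged[client] = best
    return flagged

def block_command(ip):
    """The null route the post applies by hand, returned as text rather than executed."""
    return f"/sbin/route add -host {ip} reject"
```

Run `find_scanners(open("/var/log/messages").readlines())` from cron and feed any flagged address to `block_command` (or a firewall rule) only after checking it is not one of your own monitoring hosts, since the threshold is a heuristic.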