The Community Forums


FTP port scans

Discussion in 'General Discussion' started by mpope2, May 24, 2002.

  1. mpope2

    mpope2 Well-Known Member

    Joined:
    Feb 8, 2002
    Messages:
    73
    Likes Received:
    0
    Trophy Points:
    6
    I have been noticing an increasing amount of "ftp port scans" (Don't know if that is the correct term, but it seems to explain it best). Anyways, in /var/log/messages I see the following:


    May 23 12:40:08 bn1 proftpd[20025]: x.x.x.32 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
    May 23 12:40:08 bn1 proftpd[20028]: x.x.x.109 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
    May 23 12:40:08 bn1 proftpd[20031]: x.x.x.108 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
    May 23 12:40:08 bn1 proftpd[20033]: x.x.x.73 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
    May 23 12:40:08 bn1 proftpd[20032]: x.x.x.106 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
    May 23 12:40:08 bn1 proftpd[19988]: x.x.x.10 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session closed.
    May 23 12:40:08 bn1 proftpd[20034]: x.x.x.16 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
    May 23 12:40:11 bn1 proftpd[20035]: x.x.x.20 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
    May 23 12:40:14 bn1 proftpd[19979]: x.x.x.59 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session closed.
    May 23 12:40:15 bn1 proftpd[19982]: x.x.x.54 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session closed.

    Whenever this happens, it causes the load to increase dramatically, from about 1.4 to 30.0 or so.

    Anyone know how I can stop these scans? I do have portsentry running which I would assume would detect and drop these scans, but this does not seem to be the case. Also, from the looks of the log file, these ftp sessions are being opened successfully? This cannot be good as I would assume that this would be a security vulnerability.

    This server is running Red Hat 7.1 with Cpanel / whm. Please help me fix this!
     
  2. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    I have been seeing the same thing for 2 years now and it aggravates the hell out of me. Loads go from .05 to 3.00. I tried blocking the IP but they just come back with another. I do know that the fewer the IPs you have on one machine the better. A machine with 3 IPs has no problem :)
     
  3. mpope2

    mpope2 Well-Known Member

    Joined:
    Feb 8, 2002
    Messages:
    73
    Likes Received:
    0
    Trophy Points:
    6
    There should be a way to prevent this. I am thinking portsentry should be able to detect sequential scanning of ftp ports, correct? Maybe we need to just get on those portsentry guys for a new feature! The particular machine that is having the most problems has around 150 IP addresses on it.
     
  4. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    The one I see it happen to has a full class c on it and FTP gets opened on all IPs in about 30 seconds. :(
     
  5. griz

    griz Well-Known Member

    Joined:
    Dec 29, 2001
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    me too

    I'm getting this too.

    What about a script that runs on a 1 minute cron and checks for high server load? When the load spikes, the script kills all proftpd processes....any thoughts on this before I try it?

    Griz
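    Rather than killing every proftpd process when the load spikes, the pattern in the log above can be spotted directly: one remote client opening many sessions against many local IPs within the same minute. The script below is an added example, not code from the thread or from cPanel/proftpd; the first nine sample lines are the ones posted above, the last line is a constructed benign login (192.0.2.10 is a documentation address) so the report has something to ignore.

```shell
#!/bin/sh
# Added example: count proftpd "FTP session opened" events per remote
# client and per minute, then report clients above a threshold.
# Sample syslog lines: the zeelandnet.nl lines come from the thread,
# the example.net line is constructed to show a normal single login.
SAMPLE_LOG='May 23 12:40:08 bn1 proftpd[20025]: x.x.x.32 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
May 23 12:40:08 bn1 proftpd[20028]: x.x.x.109 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
May 23 12:40:08 bn1 proftpd[20031]: x.x.x.108 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
May 23 12:40:08 bn1 proftpd[20033]: x.x.x.73 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
May 23 12:40:08 bn1 proftpd[20032]: x.x.x.106 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
May 23 12:40:08 bn1 proftpd[19988]: x.x.x.10 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session closed.
May 23 12:40:08 bn1 proftpd[20034]: x.x.x.16 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
May 23 12:40:11 bn1 proftpd[20035]: x.x.x.20 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
May 23 12:40:14 bn1 proftpd[19979]: x.x.x.59 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session closed.
May 23 12:41:02 bn1 proftpd[20040]: x.x.x.5 (client.example.net[192.0.2.10]) - FTP session opened.'

# flood_report <threshold>
# Reads syslog lines on stdin and prints "Mon DD HH:MM client count"
# for every remote client that opened more than <threshold> sessions
# within one clock minute. "closed" lines are ignored on purpose:
# the flood shows up as a burst of opens, regardless of how they end.
flood_report() {
    awk -v limit="$1" '
        /proftpd\[[0-9]+\]: .* - FTP session opened\.$/ {
            # $1 $2 $3 = Mon DD HH:MM:SS; bucket by HH:MM
            minute = $1 " " $2 " " substr($3, 1, 5)
            # $7 is the remote client in the form (host[ip]); strip the parens
            client = $7
            gsub(/[()]/, "", client)
            n[minute SUBSEP client]++
        }
        END {
            for (k in n) {
                if (n[k] > limit) {
                    split(k, parts, SUBSEP)
                    print parts[1] " " parts[2] " " n[k]
                }
            }
        }'
}

# check_sample <threshold>: run the report over the embedded sample log.
check_sample() {
    printf '%s\n' "$SAMPLE_LOG" | flood_report "$1"
}

check_sample 5
```

    On a live box the same report would be fed from /var/log/messages (for instance `grep proftpd /var/log/messages | flood_report 20` from a cron job), and a client it names is a candidate for a firewall block; MaxInstances, as discussed below, caps the damage while that happens.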
     
  6. griz

    griz Well-Known Member

    Joined:
    Dec 29, 2001
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    re

    the proftpd manual had a better answer:

    # To prevent DoS attacks, set the maximum number of child processes
    # to 30. If you need to allow more than 30 concurrent connections
    # at once, simply increase this value. Note that this ONLY works
    # in standalone mode, in inetd mode you should use an inetd server
    # that allows you to limit maximum number of processes per service
    # (such as xinetd)
    MaxInstances 30
     
  7. griz

    griz Well-Known Member

    Joined:
    Dec 29, 2001
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    re

    Just as a postscript on this issue.

    I added the MaxInstances config to /etc/proftpd.conf yesterday, encountered another FTP DOS attack last night, and it worked beautifully.

    Keeping my fingers crossed that this is the answer. It appears to be so.

    Griz
     
  8. bmcpanel

    bmcpanel Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    546
    Likes Received:
    0
    Trophy Points:
    16
    I just witnessed sequential portscanning via proftpd bring my load average to above 30.00.

    I am going to try this also.
     
  9. bmcpanel

    bmcpanel Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    546
    Likes Received:
    0
    Trophy Points:
    16
    Seems to be working.
     