mpope2

Well-Known Member
Feb 8, 2002
73
0
306
I have been noticing an increasing amount of "ftp port scans" (Don't know if that is the correct term, but it seems to explain it best). Anyways, in /var/log/messages I see the following:


May 23 12:40:08 bn1 proftpd[20025]: x.x.x.32 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
May 23 12:40:08 bn1 proftpd[20028]: x.x.x.109 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
May 23 12:40:08 bn1 proftpd[20031]: x.x.x.108 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
May 23 12:40:08 bn1 proftpd[20033]: x.x.x.73 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
May 23 12:40:08 bn1 proftpd[20032]: x.x.x.106 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
May 23 12:40:08 bn1 proftpd[19988]: x.x.x.10 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session closed.
May 23 12:40:08 bn1 proftpd[20034]: x.x.x.16 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
May 23 12:40:11 bn1 proftpd[20035]: x.x.x.20 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session opened.
May 23 12:40:14 bn1 proftpd[19979]: x.x.x.59 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session closed.
May 23 12:40:15 bn1 proftpd[19982]: x.x.x.54 (kbl-tnz6815.zeelandnet.nl[62.238.58.211]) - FTP session closed.

Whenever this happens, it causes the load to increase dramatically, from about 1.4 to 30.0 or so.

Anyone know how I can stop these scans? I do have portsentry running which I would assume would detect and drop these scans, but this does not seem to be the case. Also, from the looks of the log file, these ftp sessions are being opened successfully? This cannot be good as I would assume that this would be a security vulnerability.

This server is running Red Hat 7.1 with Cpanel / whm. Please help me fix this!
 
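To make the pattern in that log concrete, here is an added example (it is not from the thread and not part of cPanel, proftpd or portsentry) that parses proftpd "FTP session opened/closed" lines of the kind shown above and flags a single remote address that opens sessions against many different local addresses inside a short window, which is exactly what a sequential scan across a multi-IP box looks like. The log lines embedded in it are constructed using RFC 5737 documentation addresses, the hostname "bn1" is borrowed from the post, the 60-second window and 10-target threshold are assumed values, and it targets a current Python 3 rather than whatever Python shipped with Red Hat 7.1.

```python
"""Flag one remote host opening FTP sessions to many local addresses quickly.

Added example, not code from the thread. Parses proftpd syslog lines of the form
  May 23 12:40:08 bn1 proftpd[20025]: <local-ip> (<rhost>[<rip>]) - FTP session opened.
and reports sources whose distinct local targets within a sliding time window
reach a threshold. Thresholds below are assumptions, not measured values.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ proftpd\[\d+\]: "
    r"(?P<dst>\S+) \((?P<src_host>[^\[]*)\[(?P<src_ip>[^\]]+)\]\) "
    r"- FTP session (?P<event>opened|closed)\.$"
)


def parse_line(line):
    """Return a dict for a proftpd session line, or None for anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # syslog timestamps carry no year; year 1900 is fine for deltas inside one log
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {
        "ts": ts,
        "dst": m.group("dst"),
        "src_host": m.group("src_host"),
        "src_ip": m.group("src_ip"),
        "event": m.group("event"),
    }


def find_scanners(lines, window_seconds=60, min_targets=10):
    """Map src_ip -> largest number of distinct local addresses it opened
    sessions to within any window_seconds span, for sources that reach
    min_targets. Sources below the threshold are omitted."""
    opens = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["event"] == "opened":
            opens[ev["src_ip"]].append((ev["ts"], ev["dst"]))

    hits = {}
    for src, events in opens.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it fits inside window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


# Constructed sample: one host sweeping 12 local addresses in three seconds,
# one ordinary client reconnecting to a single address, and an unrelated line.
SAMPLE_LOG = "\n".join(
    [
        "May 23 12:40:%02d bn1 proftpd[%d]: 203.0.113.%d "
        "(scanner.example.net[192.0.2.10]) - FTP session opened." % (8 + i // 4, 20000 + i, 10 + i)
        for i in range(12)
    ]
    + [
        "May 23 12:40:09 bn1 proftpd[19988]: 203.0.113.10 (scanner.example.net[192.0.2.10]) - FTP session closed.",
        "May 23 12:41:30 bn1 proftpd[20100]: 203.0.113.5 (client.example.org[198.51.100.7]) - FTP session opened.",
        "May 23 12:41:31 bn1 proftpd[20101]: 203.0.113.5 (client.example.org[198.51.100.7]) - FTP session opened.",
        "May 23 12:41:40 bn1 sshd[20102]: Accepted password for someone from 198.51.100.7",
    ]
)


def scan_sample():
    """Run the detector over the constructed sample with the assumed thresholds."""
    return find_scanners(SAMPLE_LOG.splitlines(), window_seconds=60, min_targets=10)


if __name__ == "__main__":
    for src, n in scan_sample().items():
        print("%s opened sessions to %d local addresses within 60s" % (src, n))
```

Run it against a copy of /var/log/messages (for example `find_scanners(open("/var/log/messages"))`) from a cron job or a log tailer; the distinct-target count is the signal, since a legitimate client reconnecting to one address never trips it while a sweep across a class C does, and the output is a list of source addresses you can feed to whatever blocking you already use. Detection does not by itself cap the load, which is why a server-side connection limit is the complementary fix.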

rpmws

Well-Known Member
Aug 14, 2001
1,787
10
318
back woods of NC, USA
I have been seeing the same thing for 2 years now and it aggravates the hell out of me. Loads go from .05 to 3.00. I tried blocking the IP but they just come back with another. I do know that the fewer the IPs you have on one machine the better. A machine with 3 IPs has no problem :)
 

mpope2

Well-Known Member
Feb 8, 2002
73
0
306
There should be a way to prevent this. I am thinking portsentry should be able to detect sequential scanning of ftp ports, correct? Maybe we need to just get on those portsentry guys for a new feature! The particular machine that is having the most problems has around 150 IP addresses on it.
 

rpmws

Well-Known Member
Aug 14, 2001
1,787
10
318
back woods of NC, USA
The one I see it happen to has a full class c on it and FTP gets opened on all IPs in about 30 seconds. :(
 

griz

Well-Known Member
Dec 29, 2001
47
0
306
me too

I'm getting this too.

What about a script that runs on a 1 minute cron and checks for high server load? When the load spikes, the script kills all proftpd processes....any thoughts on this before I try it?

Griz
 

griz

Well-Known Member
Dec 29, 2001
47
0
306
re

the proftpd manual had a better answer:

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
 

griz

Well-Known Member
Dec 29, 2001
47
0
306
re

Just as a postscript on this issue.

I added the MaxInstances config to /etc/proftpd.conf yesterday, encountered another FTP DoS attack last night, and it worked beautifully.

Keeping my fingers crossed that this is the answer. It appears to be so.

Griz
 

bmcpanel

Well-Known Member
Jun 1, 2002
544
0
316
I just witnessed sequential portscanning via proftpd bring my load average to above 30.00.

I am going to try this also.