large spike in pure-ftpd attacks

Yeah - i got a significant spike coming out of China. Distributed IP's too.

 

It can be done but I don't find it particularly useful for most attacks. Generally you'll see distributed attacks nowadays, though of course there are exceptions where it can be useful. Personally I find it to do more harm than good, but CSF has a setting for it if you want to try it out:

Code:

# Permanently block IPs by network class. The following enables this feature
# to permanently block classes of IP address where individual IP addresses
# within the same class LF_NETBLOCK_CLASS have already been blocked more than
# LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set
# LF_NETBLOCK  to "1" to enable this feature
#
# This can be an affective way of blocking DDOS attacks launched from within
# the same network class
#
# Valid settings for LF_NETBLOCK_CLASS are "A", "B" and "C", care and
# consideration is required when blocking network classes A or B
#
# Set LF_NETBLOCK to "0" to disable this feature
LF_NETBLOCK = "0"
LF_NETBLOCK_INTERVAL = "86400"
LF_NETBLOCK_COUNT = "4"
LF_NETBLOCK_CLASS = "C"
LF_NETBLOCK_ALERT = "1"

If I were going to use this I would recommend setting LF_NETBLOCK to 1 to enable it, leaving the other settings intact as above except for LF_NETBLOCK_COUNT which I would set to 10 or so. That way if 10 IPs in one class C are blocked, the whole class C gets blocked.

 

I have had some reports from customers where they are getting an error that the FTP server says "Max of 50 users" and isn't letting them connect. This is when I found the spike of brute force attacks taking place. The bad guys are definitely using distributed IPs and are purposely throttling their password guessing, staying under the radar. I have CSF set to block IPs after a certain number of incorrect login attempts, and they are staying under that level. I've lowered the level at which I block, and also have had to increase the max FTP users to 75 in the pure-ftpd config in WHM.

- Scott