Hi,

Over the past couple of weeks I've been receiving these:

Jun 30 23:38:12 server proftpd[21161]: www.example.com (64.246.22.6[64.246.22.6]) - FTP session closed.
Jun 30 23:38:12 server proftpd[21168]: www.example.com (64.246.22.6[64.246.22.6]) - FTP session opened.
Jun 30 23:38:12 server proftpd[21169]: www.example.com (64.246.22.6[64.246.22.6]) - FTP session opened.
Jun 30 23:38:12 server proftpd[21163]: www.example.com (64.246.22.6[64.246.22.6]) - no such user 'Administrator'
Jun 30 23:38:12 server proftpd[21171]: www.example.com (64.246.22.6[64.246.22.6]) - FTP session opened.
Jun 30 23:38:12 server proftpd[21162]: www.example.com (64.246.22.6[64.246.22.6]) - no such user 'Administrator'

continually every second.

The IPs that have done this are:

60.195.251.146/32
64.246.22.6/32
202.51.30.170/32
218.22.167.94/32

I've emailed the abuse addresses of these networks reporting this denial of service activity and have blacklisted those IPs within shorewall.

What else can I do to guard against this type of activity?

Also, as I check my logs manually for these, if there's an automated system / script I could use (like denyhosts?) which would automatically detect this type of DoS and blacklist the IP, I'd love to know.

Thanks.

Michael.
Michael Mansour wrote:
> Hi,
>
> Over the past couple of weeks I've been receiving these:
>
> continually every second.
>
> What else can I do to guard against this type of activity?

I suggest using the Limit action -- http://www.shorewall.net/PortKnocking.html#id2460417

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Hi Tom.

I looked at that link.
I currently use this (in the "rules" file)

ACCEPT net $FW tcp ssh - - 2/min:4

This seems to work. How does this compare?
Should I change?

/Kristian.

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: 30 June 2006 21:26
To: Shorewall Users
Subject: Re: [Shorewall-users] Thousands of ftp requests/login attempts from IP's

Michael Mansour wrote:
> Hi,
>
> Over the past couple of weeks I've been receiving these:
>
> continually every second.
>
> What else can I do to guard against this type of activity?

I suggest using the Limit action -- http://www.shorewall.net/PortKnocking.html#id2460417

-Tom
K wrote:
> Hi Tom.
>
> I looked at that link.
> I currently use this (in the "rules" file)
> ACCEPT net $FW tcp ssh - - 2/min:4
>
> This seems to work. How does this compare?
> Should I change?

Your rule limits SSH connections to 2/min TOTAL. The Limit action limits connections on a per-IP address basis.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Karsten Bräckelmann
2006-Jul-05 01:48 UTC
Re: Thousands of ftp requests/login attempts from IP's
On Fri, 2006-06-30 at 12:48 -0700, Tom Eastep wrote:
> K wrote:
> > I looked at that link.
> > I currently use this (in the "rules" file)
> > ACCEPT net $FW tcp ssh - - 2/min:4
> >
> > This seems to work. How does this compare?
> > Should I change?
>
> Your rule limits SSH connections to 2/min TOTAL. The Limit action limits
> connections on a per-IP address basis.

Maybe stating the obvious here, but...

Yes, you should change (taken with a grain of salt regarding your use case). The issue with your rule is that it is global -- which means, while there is an ongoing brute force attempt, this effectively DoS's your SSH server and does not accept connections by you either. Of course this makes a DoS attempt way more easy and cheap, too.

The advantage of the Limit action is that it restricts connection attempts on a per-IP basis -- so even while the attacker's packets will be dropped, you still can remotely log in to that machine.

On a personal note: The generic Limit SSH example by Tom seriously kicks ass and works perfectly. It is fun to watch all those lousy attempts stopping after the first few tries...

Karsten
--
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
http://www.catb.org/~esr/faqs/smart-questions.html
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
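Two points in this thread lend themselves to one worked example: Michael's wish for a script that detects the "no such user" pattern per source address, and Tom's and Karsten's distinction between a global rate on an ACCEPT rule and the per-IP limiting of the Limit action. The Python below is an added illustration, not code from the thread or from Shorewall: it parses the proftpd syslog lines quoted above (the year is assumed, since syslog omits it), counts login failures per IP, and runs the same "FTP session opened" events through a per-IP and a global sliding-window limiter. The admin address 192.0.2.10 and the PIDs 21172/21180 are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog form of the proftpd lines quoted in the thread (year assumed; syslog omits it).
LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: \S+ "
                    r"\((?P<ip>[\d.]+)\[[\d.]+\]\) - (?P<msg>.*)$")
def events(lines, year=2006):
    """Yield (timestamp, source_ip, message) for every line that matches LOG_RE."""
    for m in filter(None, map(LOG_RE.match, lines)):
        yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"], m["msg"]
class Limiter:
    """Sliding window allowing at most `burst` events per `period` seconds.
    per_ip=True keys the window by source address (what the Limit action does);
    per_ip=False shares one window across all sources (a plain 2/min:4 style rate)."""
    def __init__(self, burst, period, per_ip):
        self.burst, self.period, self.per_ip = burst, period, per_ip
        self.windows = defaultdict(deque)
    def allow(self, ts, ip):
        w = self.windows[ip if self.per_ip else "*"]
        while w and (ts - w[0]).total_seconds() >= self.period:
            w.popleft()  # expire events that fell out of the window
        if len(w) >= self.burst:
            return False
        w.append(ts)
        return True

def simulate(lines, limiter):
    """Feed 'FTP session opened' events to the limiter; return {ip: (allowed, dropped)}."""
    tally = defaultdict(lambda: [0, 0])
    for ts, ip, msg in events(lines):
        if msg == "FTP session opened.":
            tally[ip][0 if limiter.allow(ts, ip) else 1] += 1
    return {ip: tuple(v) for ip, v in tally.items()}

def failed_logins(lines):
    """Per-IP count of 'no such user' failures, the signal a denyhosts-style tool acts on."""
    counts = defaultdict(int)
    for _, ip, msg in events(lines):
        if msg.startswith("no such user"):
            counts[ip] += 1
    return dict(counts)

# Constructed sample: the thread's attacker hammering FTP, then a legitimate admin (assumed 192.0.2.10).
SAMPLE = [f"Jun 30 23:38:12 server proftpd[{pid}]: www.example.com (64.246.22.6[64.246.22.6]) - {msg}"
          for pid, msg in [(21168, "FTP session opened."), (21169, "FTP session opened."),
                           (21163, "no such user 'Administrator'"), (21171, "FTP session opened."),
                           (21162, "no such user 'Administrator'"), (21172, "FTP session opened.")]
          ] + ["Jun 30 23:38:13 server proftpd[21180]: www.example.com (192.0.2.10[192.0.2.10]) - FTP session opened."]
```

With a burst of 2 per 60 s, the per-IP limiter drops the attacker's excess attempts and still admits the admin, while the global limiter locks the admin out as well, which is exactly the lockout Karsten describes.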
Cristian Rodriguez
2006-Jul-05 02:55 UTC
Re: Thousands of ftp requests/login attempts from IP's
Karsten Bräckelmann wrote:
> On a personal note: The generic Limit SSH example by Tom seriously kicks
> ass and works perfectly. It is fun to watch all those lousy attempts
> stopping after the first few tries...
>

Indeed :) it is working perfectly here too ;-)