The Tuesday 2007-04-24 at 10:15 -0400, James Knott wrote:
> > I am experiencing an excessive load from the internet that looks like some kind of attack. The log entries that repeat over and over are:
> >
> > Apr 22 11:14:54 bonza proftpd[10488]: bonza.rbpllc.com (216.101.241.110[216.101.241.110]) - FTP session opened.
> > Apr 22 11:14:54 bonza proftpd[10488]: bonza.rbpllc.com (216.101.241.110[216.101.241.110]) - no such user 'alexander'
A dictionary attack on the ftp server, I guess. The incoming address does not resolve, thus the secondary error:

cer@nimrodel:~> host 216.101.241.110
Host 110.241.101.216.in-addr.arpa not found: 2(SERVFAIL)

but:

cer@nimrodel:~> whois 216.101.241.110
SBC Internet Services SBCIS-SIS80 (NET-216-100-0-0-1)
                                  216.100.0.0 - 216.103.255.255
Barracuda Networks SBC21610124100024051011130804 (NET-216-101-241-0-1)
                                  216.101.241.0 - 216.101.241.255

# ARIN WHOIS database, last updated 2007-04-23 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
> > The biggest question is what can I do to stop this? Is there an effective firewall rule or iptables recipe that will help? The load caused the server to lock up last night, causing a great deal of havoc. Any wise advice would be welcomed.
> Do you actually have an FTP server available? If so, you may want to consider a more secure method such as sftp or scp. If not, your firewall should be configured to block all such attempts. If you need to have the server available, you can configure the firewall to restrict the acceptable addresses or block known hostile sites. Without knowing more about your situation, I can't be more specific.
It is also possible, when using susefirewall, to restrict the number of connection attempts to a port. Look at the "FW_SERVICES_ACCEPT_EXT" entry:

## Type:        string
## Default:
#
# Services to allow. This is a more generic form of FW_SERVICES_{IP,UDP,TCP}
# and more specific than FW_TRUSTED_NETS
#
# Format: space separated list of net,protocol[,dport[,sport[,flags]]]
# Example: "0/0,tcp,22"
#
# Supported flags are
#   hitcount=NUMBER     : ipt_recent --hitcount parameter
#   blockseconds=NUMBER : ipt_recent --seconds parameter
#   recentname=NAME     : ipt_recent --name parameter
# Example:
#   Allow max three ssh connects per minute from the same IP address:
#   "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
#
# The special value _rpc_ is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.
#
FW_SERVICES_ACCEPT_EXT="0/0,tcp,21,,hitcount=3,blockseconds=60,recentname=ftp"

-- 
Cheers,
       Carlos E. R.

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
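An added example, not code from the thread or from SuSEfirewall2: it shows what the hitcount/blockseconds/recentname flags quoted above amount to as raw iptables rules using the recent (ipt_recent) match, and a small scan of proftpd log lines in the format the original poster showed, tallying "no such user" failures per source address and emitting explicit DROP rules for the worst offenders. The rendering of the rate-limit rules is my own reading of the flags' intent; the rule set SuSEfirewall2 actually generates may differ in detail. The log lines are constructed for the example (216.101.241.110 is the address from the thread; the other addresses are RFC 5737 documentation ranges), and all rules are printed rather than applied, so the script runs unprivileged.

```shell
#!/bin/sh
# Added example (not from the original thread). Prints rules instead of
# running iptables, so it can be executed without root.

# 1. Rate limit with the recent match: check the list first, then record
#    the connection. With the check placed before --set, the fourth NEW
#    connection from one address inside 60 seconds is dropped, i.e.
#    "max three connects per minute", matching the flags quoted above.
ftp_ratelimit_rules() {
    cat <<'EOF'
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --name ftp --update --seconds 60 --hitcount 3 -j DROP
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --name ftp --set -j ACCEPT
EOF
}

# Constructed sample log, modelled on the two proftpd lines in the thread.
# The first address is the one the original poster saw; 192.0.2.7 and
# 198.51.100.4 are documentation addresses (assumed, for illustration).
sample_log() {
    cat <<'EOF'
Apr 22 11:14:54 bonza proftpd[10488]: bonza.rbpllc.com (216.101.241.110[216.101.241.110]) - FTP session opened.
Apr 22 11:14:54 bonza proftpd[10488]: bonza.rbpllc.com (216.101.241.110[216.101.241.110]) - no such user 'alexander'
Apr 22 11:14:55 bonza proftpd[10489]: bonza.rbpllc.com (216.101.241.110[216.101.241.110]) - no such user 'alexandra'
Apr 22 11:14:56 bonza proftpd[10490]: bonza.rbpllc.com (216.101.241.110[216.101.241.110]) - no such user 'alexis'
Apr 22 11:15:02 bonza proftpd[10491]: bonza.rbpllc.com (192.0.2.7[192.0.2.7]) - no such user 'bob'
Apr 22 11:15:10 bonza proftpd[10492]: bonza.rbpllc.com (198.51.100.4[198.51.100.4]) - FTP session opened.
Apr 22 11:15:40 bonza proftpd[10492]: bonza.rbpllc.com (198.51.100.4[198.51.100.4]) - FTP session closed.
EOF
}

# 2. Count "no such user" failures per client address, read from stdin.
#    The address is taken from the "(ip[ip])" field proftpd writes.
#    Output lines are "<count> <ip>", most failures first.
failed_logins_per_ip() {
    grep 'no such user' |
        sed -n 's/.*(\([0-9.][0-9.]*\)\[[0-9.]*]).*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# Emit an explicit DROP for every address at or above the threshold
# (default: 3 failures). Reads log lines on stdin.
block_rules() {
    threshold="${1:-3}"
    failed_logins_per_ip |
        awk -v t="$threshold" '$1 >= t {
            printf "iptables -I INPUT -s %s -p tcp --dport 21 -j DROP\n", $2
        }'
}

# Stand-alone run: rate-limit rules, the per-address tally, then the
# explicit blocks for the sample log.
ftp_ratelimit_rules
sample_log | failed_logins_per_ip
sample_log | block_rules 3
```

On a real host the tally would be fed from the proftpd log (for example `tail -n 1000 /var/log/proftpd.log | block_rules 5`) and the printed rules piped to sh after review; the rate-limit pair is the thing to install permanently, while per-address DROPs are a stopgap against the one source that is currently hammering the box.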