marvelsoft asked:
Prevent VSFTPD From Flooding Connection

Experts,

Is there a way to stop vsftpd from flooding connections?
These are the logs:

Jan 1 09:17:24 gateway vsftpd: (pam_unix) check pass; user unknown
Jan 1 09:17:24 gateway vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=xxx.xxx.xxx.xxx
Jan 1 09:17:27 gateway vsftpd: (pam_unix) check pass; user unknown
Jan 1 09:17:27 gateway vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=xxx.xxx.xxx.xxx
Jan 1 09:17:29 gateway vsftpd: (pam_unix) check pass; user unknown
Jan 1 09:17:29 gateway vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=xxx.xxx.xxx.xxx
Jan 1 09:17:32 gateway vsftpd: (pam_unix) check pass; user unknown
Jan 1 09:17:32 gateway vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=xxx.xxx.xxx.xxx
Jan 1 09:17:34 gateway vsftpd: (pam_unix) check pass; user unknown
Jan 1 09:17:34 gateway vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=xxx.xxx.xxx.xxx

Thanks:)

Blaz replied:

Are all these connections from a single IP address? In iptables you can limit the number of connections initiated from a single IP source in a short amount of time (adopted from http://www.webhostingtalk.com/archive/thread/456571-1.html):

iptables -I INPUT -p tcp --dport 21 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 21 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

This will limit incoming connections to port 21 to no more than 3 attempts in a minute. Any more will be dropped.


marvelsoft (asker):
Yes, that will block after 3 counts, but it still continuously loops connections anonymously, which affects your bandwidth that way.

Blaz:

I don't quite understand what you mean by "it continuously loops connections anonymously".

You can't control what TCP connection request packets your server receives unless your ISP filters such packets before they get to your server. And these are the only packets that consume your bandwidth (very little bandwidth) apart from the first 3 attempts.

If you always receive the requests from the same IP addresses you can create a blacklist - that way you also eliminate the first 3 attempts.

I can't think of a more bandwidth-friendly solution.
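
The rate limit above (4 hits in 60 seconds via the iptables recent module) and the blacklist idea can both be checked against the log before touching the firewall. The following Python script is an added example, not code from this thread: it applies the same "N failures in M seconds" rule to pam_unix failure lines from auth.log, reports which remote hosts cross the threshold, and emits the per-source DROP rules a blacklist would need. The sample log lines are constructed to mirror the question's format, the 192.0.2.x addresses are documentation-range placeholders, and the log year (syslog lines carry none) is an assumption.

```python
"""Find remote hosts flooding vsftpd with PAM authentication failures.

Added example, not from the original thread. Applies a sliding-window
"hitcount within seconds" rule to auth.log lines, like the iptables
recent module does to SYN packets, so a defender can confirm the flood
and build a source blacklist from the log itself.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog timestamps have no year; this value is an assumption for parsing.
LOG_YEAR = 2009

# Matches the "(pam_unix) authentication failure; ... rhost=<addr>" lines.
FAILURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ vsftpd: "
    r"\(pam_unix\) authentication failure;.*\brhost=(?P<rhost>\S+)"
)

# Constructed sample: one host failing every 2-3 seconds (the pattern in the
# question) and one host with two failures more than a minute apart.
SAMPLE_LOG = """\
Jan 1 09:17:24 gateway vsftpd: (pam_unix) check pass; user unknown
Jan 1 09:17:24 gateway vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10
Jan 1 09:17:27 gateway vsftpd: (pam_unix) check pass; user unknown
Jan 1 09:17:27 gateway vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10
Jan 1 09:17:29 gateway vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10
Jan 1 09:17:30 gateway vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.55
Jan 1 09:17:32 gateway vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10
Jan 1 09:17:34 gateway vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10
Jan 1 09:19:40 gateway vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.55
"""


def parse_failures(text):
    """Yield (timestamp, rhost) for every PAM authentication failure line."""
    for line in text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue  # "check pass" and unrelated lines carry no rhost
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["rhost"]


def flooding_hosts(text, seconds=60, hitcount=4):
    """Return {rhost: (time_threshold_first_reached, total_failures)}.

    A host is flagged on the failure that makes `hitcount` failures fall
    inside the trailing `seconds` window, matching --seconds/--hitcount.
    """
    windows = defaultdict(deque)
    totals = defaultdict(int)
    flagged = {}
    for ts, rhost in parse_failures(text):
        totals[rhost] += 1
        window = windows[rhost]
        window.append(ts)
        # Drop timestamps that have aged out of the window.
        while (ts - window[0]).total_seconds() > seconds:
            window.popleft()
        if len(window) >= hitcount and rhost not in flagged:
            flagged[rhost] = ts
    return {host: (flagged[host], totals[host]) for host in flagged}


def blacklist_rules(flagged, dport=21):
    """Build per-source iptables DROP rules for the flagged hosts."""
    return [
        f"iptables -I INPUT -p tcp --dport {dport} -s {host} -j DROP"
        for host in sorted(flagged)
    ]


if __name__ == "__main__":
    offenders = flooding_hosts(SAMPLE_LOG)
    for host, (when, total) in offenders.items():
        print(f"{host}: threshold hit at {when:%H:%M:%S}, {total} failures total")
    for rule in blacklist_rules(offenders):
        print(rule)
```

Run it against a real file with `flooding_hosts(open("/var/log/auth.log").read())`. Note that the firewall rule and this check count different things: the recent module counts new TCP connections, while the log only shows attempts that reached PAM, so a host can be dropped by iptables before it ever produces a new auth.log line.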
marvelsoft (asker):

I already tried blocking it using:

iptables -I INPUT -p tcp --dport 21 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 21 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

and it works.

After I implemented this and checked the auth.log, the looping connection is still there, looping every 3 seconds (see logs above). I think they are using software that floods the FTP server.
ASKER CERTIFIED SOLUTION (Blaz)