LinuxQuestions.org
Forums > Linux Forums > Linux - Security
#1  07-18-2004, 02:25 PM  zepplin611 (Member; Distribution: AIX 4.3 RH 7,8,9 / Fedora C1)
Help with ftp-server security


I am running an anonymous ftp server...accessible from only specific sites that I allow. These
sites are few enough to manually change on any kind of a temporal basis that I choose.

I was poring over the logs recently and found:

Jul 11 08:58:14 ser xinetd[29270]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:14 ser xinetd[29271]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:15 ser xinetd[29272]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:15 ser xinetd[29273]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:15 ser xinetd[29274]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:15 ser xinetd[29275]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:16 ser xinetd[29276]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:16 ser xinetd[29277]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:16 ser xinetd[29278]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:16 ser xinetd[29279]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:17 ser xinetd[29280]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:17 ser xinetd[29281]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:17 ser xinetd[29282]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:18 ser xinetd[29283]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:18 ser xinetd[29284]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:18 ser xinetd[29285]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:18 ser xinetd[29286]: FAIL: ftp libwrap from=212.202.30.202

It seems that many attempts to ftp to my server are being made from the listed IP address...

My question is, if these attempts were to increase in frequency (i.e. 1000s per minute), could
this shut down my server? (i.e. DoS attack) What can I do to prevent this from happening (that
is, besides contacting the ISP of the server that is being refused by libwrap)?

What should I be most worried about here?

thanks

zepp
 
#2  07-18-2004, 05:21 PM  ilikejam (Senior Member, Glasgow; Distribution: Fedora / Solaris)
Hi.

Yes, if the frequency does get a lot higher, it could cause a DoS. I would first make sure your firewall is properly locked down (just in case your attacker decides to look for other ways to attack).
Next I would get your firewall to silently drop all packets from that IP, so that your machine becomes invisible to him. If he's really serious about the attack, this won't make a whole lot of difference, but losing sight of your machine could be enough to make him stop, thinking you're offline.
If it does turn into a DoS, get your ISP to drop any packets from his IP for you - your ISP will be better equipped to deal with an attack than you in terms of bandwidth and processing time to do the filtering.
I would send a copy of your logs to his ISP too, if things get worse.

Dave
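The two practical questions in this exchange are "how bursty is this source actually" and "how do I drop it silently". The script below is an added example written for this thread (it is not code from either poster): it parses the xinetd `FAIL: <service> libwrap from=<ip>` lines in the format quoted in the first post, reports the total and the peak per-second rate for each source address, and emits, as text only, the iptables DROP rule that implements the "silently drop all packets from that IP" advice. SAMPLE_LOG combines the lines quoted in the thread with one constructed line for a second address (192.0.2.10, a documentation range); MAX_PER_SECOND is an assumed threshold for the demonstration, not a tuning recommendation.

```python
"""Rate analysis of xinetd libwrap refusals.

Added example for this thread, not code from the original posts. Parses
"FAIL: <service> libwrap from=<ip>" lines as written by xinetd to syslog,
computes per-source totals and per-second peaks, and proposes an iptables
DROP rule (as a string; nothing is executed) for sources above a threshold.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# One xinetd refusal line: syslog timestamp, host, xinetd[pid], service, source.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"xinetd\[(?P<pid>\d+)\]: FAIL: (?P<svc>\S+) libwrap "
    r"from=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# Sample input: the lines quoted in the thread, plus one constructed line
# for a second, well-behaved source (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
Jul 11 08:58:14 ser xinetd[29270]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:14 ser xinetd[29271]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:15 ser xinetd[29272]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:15 ser xinetd[29273]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:15 ser xinetd[29274]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:15 ser xinetd[29275]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:16 ser xinetd[29276]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:16 ser xinetd[29277]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:16 ser xinetd[29278]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:16 ser xinetd[29279]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:17 ser xinetd[29280]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:17 ser xinetd[29281]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:17 ser xinetd[29282]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:18 ser xinetd[29283]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:18 ser xinetd[29284]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:18 ser xinetd[29285]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 08:58:18 ser xinetd[29286]: FAIL: ftp libwrap from=212.202.30.202
Jul 11 09:12:03 ser xinetd[29301]: FAIL: ftp libwrap from=192.0.2.10
"""

MAX_PER_SECOND = 3  # assumption for the demo: more than this in one second is a burst


def parse_failures(log_text):
    """Yield (timestamp, service, source_ip) for every libwrap FAIL line.

    syslog timestamps have no year, so strptime defaults to 1900; that is
    fine for grouping events by second within one log file.
    """
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["svc"], m["ip"]


def refusals_per_source(log_text):
    """Return {source_ip: total refused connection attempts}."""
    return Counter(ip for _, _, ip in parse_failures(log_text))


def peak_rate_per_source(log_text):
    """Return {source_ip: most refusals seen within any single second}."""
    by_second = defaultdict(Counter)
    for ts, _, ip in parse_failures(log_text):
        by_second[ip][ts] += 1
    return {ip: max(counts.values()) for ip, counts in by_second.items()}


def drop_rules(log_text, max_per_second=MAX_PER_SECOND):
    """Return iptables commands (strings, not executed) for bursty sources.

    Inserted at position 1 of INPUT so the rule is evaluated before any
    ACCEPT; DROP rather than REJECT so the prober receives no reply at all.
    """
    return [
        f"iptables -I INPUT 1 -s {ip} -j DROP"
        for ip, rate in sorted(peak_rate_per_source(log_text).items())
        if rate > max_per_second
    ]


if __name__ == "__main__":
    totals = refusals_per_source(SAMPLE_LOG)
    for ip, peak in sorted(peak_rate_per_source(SAMPLE_LOG).items()):
        print(f"{ip:16} total={totals[ip]:3} peak/sec={peak}")
    for rule in drop_rules(SAMPLE_LOG):
        print(rule)
```

Run it against a real `/var/log/messages` (or `secure`) slice by passing the file contents to the same functions; the rule strings are meant to be reviewed before being applied, since a blanket DROP on a dynamic-pool address will eventually hit whoever inherits that address.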
 
#3  07-18-2004, 07:22 PM  zepplin611 (original poster)
thanks for the help dave...

currently, when I type iptables -L

[root@ser log]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED tcp dpt:ssh

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED


This indicates all IN/OUT/FOR are by natural policy dropped...with only specific ssh connections
allowed through the assistance of tcp-wrappers (hosts.allow/deny).

It seems I've blocked him from getting in...but generally, what should I say in the emails to
their ISP or the abuse email address?

What is the best way to get some info on someone from their IP address?

I've done: whois -v and nslookup. Anything else?

thanks again.
 
#4  07-18-2004, 08:22 PM  ilikejam
Hi again.

Was/is the attack sustained for a length of time, or was it just what you posted in the first post? It could be an automated scan if he only hit your site for a short time, in which case he's probably just testing your security and will move on once he sees your security's OK.

I'm not really an expert on iptables, but it actually looks like you're accepting connections from anywhere (the rules are examined in order, so you're accepting new connections with
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
). As I said, I'm not an expert, so don't take my word for it. I'd test your firewall at grc.com to see what an external party can see. Go to:
https://grc.com/x/ne.dll?bh0bkyd2
click continue, then click 'all service ports' and see what the results are.

'host' is a good tool for doing IP lookups. I've had a look myself, and I get the following from 'host 212.202.30.202':
Code:
202.30.202.212.in-addr.arpa domain name pointer port-212-202-30-202.dynamic.qsc.de.
Doing a whois on qsc.de gives:
Code:
[Querying whois.denic.de]
[whois.denic.de]
domain:      qsc.de
status:      connect
which is pretty un-useful. Looks like the domain has been registered with no information.

Doing 'traceroute 212.202.30.202' gives:
Code:
traceroute to 202.30.202.212 (202.30.202.212), 30 hops max, 38 byte packets
 1  router (192.168.0.1)  0.772 ms  0.650 ms  0.672 ms
 2  81-86-224-1.dsl.pipex.com (81.86.224.1)  29.276 ms  24.837 ms  25.030 ms
 3  eth3-1.cr1.uk5.systems.pipex.net (62.241.161.41)  25.857 ms  25.772 ms  24.108 ms
 4  ge-1-2-0.cr1.gs1.systems.pipex.net (62.241.161.97)  25.832 ms  25.014 ms  25.607 ms
 5  flag.xchangepoint.net (217.79.160.102)  25.830 ms  25.759 ms  26.332 ms
 6  62.216.129.26 (62.216.129.26)  26.565 ms  25.540 ms  25.845 ms
 7  so-2-1-0.0.core1.ldn1.flagtel.com (62.216.128.65)  25.591 ms  25.498 ms  25.831 ms
 8  ge-1-0-1.0.core2.ldn1.flagtel.com (62.216.128.58)  30.543 ms  27.109 ms  27.321 ms
     MPLS Label=104288 CoS=3 TTL=1 S=0
 9  so-2-0-0.0.core1.hkg3.flagtel.com (62.216.128.222)  236.281 ms  234.835 ms  235.543 ms
     MPLS Label=102496 CoS=3 TTL=1 S=0
10  ge-1-0-0.0.core2.hkg3.flagtel.com (62.216.128.118)  234.658 ms  232.762 ms  241.914 ms
11  so-0-3-0.0.core1.seo3.flagtel.com (62.216.128.141)  268.800 ms  268.476 ms  267.827 ms
12  ge-0-0-0.0.core1.seo2.flagtel.com (62.216.138.14)  268.769 ms  269.922 ms  267.816 ms
13  *
this is the traceroute to whoever currently has 212.202.30.202, so if it's a dynamic IP, then it might not be him (in fact, the traceroute never gets to its destination, so he's either off-line, or is hiding behind a firewall which is dropping packets.) This shows that the last machine reached is at flagtel.com, so he's probably (if he's still using that IP) on the same network as flagtel.com. Try a whois on flagtel.com and see if you can find out who their ISP or registrar is. As I said, those results are for whoever has 212.202.30.202 at the moment, so do those steps while you're under attack using the IP you're under attack from to find out where he is.

As for what to say to his ISP, I don't really know. Depending on who the ISP is, they may not even care. I would give them a sample of the logs to demonstrate what you're experiencing. If your ISP is worth its subscription, they may well be able to help. I would speak to them if you don't get any joy from his ISP. I would also bear in mind that abuse@isp.com emails often get ignored, so try going through their customer service channels too if that's the case.

Dave

Last edited by ilikejam; 07-18-2004 at 08:30 PM.
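A small piece of bookkeeping that helps when reading `host` output like the line above: reverse DNS is queried under a name whose octets are written backwards, so 212.202.30.202 is looked up as 202.30.202.212.in-addr.arpa, and an easy slip is to feed the reversed form to the next tool. The script below is an added example for this thread, not code from the post: it builds the reverse name for an address, parses `host` output of the form quoted above back into {queried address: PTR name}, and checks whether the address an ISP pool hostname spells out (port-212-202-30-202...) agrees with the address that was queried. HOST_OUTPUT is sample input embedded from the thread so the script runs offline; nothing is resolved over the network.

```python
"""Reverse-DNS bookkeeping for an address seen in the logs.

Added example for this thread, not code from the original post. Rebuilds
the in-addr.arpa name that `host <ip>` queries, parses `host` output back
into a mapping, and sanity-checks pool hostnames that embed an address.
"""
import ipaddress
import re

# Sample input: the `host` output line quoted in the thread, embedded here
# so the example runs without network access.
HOST_OUTPUT = """\
202.30.202.212.in-addr.arpa domain name pointer port-212-202-30-202.dynamic.qsc.de.
"""

# "<reverse name> domain name pointer <hostname>." with optional trailing dots.
PTR_LINE_RE = re.compile(r"^(?P<name>\S+?)\.?\s+domain name pointer\s+(?P<ptr>\S+?)\.?$")
# Four octets separated by '-' or '.', as ISP pool names often spell them.
EMBEDDED_IPV4_RE = re.compile(r"(?<!\d)(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.](\d{1,3})(?!\d)")


def reverse_name(ip):
    """in-addr.arpa (IPv4) or ip6.arpa (IPv6) name for an address."""
    return ipaddress.ip_address(ip).reverse_pointer


def ip_from_reverse_name(name):
    """Undo reverse_name() for an IPv4 in-addr.arpa label; None for anything else."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    return ".".join(reversed(octets))


def parse_host_output(text):
    """Map each queried IPv4 address to the PTR hostname that `host` printed."""
    result = {}
    for line in text.splitlines():
        m = PTR_LINE_RE.match(line.strip())
        if not m:
            continue
        ip = ip_from_reverse_name(m["name"])
        if ip is not None:
            result[ip] = m["ptr"]
    return result


def embedded_address(hostname):
    """Address a pool hostname spells out ('port-212-202-30-202...' -> '212.202.30.202')."""
    m = EMBEDDED_IPV4_RE.search(hostname)
    return ".".join(m.groups()) if m else None


def ptr_matches_query(ip, hostname):
    """True when the pool hostname names the same address that was looked up.

    A mismatch means the PTR is stale or decorative. A full forward-confirmed
    check would also resolve the hostname and compare; that needs the network.
    """
    return embedded_address(hostname) == ip


if __name__ == "__main__":
    for ip, ptr in parse_host_output(HOST_OUTPUT).items():
        print(ip, "->", ptr, "(query name:", reverse_name(ip) + ")",
              "consistent" if ptr_matches_query(ip, ptr) else "MISMATCH")
```

The consistency check is deliberately weak: it only catches PTR names that do not match the address they hang off, which is what matters when deciding whether the hostname tells you anything about the source at all.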
 
#5  07-20-2004, 05:56 PM  zepplin611 (original poster)
thanks for the help ilikejam....the ACCEPT ALL flags on my iptables report are for the loopback
device...need that. The default policy is to drop all for the INPUT, FORWARD and OUTPUT..with
the allotted exceptions listed.

your advice on the ISP bit is useful...ya' gotta figure ISPs get many reports of abuse...ones where it
occurs and where it actually isn't. I've emailed them and haven't heard a thing for 3 days now...

all you can do is be vigilant, right?

thanks again...
 
#6  07-22-2004, 06:30 PM  unSpawn (Moderator)
BTW, Xinetd does have rate limiting caps itself. Find the URI in the LQ FAQ: Security references.
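For reference, this is what those caps look like in an /etc/xinetd.d/ftp entry. It is an added illustration for this thread, not a fragment from the post or from the LQ FAQ, and the server path and the only_from network are placeholders to be replaced with your own; the numeric limits are illustrative, not recommendations. The point of putting the limits here rather than relying on libwrap alone: in the log at the top of the thread every refused attempt carries a fresh xinetd PID, so each refusal cost a forked child before tcp-wrappers said no, whereas only_from, instances, per_source and cps are enforced by the xinetd parent before it starts a child. The caveat with cps is that, once exceeded, it disables the whole service for the wait period, for every client, so a single remote can trigger it on purpose; per_source plus a firewall DROP for the offending address is the finer-grained combination.

```conf
# /etc/xinetd.d/ftp  (added example; paths and networks are placeholders)
service ftp
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.ftpd      # assumption: your ftpd binary
        log_on_success  += HOST DURATION
        log_on_failure  += HOST

        # Access control evaluated before any child is forked.
        only_from       = 192.0.2.0/24           # assumption: the sites you allow

        # Rate limiting caps (xinetd.conf(5)).
        instances       = 20                     # max concurrent ftp children overall
        per_source      = 3                      # max concurrent children per client address
        cps             = 10 60                  # above 10 new conn/s, disable ftp for 60 s
}
```

After editing, `xinetd` needs a SIGHUP (or a service restart) to reread the file; watch the log for the "service ftp deactivated" style messages that tell you cps has tripped, because that is also what a client bent on denial of service would be trying to cause.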
All times are GMT -5.