blocked for port scanning While using FTP to send files
Posted: 07 Jan 2012, 15:23
by williamkevenis1
My clients, when sending files to the FTP, are being blocked by port scan.
blocked for port scanning While using FTP to send files
see below
lfd on domain: 187.65.106.56 (BR/Brazil/bb416a38.domain) blocked for port scanning
Time: Thu Jan 5 19:03:09 2012 -0200
IP: 187.65.106.56 (BR/Brazil/bb416a38.domain)
Hits: 6
Blocked: Temporary Block
Sample of block hits:
Jan 5 19:02:30 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.106.56 DST=63.143.32.72 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=7134 DF PROTO=TCP SPT=57957 DPT=32672 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 5 19:02:33 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.106.56 DST=63.143.32.72 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=7169 DF PROTO=TCP SPT=57957 DPT=32672 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 5 19:02:39 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.106.56 DST=63.143.32.72 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=7287 DF PROTO=TCP SPT=57957 DPT=32672 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 5 19:02:55 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.106.56 DST=63.143.32.72 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=7696 DF PROTO=TCP SPT=58041 DPT=55416 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 5 19:02:57 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.106.56 DST=63.143.32.72 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=7727 DF PROTO=TCP SPT=58041 DPT=55416 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 5 19:03:04 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.106.56 DST=63.143.32.72 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=7810 DF PROTO=TCP SPT=58041 DPT=55416 WINDOW=65535 RES=0x00 SYN URGP=0
Re: blocked for port scanning While using FTP to send files
Posted: 08 Jan 2012, 17:39
by Sergio
I don't see any FTP ports in this log; all I see are ports like "DPT=32672" or "DPT=55416" that the offending IP wants to access. If you want to grant access to those ports (which I doubt you should), you need to include them in your TCP/IN or TCP/OUT config file. FTP port is 21.
Sergio
Re: blocked for port scanning While using FTP to send files
Posted: 26 Jan 2012, 10:13
by chirpy
That would suggest FTP connection tracking is not working in your kernel, and you will have to implement the open port workaround mentioned in the readme.txt.
Re: blocked for port scanning While using FTP to send files
Posted: 30 Jun 2013, 20:13
by edigest
I have a similar problem, but only with one user so I'm not sure that "would suggest FTP connection tracking is not working in your kernel" is true.
I would like to point out one thing, though: "implement the open port workaround mentioned in the readme.txt" could be more helpful. I looked through the readme.txt and could not find the words "open port workaround" in any meaningful context.
What are you referring to as a workaround?
Re: blocked for port scanning While using FTP to send files
Posted: 02 Jul 2013, 17:34
by wingowin
The problem is the new update of the FileZilla FTP client.
Does someone have a solution? Because it's going to become increasingly stressful.
------------------------
lfd on : 77.204.46.196 (FR/France/196.46.204.77 blocked for port scanning
My client is blocked after updating FileZilla!
Time: Tue Jul 2 15:04:13 2013 +0200
IP: 77.204.46.196 (FR/France/196.46.204.77)
Hits: 11
Blocked: Temporary Block
Sample of block hits:
Jul 2 15:01:33 mars kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:15:5d:22:d0:19:00:d0:00:d9:c4:00:08:00 SRC=77.204.46.196 DST=205.236.34.158 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=28745 DF PROTO=TCP SPT=55781 DPT=62586 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 2 15:01:34 mars kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:15:5d:22:d0:19:00:d0:00:d9:c4:00:08:00 SRC=77.204.46.196 DST=205.236.34.158 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=10608 DF PROTO=TCP SPT=55781 DPT=62586 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 2 15:01:35 mars kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:15:5d:22:d0:19:00:d0:00:d9:c4:00:08:00 SRC=77.204.46.196 DST=205.236.34.158 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=13339 DF PROTO=TCP SPT=55781 DPT=62586 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 2 15:01:36 mars kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:15:5d:22:d0:19:00:d0:00:d9:c4:00:08:00 SRC=77.204.46.196 DST=205.236.34.158 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=44853 DF PROTO=TCP SPT=55781 DPT=62586 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 2 15:01:37 mars kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:15:5d:22:d0:19:00:d0:00:d9:c4:00:08:00 SRC=77.204.46.196 DST=205.236.34.158 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=39970 DF PROTO=TCP SPT=55781 DPT=62586 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 2 15:01:38 mars kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:15:5d:22:d0:19:00:d0:00:d9:c4:00:08:00 SRC=77.204.46.196 DST=205.236.34.158 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=25688 DF PROTO=TCP SPT=55781 DPT=62586 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 2 15:01:40 mars kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:15:5d:22:d0:19:00:d0:00:d9:c4:00:08:00 SRC=77.204.46.196 DST=205.236.34.158 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=8756 DF PROTO=TCP SPT=55781 DPT=62586 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 2 15:01:45 mars kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:15:5d:22:d0:19:00:d0:00:d9:c4:00:08:00 SRC=77.204.46.196 DST=205.236.34.158 LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=19498 DF PROTO=TCP SPT=55781 DPT=62586 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 2 15:04:11 mars kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:15:5d:22:d0:19:00:d0:00:d9:c4:00:08:00 SRC=77.204.46.196 DST=205.236.34.158 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=34969 DF PROTO=TCP SPT=55993 DPT=5384 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 2 15:04:12 mars kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:15:5d:22:d0:19:00:d0:00:d9:c4:00:08:00 SRC=77.204.46.196 DST=205.236.34.158 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=6104 DF PROTO=TCP SPT=55993 DPT=5384 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 2 15:04:12 mars kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:15:5d:22:d0:19:00:d0:00:d9:c4:00:08:00 SRC=77.204.46.196 DST=205.236.34.158 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=35723 DF PROTO=TCP SPT=55993 DPT=5384 WINDOW=65535 RES=0x00 SYN URGP=0
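Added example, not part of any post in this thread and not lfd's own detection logic: a triage script for "blocked for port scanning" reports like the ones quoted above. It groups blocked SYNs by source port and destination port, because the first report's 6 hits are only two flows (SPT=57957 to DPT=32672 and SPT=58041 to DPT=55416, three SYNs each), which is what retried connections to closed high ports look like rather than a sweep across many ports. The `min_ports` threshold, the verdict labels and the sample lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

FIELD = re.compile(r"\b(SRC|SPT|DPT|PROTO)=(\S+)")

def parse(line):
    """Return (src, spt, dpt) for a blocked inbound TCP SYN, else None."""
    if "*TCP_IN Blocked*" not in line or " SYN " not in line:
        return None
    f = dict(FIELD.findall(line))
    if f.get("PROTO") != "TCP" or not {"SRC", "SPT", "DPT"} <= f.keys():
        return None
    return f["SRC"], int(f["SPT"]), int(f["DPT"])

def triage(lines, min_ports=5):
    """Classify each source by how its hits spread over destination ports.
    min_ports is a hypothetical threshold, not an lfd setting."""
    flows = defaultdict(lambda: defaultdict(int))  # src -> (spt, dpt) -> hits
    for line in lines:
        hit = parse(line)
        if hit:
            flows[hit[0]][hit[1:]] += 1
    report = {}
    for src, by_flow in flows.items():
        hits = sum(by_flow.values())
        ports = sorted({dpt for _, dpt in by_flow})
        if len(ports) >= min_ports:
            verdict = "scan-like"           # many different ports probed
        elif hits > len(by_flow) and ports[0] >= 1024:
            verdict = "retransmitted-syn"   # same flow retried on a high port
        else:
            verdict = "inconclusive"
        report[src] = {"hits": hits, "flows": len(by_flow),
                       "ports": ports, "verdict": verdict}
    return report

def _line(src, spt, dpt):
    # Constructed log line in the format quoted in the thread (fields trimmed).
    return ("Jan 5 19:02:30 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= "
            f"SRC={src} DST=203.0.113.10 LEN=52 TTL=110 DF PROTO=TCP "
            f"SPT={spt} DPT={dpt} WINDOW=65535 RES=0x00 SYN URGP=0")

# Constructed sample: one client retrying two flows, one source sweeping six ports.
SAMPLE = ([_line("198.51.100.7", 57957, 32672)] * 3
          + [_line("198.51.100.7", 58041, 55416)] * 3
          + [_line("192.0.2.99", 40000 + p, p) for p in (22, 23, 80, 443, 3306, 8080)])

if __name__ == "__main__":
    for src, info in triage(SAMPLE).items():
        print(src, info)
```
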