Hi,
I have a weird issue. Server has been running smoothly for a few years now.
But some weird issue occurred today where I noticed a lot of these from 1 IP:
kernel: nf_ct_ftp: dropping packetIN= OUT=eth1 SRC=<IP Address> DST=<IP Address>
LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=14581 DF PROTO=TCP SPT=21 DPT=42213
SEQ=6214852 ACK=4228557922 WINDOW=115 RES=0x00 ACK PSH URGP=0 UID=0 GID=0
The load on the server went from being around 1.34 to 135 in a matter of minutes.
After I blocked the IP it dropped again but then again another IP attacked the server and got the same message as per above.
I blocked that IP using csf -d [IP] and load dropped again.
How do I get it to autoblock these after a few hits or improve CSF to protect better against this?
Any ideas or have I misconfigured something somewhere?
nf_ct_ftp attack from various IPs kill server
Re: nf_ct_ftp attack from various IPs kill server
halu...
In those conditions, consider activating both connection limit and syn flood in csf.
If you're in a shared hosting server environment, try to locate the target using netstat -anpl | grep #port
Also discuss it with your upstream provider to help block the attack.
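
On the "autoblock after a few hits" part of the question, the following is an added example and not part of either post: it counts nf_ct_ftp drop lines per remote peer and prints a `csf -d` command for each peer at or above a threshold, for review before anything is run. It assumes one kernel log line per event and that the server replies from port 21 as in the quoted log, so the remote peer is the DST field; the function names, sample addresses and threshold are constructed.

```shell
#!/bin/sh
# Added example: tally nf_ct_ftp "dropping packet" log lines per remote peer.

# ftp_drop_offenders THRESHOLD   (log on stdin)
# Prints "count ip" for every remote peer with at least THRESHOLD drops.
ftp_drop_offenders() {
    awk -v min="$1" '
        /nf_ct_ftp: dropping packet/ {
            src = dst = spt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DST=/) dst = substr($i, 5)
                else if ($i ~ /^SPT=/) spt = substr($i, 5)
            }
            # Outgoing reply from the FTP port (SPT=21): the client is DST.
            # Otherwise the packet came from the client, so use SRC.
            peer = (spt == "21") ? dst : src
            if (peer != "") hits[peer]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -rn
}

# deny_commands THRESHOLD   (log on stdin)
# Prints one "csf -d IP" line per offender; nothing is executed here.
deny_commands() {
    ftp_drop_offenders "$1" | while read -r count ip; do
        echo "csf -d $ip"
    done
}

# Constructed sample log using documentation address ranges, not real data.
sample_log() {
    fmt='kernel: nf_ct_ftp: dropping packetIN= OUT=eth1 SRC=192.0.2.1 DST=%s LEN=90 TTL=64 PROTO=TCP SPT=21 DPT=42213 ACK PSH\n'
    printf "$fmt" 203.0.113.10 203.0.113.10 198.51.100.7 203.0.113.10 \
                  198.51.100.7 192.0.2.55 198.51.100.7 203.0.113.10
    echo 'kernel: unrelated message SRC=192.0.2.99 DST=192.0.2.1 SPT=4000 DPT=22'
}

# Demo: peers with 3 or more drops in the constructed sample.
sample_log | deny_commands 3
```

To use it on a live system, feed the kernel log on stdin in place of `sample_log` and check the printed list against known-good clients before running any of the commands.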