nf_ct_ftp attack from various IPs kill server

Posted: 27 Sep 2014, 21:05
by sahostking
Hi,
I have a weird issue. Server has been running smoothly for a few years now.

But some weird issue occurred today where I noticed a lot of these from 1 IP:

kernel: nf_ct_ftp: dropping packetIN= OUT=eth1 SRC=<IP Address> DST=<IP Address>
LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=14581 DF PROTO=TCP SPT=21 DPT=42213
SEQ=6214852 ACK=4228557922 WINDOW=115 RES=0x00 ACK PSH URGP=0 UID=0 GID=0

The load on the server went from being around 1.34 to 135 in a matter of minutes.

After I blocked the IP it dropped again but then again another IP attacked the server and got the same message as per above.

I blocked that IP using csf -d [IP] and load dropped again.

How do I get it to autoblock these after a few hits or improve CSF to protect better against this?

Any ideas or have I misconfigured something somewhere?

Re: nf_ct_ftp attack from various IPs kill server

Posted: 30 Sep 2014, 08:07
by skatebored
halu...

In those conditions, consider activating both connection limit and SYN flood on csf.
If you're on a shared hosting server environment, try to locate the target using netstat -anpl | grep #port
Also discuss it with your upstream provider to help block the attack.
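
An added example, not part of the thread or of CSF: one way to count nf_ct_ftp drop lines per remote address and list the addresses that pass a threshold, printing `csf -d` commands for review rather than running them. The function names, the threshold of 3 and the sample log lines (documentation-range addresses) are assumptions constructed for illustration; the line format follows the one quoted in the first post.

```python
import ipaddress
import re
from collections import Counter

MARKER = "nf_ct_ftp: dropping packet"
FIELD = re.compile(r"([A-Z]+)=(\S*)")  # KEY=value pairs; "packetIN=" still yields IN

def remote_peer(line):
    """Return the remote address for one nf_ct_ftp drop line, or None."""
    if MARKER not in line:
        return None
    f = dict(FIELD.findall(line.split(MARKER, 1)[1]))
    # OUT=<iface> with an empty IN= means the server sent the packet (SPT=21 in
    # the post), so the remote side is DST; for an inbound packet it is SRC.
    addr = f.get("DST") if f.get("OUT") and not f.get("IN") else f.get("SRC")
    try:
        return str(ipaddress.ip_address(addr or ""))
    except ValueError:  # redacted or malformed address
        return None

def peers_over_threshold(lines, threshold=3, allow=()):
    """Map remote address -> hit count for peers with at least `threshold` hits."""
    counts = Counter(p for p in map(remote_peer, lines) if p and p not in allow)
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample input (not taken from the thread).
TEMPLATE = ("Sep 27 20:5{i}:01 host kernel: nf_ct_ftp: dropping packetIN= OUT=eth1 "
            "SRC=192.0.2.10 DST={peer} LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=14581 DF "
            "PROTO=TCP SPT=21 DPT=42213 WINDOW=115 RES=0x00 ACK PSH URGP=0 UID=0 GID=0")
SAMPLE = ([TEMPLATE.format(i=i, peer="203.0.113.7") for i in range(4)]
          + [TEMPLATE.format(i=5, peer="198.51.100.23")]
          + [TEMPLATE.format(i=6, peer="<IP Address>")]
          + ["Sep 27 20:59:01 host sshd[1]: unrelated line"])

if __name__ == "__main__":
    # Dry run: print the block commands instead of executing them.
    for ip, hits in sorted(peers_over_threshold(SAMPLE).items()):
        print(f"csf -d {ip}   # {hits} nf_ct_ftp drops")
```

The count covers whatever lines are passed in, so the time window is set by how much of the log is fed to it.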