Anyone else seeing a dramatic increase in ftp attacks on their servers from RU, KZ, UA, BR and BY over the past 24 hours? Typically the firewall blocks 4-5 IPs a day. In the past 24 hours it has thrown permanent blocks up on over 800 different IPs from these countries on various servers I run.
Got to the point that I just ended up blocking the CC's.
Just curious if it was just me.
ftp attacks on the rise
Re: ftp attacks on the rise
No. It's not just you. The attacks are brutal at times. I, like you, have ended up creating a much smaller Internet :-) for most services.
Re: ftp attacks on the rise
Yeah same here, another big wave of FTP attacks happening like it did about 4 months ago or so. People who abuse the web and/or create malware are too stupid to realize that they're most likely hurting a friend or family member somewhere who works the web in some capacity. Hosting is a tough enough business already without having to spend hours each day mitigating attacks and us "little guys" out here are getting beat up, working long hours 7 days a week just to make an honest living, and then to have to deal with hackers / botnets / spammers / etc... on top of it is beyond frustrating. Sometimes it gets downright discouraging. I honestly don't think I'd even be in the business anymore if it weren't for ConfigServer's scripts to help me deal with it all.
Re: ftp attacks on the rise
Given ipset functionality is there any reason we can't build a huge global deny list? Who's pushed the limits of ipset?
If we can't use our collective superior intelligence to defeat the bad guys I'm ready to go back to building walls to protect the kingdom. I've already walled off some services, first time since our IP addresses were announced (1994). Thank you csf/lfd.
Re: ftp attacks on the rise
Given the recent wave (yet another) of WordPress brute force login attacks I've seen, I wanted to resurrect this thread. I have CSF configured to detect and block these attacks using custom mod_sec rules. I use a temp ban rule followed by a perm ban rule. The issue I'm having is that this botnet, and others like it, is so big that my temp to perm ban rules are rarely being invoked. Here's what I'm currently using:
- 5 failed logins = temp ban
- 3 temp bans in a week = a perm ban
I wrote a simple bash script that lfd calls when it blocks an IP address. It sends the IP address, the reason and a few other bits to a central data collector. The data is stored in an sqlite db where the intelligence engine, currently a set of sql queries, can make decisions and take actions.
Tired of botnets? Any interest in helping me take this project to the next level?
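The central-collector idea from the last post, as an added example that is not the poster's script or collector: temp-ban reports from several servers are pooled in SQLite, and one query applies the "3 temp bans in a week" rule to the pooled reports, so an address that hits each server only once still escalates. The table layout, function names and sample addresses are assumptions.

```python
import ipaddress
import sqlite3
from datetime import datetime, timedelta

SCHEMA = ("CREATE TABLE IF NOT EXISTS reports "
          "(ip TEXT, server TEXT, reason TEXT, seen_at TEXT)")

# An IP is escalated when its temp bans, summed over every reporting
# server, reach the thread's threshold of 3 within one week.
ESCALATE = """
SELECT ip, COUNT(*) AS bans, COUNT(DISTINCT server) AS servers
FROM reports
WHERE seen_at >= ?
GROUP BY ip
HAVING COUNT(*) >= ?
ORDER BY bans DESC, ip
"""

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    return db

def record(db, ip, server, reason, seen_at):
    # Reject anything that is not an IP; bind values, never format them in.
    ip = str(ipaddress.ip_address(ip))
    db.execute("INSERT INTO reports VALUES (?, ?, ?, ?)",
               (ip, server, reason, seen_at.isoformat(timespec="seconds")))

def perm_ban_candidates(db, now, threshold=3, window=timedelta(days=7)):
    cutoff = (now - window).isoformat(timespec="seconds")
    return db.execute(ESCALATE, (cutoff, threshold)).fetchall()

def demo():
    # Constructed sample reports; addresses are from documentation ranges.
    now = datetime(2014, 6, 1, 12, 0, 0)
    db = open_db()
    rows = [
        ("203.0.113.7", "web1", "wp-login", now - timedelta(days=1)),
        ("203.0.113.7", "web2", "wp-login", now - timedelta(days=2)),
        ("203.0.113.7", "web3", "ftpd", now - timedelta(days=3)),
        ("198.51.100.9", "web1", "wp-login", now - timedelta(hours=5)),
        ("198.51.100.9", "web1", "wp-login", now - timedelta(days=9)),
    ]
    for r in rows:
        record(db, *r)
    return perm_ban_candidates(db, now)
```

`demo()` returns the one address that reached three temp bans inside the week, each on a different server; the second address has an older ban outside the window and is left alone.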