
distributed FTP attacks - can LFD be set to block on acct?

Posted: 25 Jun 2013, 17:03
by silver_2000
I'm seeing a BUNCH of distributed FTP attacks - they started a few weeks ago - for a time I disabled FTP - then I re-enabled it and now they are back

They are attempting to log in using ADMIN and USER accounts - which of course don't exist
They may be referring to default Windows accounts, not sure, but they don't exist in cPanel Linux servers

I'm wondering if it's possible to block IPs as soon as they start attempting to access these accounts

That may save some resources and cut them off sooner ... What do you think?

Re: distributed FTP attacks - can LFD be set to block on acc

Posted: 25 Jun 2013, 17:07
by ForumAdmin
We've suffered similar attacks recently. As we are in the UK and so are our hosting clients, we used the CC_ALLOW_PORTS feature on our hosting servers and restricted access to only the UK for port 21 and removed it from the TCP_IN list. This resulted in a period of sustained blocks after which they went away and things settled down overnight. We'll lift the restrictions again once we're sure it's gone.
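
The setup described in this reply only restricts a port if that port is also absent from TCP_IN. The script below is an added example, not part of the original post or of CSF itself, that audits a csf.conf-style file for that mistake; it assumes CSF's `KEY = "value"` line format and the `CC_ALLOW_PORTS_TCP` setting that holds the restricted TCP ports, and its function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit csf.conf-style settings for the
# "port 21 only from listed countries" setup described above.

# Print the value of key $2 from file $1 (lines look like: KEY = "value").
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" |
        tail -n 1 | tr -d ' '
}

# Succeed if single port $1 is covered by comma list $2 (entries: N or LOW:HIGH).
port_in_list() {
    for entry in $(printf '%s' "$2" | tr ',' ' '); do
        case $entry in
            *:*) if [ "$1" -ge "${entry%%:*}" ] && [ "$1" -le "${entry##*:}" ]; then return 0; fi ;;
            *)   if [ "$entry" = "$1" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# Print one line per problem found in file $1; succeed only if there are none.
audit_cc_allow_ports() {
    countries=$(conf_get "$1" CC_ALLOW_PORTS)
    cc_tcp=$(conf_get "$1" CC_ALLOW_PORTS_TCP)
    tcp_in=$(conf_get "$1" TCP_IN)
    status=0
    if [ -n "$cc_tcp" ] && [ -z "$countries" ]; then
        echo "CC_ALLOW_PORTS_TCP=$cc_tcp but CC_ALLOW_PORTS lists no country"; status=1
    fi
    for port in $(printf '%s' "$cc_tcp" | tr ',' ' '); do
        case $port in *:*) continue ;; esac   # ranges in the restricted list are not checked
        if port_in_list "$port" "$tcp_in"; then
            echo "port $port is still in TCP_IN, so it is open to every country"; status=1
        fi
    done
    return $status
}

# Constructed sample files; port lists are illustrative, not cPanel defaults.
sample_dir=$(mktemp -d)
printf '%s\n' 'TCP_IN = "20,21,22,80,443"' 'CC_ALLOW_PORTS = "GB"' \
    'CC_ALLOW_PORTS_TCP = "21"' > "$sample_dir/weak.conf"
printf '%s\n' 'TCP_IN = "20,22,80,443"' 'CC_ALLOW_PORTS = "GB"' \
    'CC_ALLOW_PORTS_TCP = "21"' > "$sample_dir/fixed.conf"
audit_cc_allow_ports "$sample_dir/weak.conf" || true
audit_cc_allow_ports "$sample_dir/fixed.conf" && echo "fixed.conf: OK"
```

To check a live server, call `audit_cc_allow_ports` on the real configuration file (assumed here to be `/etc/csf/csf.conf`) before restarting the firewall.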

Re: distributed FTP attacks - can LFD be set to block on acc

Posted: 25 Jun 2013, 17:29
by silver_2000
EXCELLENT !!
You rock !!

Just like you, all my FTP customers will be in the US - this is a great solution and there should only be limited reasons, if any, to ever remove it in my case
My only worry is in 2 years, if it's blocking something, will I remember what I did and why ... ;-)
Maybe add a change notes field to CSF ;-)

Thanks

Re: distributed FTP attacks - can LFD be set to block on acc

Posted: 26 Jun 2013, 22:07
by silver_2000
OK, I've screwed something up

Since I made this change CSF won't restart

iptables: Unknown error 4294967295
CC_ALLOWP all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
Error: Error processing command for line [1660] (6 times): [iptables: Unknown error 4294967295], at line 1660

Re: distributed FTP attacks - can LFD be set to block on acc

Posted: 26 Jun 2013, 23:18
by silver_2000
Undoing yesterday's changes fixed the iptables error
but now I'm seeing

"Jun 26 16:04:27 entropy kernel: allocation failed: out of vmalloc space - use vmalloc=<size> to increase size."
Which also appears to be related to iptables