
Clients blocked by port scanner while using FTP


Guest


See below: some clients, when sending files via FileZilla/FTP, are being blocked for port scanning..

Does anyone know what this is?

lfd on srv.hostalagoas.com.br: 187.65.106.56 (BR/Brazil/bb416a38.virtua.com.br) blocked for port scanning

Time:    Thu Jan  5 18:40:34 2012 -0200

IP:      187.65.106.56 (BR/Brazil/bb416a38.virtua.com.br)

Hits:    6

Blocked: Temporary Block


Sample of block hits:

Jan  5 18:40:07 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.106.56 DST=63.143.32.72 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=12906 DF PROTO=TCP SPT=58623 DPT=40689 WINDOW=65535 RES=0x00 SYN URGP=0

Jan  5 18:40:10 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.106.56 DST=63.143.32.72 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=13050 DF PROTO=TCP SPT=58623 DPT=40689 WINDOW=65535 RES=0x00 SYN URGP=0

Jan  5 18:40:16 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.106.56 DST=63.143.32.72 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=13214 DF PROTO=TCP SPT=58623 DPT=40689 WINDOW=65535 RES=0x00 SYN URGP=0

Jan  5 18:40:21 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.106.56 DST=63.143.32.72 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=13301 DF PROTO=TCP SPT=58861 DPT=44186 WINDOW=65535 RES=0x00 SYN URGP=0

Jan  5 18:40:24 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.106.56 DST=63.143.32.72 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=13330 DF PROTO=TCP SPT=58861 DPT=44186 WINDOW=65535 RES=0x00 SYN URGP=0

Jan  5 18:40:30 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.106.56 DST=63.143.32.72 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=13416 DF PROTO=TCP SPT=58861 DPT=44186 WINDOW=65535 RES=0x00 SYN URGP=0


FTP has a default limit of 8 connections; people who use FileZilla usually set more than 8 connections, so FileZilla keeps trying new connections until it reaches the limit configured in it, and since the FTP server does not release the connection, CSF interprets this as a port scan.

I always recommend that my clients not use more than 5 connections in FileZilla, because if one connection is not closed properly, FileZilla opens another one, which can reach the limit and get blocked.


Time: Thu Jan 12 12:38:44 2012 -0200

IP: 187.65.72.54 (BR/Brazil/bb414836.virtua.com.br)

Hits: 21

Blocked: Temporary Block

Sample of block hits:

Jan 12 12:32:27 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.72.54 DST=63.143.32.72 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=21281 DF PROTO=TCP SPT=2110 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0

Jan 12 12:32:29 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.72.54 DST=63.143.32.72 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=21282 DF PROTO=TCP SPT=2110 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0

Jan 12 12:32:35 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.72.54 DST=63.143.32.72 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=21311 DF PROTO=TCP SPT=2110 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0

Jan 12 12:33:27 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.72.54 DST=63.143.32.72 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=21669 DF PROTO=TCP SPT=2121 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0

Jan 12 12:33:30 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.72.54 DST=63.143.32.72 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=21671 DF PROTO=TCP SPT=2121 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0

Jan 12 12:33:36 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.72.54 DST=63.143.32.72 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=21675 DF PROTO=TCP SPT=2121 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0

Jan 12 12:34:28 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.72.54 DST=63.143.32.72 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=21799 DF PROTO=TCP SPT=2125 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0

Jan 12 12:34:31 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.72.54 DST=63.143.32.72 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=21800 DF PROTO=TCP SPT=2125 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0

Jan 12 12:34:37 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.72.54 DST=63.143.32.72 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=22039 DF PROTO=TCP SPT=2125 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0

Jan 12 12:35:29 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.72.54 DST=63.143.32.72 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=22501 DF PROTO=TCP SPT=2132 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0

Jan 12 12:35:32 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.72.54 DST=63.143.32.72 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=22502 DF PROTO=TCP SPT=2132 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0

Jan 12 12:35:38 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.72.54 DST=63.143.32.72 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=22518 DF PROTO=TCP SPT=2132 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0

Jan 12 12:36:30 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.72.54 DST=63.143.32.72 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=23330 DF PROTO=TCP SPT=2136 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0

Jan 12 12:36:33 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.72.54 DST=63.143.32.72 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=23331 DF PROTO=TCP SPT=2136 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0

Jan 12 12:36:39 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.72.54 DST=63.143.32.72 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=23405 DF PROTO=TCP SPT=2136 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0

Jan 12 12:37:31 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.72.54 DST=63.143.32.72 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=24270 DF PROTO=TCP SPT=2141 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0

Jan 12 12:37:34 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.72.54 DST=63.143.32.72 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=24271 DF PROTO=TCP SPT=2141 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0

Jan 12 12:37:40 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.72.54 DST=63.143.32.72 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=24532 DF PROTO=TCP SPT=2141 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0

Jan 12 12:38:32 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.72.54 DST=63.143.32.72 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=25113 DF PROTO=TCP SPT=2149 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0

Jan 12 12:38:35 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.72.54 DST=63.143.32.72 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=25114 DF PROTO=TCP SPT=2149 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0

Jan 12 12:38:41 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:54:d6:7a:00:15:2b:28:18:00:08:00 SRC=187.65.72.54 DST=63.143.32.72 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=25222 DF PROTO=TCP SPT=2149 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0


Maybe it is possible to create a cron job that clears the blocked IPs every x minutes.

In that case it would only be a kludge. The ideal is to investigate to find out what is happening, since it is not normal for a client to be blocked for using FTP with fewer than 8 connections.


And how could this be resolved?

This block is not related to FTP, it is related to MySQL; look at the log, DPT=3306, that is, the MySQL port....

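The triage the last reply does by eye (reading DPT out of the quoted lines) can be automated. The following is an added example, not code from the thread or from CSF: it parses the kernel firewall lines that lfd quotes in its alerts, groups blocked hits per source IP and attaches a heuristic verdict. The port thresholds and the sample lines (modelled on the two alerts above, with the MAC field dropped) are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches the kernel "Firewall: *TCP_IN Blocked*" lines that lfd quotes in its alerts.
LINE_RE = re.compile(
    r"Firewall: \*(?P<chain>\w+) Blocked\*.*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)
# Service ports worth naming in the verdict (usual IANA assignments; assumption).
KNOWN_PORTS = {21: "ftp-control", 22: "ssh", 3306: "mysql"}

def parse_hits(lines):
    """Extract src, dst, proto, spt, dpt from every matching log line."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            hits.append({"src": m["src"], "dst": m["dst"], "proto": m["proto"],
                         "spt": int(m["spt"]), "dpt": int(m["dpt"])})
    return hits

def classify(dports):
    """Heuristic verdict from the sorted set of destination ports one source hit."""
    if len(dports) >= 10:  # threshold is a constructed assumption
        return "many distinct ports: consistent with a real port scan"
    named = [KNOWN_PORTS[p] for p in dports if p in KNOWN_PORTS]
    if named and len(named) == len(dports):
        return "only " + ", ".join(named) + ": repeated connects to a blocked service port, not the FTP session"
    if all(p > 1023 for p in dports):
        return "a few high ports: consistent with passive FTP data connections outside the allowed range"
    return "mixed ports: inspect manually"

def triage(lines):
    """Group blocked hits per source IP and attach a verdict."""
    by_src = defaultdict(list)
    for h in parse_hits(lines):
        by_src[h["src"]].append(h)
    report = {}
    for src, hs in by_src.items():
        dports = sorted({h["dpt"] for h in hs})
        report[src] = {"hits": len(hs), "dports": dports, "verdict": classify(dports)}
    return report

# Constructed sample, abridged from the two alerts quoted in the thread.
SAMPLE = [
    "Jan  5 18:40:07 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=187.65.106.56 DST=63.143.32.72 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=12906 DF PROTO=TCP SPT=58623 DPT=40689 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jan  5 18:40:21 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=187.65.106.56 DST=63.143.32.72 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=13301 DF PROTO=TCP SPT=58861 DPT=44186 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jan 12 12:32:27 srv kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=187.65.72.54 DST=63.143.32.72 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=21281 DF PROTO=TCP SPT=2110 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0",
]
```

Running `triage(SAMPLE)` separates the January 5 client (two high ports, the FTP data-connection pattern) from the January 12 client (only 3306, the MySQL case the last reply points out).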
