controlling proftpd..

2025-04-01

Hi,

The last couple days one of my servers have undergone what looks like to be a DOS attack
--------------------------------------------------------
un 8 03:32:52 UNIVEX2 proftpd[20501]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session opened.
Jun 8 03:32:52 UNIVEX2 proftpd[20503]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session opened.
Jun 8 03:32:52 UNIVEX2 proftpd[20502]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session opened.
Jun 8 03:32:52 UNIVEX2 proftpd[20505]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session opened.
Jun 8 03:32:52 UNIVEX2 proftpd[20504]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session opened.
Jun 8 03:32:52 UNIVEX2 proftpd[20501]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session closed.
Jun 8 03:32:52 UNIVEX2 proftpd[20502]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session closed.
Jun 8 03:32:52 UNIVEX2 proftpd[20503]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session closed.
Jun 8 03:32:52 UNIVEX2 proftpd[20504]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session closed.
Jun 8 03:32:52 UNIVEX2 proftpd[20505]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session closed.
Jun 8 03:32:53 UNIVEX2 proftpd[20491]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session opened.
Jun 8 03:32:53 UNIVEX2 proftpd[20491]: UNIVEX2.GWISN.COM (w9.trgsh.tp.edu.tw[140.109.212.9]) - FTP session closed.
-------------------------------------------------------------------
etc .etc. etc.

Anyways, I have pam limits running, along with portsentry (Which doesn't seem to do anything to protect against this). So I am just wondering if anyone knows how to block access to an IP that is 'hammering' the server. Trying to login/logout very quickly in short time periods. I know there is hammering protection in other ftp programs for windows and such. But am trying to find something similiar for proftpd. If ANYONE can help me out. I would really really realllly appreciate it!

Thanks!