Thread: FTP time-outs?

  1. #1
    Junior Member Newbie
    Join Date
    Jan 2012
    Posts
    4

    FTP time-outs?

    I have a situation where 20 students come into a school computer lab and log into my FTP server all at once. The first 13 students are able to log in fine. After #13, however, each subsequent log-in attempt is black-holed for 3-4 minutes. After that delay period, another 13 log-ins are possible.

    Observations:
    1) During that 3-4 minute delay period during which student log-ins fail, if I FTP in from a different IP address, I can log in fine.
    2) If I FTP in 13 times from a command line on my PC, I too am black-holed on the 14th attempt.
    3) If I FTP in from a command line on my server, I can log in any number of times without fail.

    There seems to be something that is seeing multiple FTP log-ins from the same IP and timing out that IP address after 13 successful log-ins. Any idea what it might be?

  2. #2
    Junior Member Newbie
    Join Date
    Jan 2012
    Posts
    4

    FTP time out additional info

    Some additional info:

    The described problem affects SSH as well (I cannot SSH in during this "outage" period either). So it is not a service-specific issue. Rather, it appears to be a firewall (iptables?) issue. However, I have flushed my iptables so there are no rules and the problem persists.

    In short, a given IP address is being black-holed after 13 connections, FTP or SSH. Given that I do not have the problem when FTPing from the server command line, it seems that it only happens with connections made from outside the server.

  3. #3
    Moderator Newbie
    Join Date
    Dec 2010
    Location
    Rohnert Park, CA
    Posts
    54

    Hi tolo, do you have any other intrusion detection systems set up on your server? There's a variety of IDS that can block excess connections from the same IP.

  4. #4
    Junior Member Newbie
    Join Date
    Jan 2012
    Posts
    4

    Quote Originally Posted by ChrisW
    Hi tolo, do you have any other intrusion detection systems set up on your server? There's a variety of IDS that can block excess connections from the same IP.
    That seems logical to me as well. However, I have a generic cPanel configuration with no known IDS add-ons. I thought Port Sentry might be causing this, but the problem persists after killing that. cpHulk does something similar with brute force attacks, but that should only affect unsuccessful log-ins. And it's not active anyway.

    I thought maybe Spry had some sort of firewall upstream from my server, but they insist they do not. What I don't get is why I can log in any number of times from my server command line but get black-holed from my PC command line after 13 log-ins. That implies to me that something outside my server is blocking subsequent log-in attempts. Is there another way of viewing the evidence at hand?

    Thanks for the discussion.
    Last edited by tolo; 01-26-2012 at 11:34 AM.

  5. #5
    Moderator Newbie
    Join Date
    Dec 2010
    Location
    Rohnert Park, CA
    Posts
    54

    Do you experience the same problem from another location? One thought I had is that there could be something at the school's firewall that is causing this, or perhaps with the school's upstream provider.

  6. #6
    Junior Member Newbie
    Join Date
    Jan 2012
    Posts
    4

    School Network

    Quote Originally Posted by ChrisW
    Do you experience the same problem from another location? One thought I had is that there could be something at the school's firewall that is causing this, or perhaps with the school's upstream provider.
    Initially we tried to pin this on the school network, but I get the same effect from my office PC using just a terminal command line. If I open 14 terminal windows and just even handshake the FTP server (without actually logging in) 13 times, the 14th connection will fail. Then 3-4 minutes later I can do another 13 connections. If, after the 13th FTP connection, I try to SSH in from the command line I get the same black hole (no response) effect. If I log in from a different IP I'm able to connect again immediately.

    Also, during this 3-4 minute "outage" I can ping and traceroute to the server just fine.

    So the evidence seems to point to some process that is monitoring incoming IP addresses for certain services (FTP/SSH/??) and interpreting 13+ successful attempts as an attack(?). I haven't found anything in the cPanel documentation that describes such a service and don't see anything unexpected using 'top'. Which is why I thought Spry was firewalling somehow, but they say no. Any other tests you can think of that would shed light on this? Thanks for the conversation.

  7. #7
    Moderator Newbie
    Join Date
    Dec 2010
    Location
    Rohnert Park, CA
    Posts
    54

    Hmm.. Did we check to see what the connection limits on the services were? Which FTP server are you using?
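
A small probe for the test described in post #6 and the connection-limit question in post #7, added here as an example and not posted by anyone in the thread: it opens connections one at a time from a single client, holds them open, and records whether each was greeted, answered with an FTP 421 reply, refused, or silently dropped. The function names, outcome labels and 5-second timeout are assumptions of this example, and the 421 check relies on the usual FTP behaviour of a daemon that enforces its own cap; host and port are those of a server you administer.

```python
import socket
import sys

# What each outcome suggests about where the limit is being enforced.
HINTS = {
    "ok": "accepted and greeted normally",
    "service-limit": "daemon replied 421: its own per-IP or total connection cap",
    "refused": "TCP reset: port closed or a rejecting filter rule",
    "dropped": "no SYN-ACK before timeout: packets silently discarded by a filter",
    "no-banner": "handshake completed but no greeting arrived within the timeout",
}

def classify_banner(banner):
    """Classify the first bytes a service sends after the TCP handshake."""
    if not banner:
        return "no-banner"
    return "service-limit" if banner.startswith("421") else "ok"

def probe(host, port, attempts=14, timeout=5.0):
    """Open connections sequentially, keep them all open, record each outcome."""
    held, results = [], []
    try:
        for n in range(1, attempts + 1):
            try:
                s = socket.create_connection((host, port), timeout=timeout)
            except socket.timeout:
                results.append((n, "dropped", ""))
                continue
            except ConnectionRefusedError:
                results.append((n, "refused", ""))
                continue
            held.append(s)  # hold it so concurrent-connection caps are exercised
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except OSError:  # includes a recv timeout
                banner = ""
            results.append((n, classify_banner(banner), banner))
    finally:
        for s in held:
            s.close()
    return results

def first_failure(results):
    """Return the first (attempt, status, banner) that was not 'ok', or None."""
    return next((r for r in results if r[1] != "ok"), None)

if __name__ == "__main__":
    for n, status, banner in probe(sys.argv[1], int(sys.argv[2])):
        print(f"{n:2d} {status:13s} {HINTS[status]}")
```

Run it once against port 21 and once against port 22: a "service-limit" result on FTP only points at the daemon's configuration, while "dropped" on both ports from the same client address matches the black-hole behaviour described in the thread.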
