Junior Member

Join Date: Jan 2012
Posts: 4
01-25-2012, 01:01 PM
FTP time-outs?

I have a situation where 20 students come into a school computer lab and log into my FTP server all at once. The first 13 students are able to log in fine. After #13, however, each subsequent log-in attempt is black-holed for 3-4 minutes. After that delay period, another 13 log-ins are possible.

Observations:
1) During that 3-4 minute delay period during which student log-ins fail, if I FTP in from a different IP address, I can log in fine.
2) If I FTP in 13 times from a command line on my PC, I too am black-holed on the 14th attempt.
3) If I FTP in from a command line on my server, I can log in any number of times without fail.

There seems to be something that is seeing multiple FTP log-ins from the same IP and timing out that IP address after 13 successful log-ins. Any idea what it might be?
tolo is offline
Junior Member

Join Date: Jan 2012
Posts: 4
01-25-2012, 04:20 PM
FTP time out additional info

Some additional info:

The described problem affects SSH as well (I cannot SSH in during this "outage" period either). So it is not a service-specific issue. Rather, it appears to be a firewall (iptables?) issue. However, I have flushed my iptables so there are no rules and the problem persists.

In short, a given IP address is being black-holed after 13 connections, FTP or SSH. Given that I do not have the problem when FTPing from the server command line it seems that it only happens with connections made from outside the server.
tolo is offline
Moderator

Join Date: Dec 2010
Posts: 38
Location: Rohnert Park, CA

01-25-2012, 08:09 PM

Hi tolo, do you have any other intrusion detection systems set up on your server? There's a variety of IDS that can block excess connections from the same IP.
ChrisW is offline
Junior Member

Join Date: Jan 2012
Posts: 4
01-26-2012, 11:29 AM

Quote:
Originally Posted by ChrisW
Hi tolo, do you have any other intrusion detection systems set up on your server? There's a variety of IDS that can block excess connections from the same IP.

That seems logical to me as well. However, I have a generic cPanel configuration with no known IDS add-ons. I thought Port Sentry might be causing this, but the problem persists after killing that. cpHulk does something similar with brute force attacks, but that should only affect unsuccessful log-ins. And it's not active anyway.

I thought maybe Spry had some sort of firewall upstream from my server, but they insist they do not. What I don't get is why I can log in any number of times from my server command line but get black-holed from my PC command line after 13 log-ins. That implies to me that something outside my server is blocking subsequent log-in attempts. Is there another way of viewing the evidence at hand?

Thanks for the discussion.

Last edited by tolo; 01-26-2012 at 11:34 AM.
tolo is offline
Moderator

Join Date: Dec 2010
Posts: 38
Location: Rohnert Park, CA

01-26-2012, 12:06 PM

Do you experience the same problem from another location? One thought I had is that there could be something at the school's firewall that is causing this, or perhaps with the school's upstream provider.
ChrisW is offline
Junior Member

Join Date: Jan 2012
Posts: 4
01-27-2012, 12:56 PM
School Network

Quote:
Originally Posted by ChrisW
Do you experience the same problem from another location? One thought I had is that there could be something at the school's firewall that is causing this, or perhaps with the school's upstream provider.

Initially we tried to pin this on the school network, but I get the same effect from my office PC using just a terminal command line. If I open 14 terminal windows and just even handshake the FTP server (without actually logging in) 13 times, the 14th connection will fail. Then 3-4 minutes later I can do another 13 connections. If, after the 13th FTP connection, I try to SSH in from the command line I get the same black hole (no response) effect. If I log in from a different IP I'm able to connect again immediately.

Also, during this 3-4 minute "outage" I can ping and traceroute to the server just fine.

So the evidence seems to point to some process that is monitoring incoming IP addresses for certain services (FTP/SSH/??) and interpreting 13+ successful attempts as an attack(?). I haven't found anything in the cPanel documentation that describes such a service and don't see anything unexpected using 'top'. Which is why I thought Spry was firewalling somehow, but they say no. Any other tests you can think of that would shed light on this? Thanks for the conversation.
tolo is offline
Moderator

Join Date: Dec 2010
Posts: 38
Location: Rohnert Park, CA

01-27-2012, 02:53 PM

Hmm.. Did we check to see what the connection limits on the services were? Which FTP server are you using?
ChrisW is offline
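
An added diagnostic example, not part of any post in this thread: `iptables -F` without a `-t` option flushes only the filter table, so rules in mangle, nat or raw survive it. The script below scans `iptables-save` output, which covers all tables, for rules that use rate-limiting or connection-counting match modules; the sample dump and the list name in it are constructed.

```python
import sys

# Constructed sample of `iptables-save` output (not taken from the thread):
# the filter table holds no limiting rule, but the mangle table still does.
SAMPLE = """\
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m recent --set --name newconn --rsource
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m recent --update --seconds 200 --hitcount 14 --name newconn --rsource -j DROP
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
"""

# Match modules that rate-limit packets or count connections.
LIMITERS = {"recent", "connlimit", "hashlimit", "limit"}
# Targets that make a client see no answer or a refusal.
BLOCKING = {"DROP", "REJECT", "TARPIT"}


def find_limiters(dump):
    """Return (table, chain, modules, target, rule) for every rule, in any
    table, that uses one of the LIMITERS match modules."""
    table, hits = None, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # "*mangle" opens a table section
            table = line[1:]
        elif line.startswith("-A "):      # "-A CHAIN ..." is one rule
            tokens = line.split()
            pairs = list(zip(tokens, tokens[1:]))
            modules = sorted({b for a, b in pairs if a == "-m"} & LIMITERS)
            if modules:
                target = next((b for a, b in pairs if a in ("-j", "-g")), None)
                hits.append((table, tokens[1], modules, target, line))
    return hits


def blocking_rules(dump):
    """Subset of find_limiters() whose target drops or rejects the packet."""
    return [h for h in find_limiters(dump) if h[3] in BLOCKING]


if __name__ == "__main__":
    # On the server, as root: iptables-save | python3 this_script.py
    dump = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for table, chain, modules, target, rule in find_limiters(dump):
        print(f"{table}/{chain} [{','.join(modules)}] -> {target}: {rule}")
```

No output on a real dump means no rule in any table uses these modules, which points the search away from netfilter on the server itself.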