Hi folks,
I have found the following in my logs:
Wed Mar 10 15:52:33 2010 [pid 15232] [uploaduser] OK MKDIR: Client "195.200.70.*40*", "/04 LV gelieferte Daten 04_2010/04 LV Seiten/Jungz?chter"
Wed Mar 10 15:52:33 2010 [pid 15231] [uploaduser] FAIL MKDIR: Client "195.200.70.*41*", "/04 LV gelieferte Daten 04_2010/04 LV Seiten/Jungz?chter"
Wed Mar 10 15:52:36 2010 [pid 15232] [uploaduser] OK UPLOAD: Client "195.200.70.*40*", "/04 LV gelieferte Daten 04_2010/04 LV Seiten/Jungz?chter/Kooperationsseminar.doc", 23552 bytes, 13.89Kbyte/sec
Wed Mar 10 15:52:37 2010 [pid 15231] [uploaduser] OK UPLOAD: Client "195.200.70.*41*", "/04 LV gelieferte Daten 04_2010/04 LV Seiten/Jungz?chter/Veranstaltungen der Jungz?chter im Jahr 2010.doc", 23552 bytes, 9.07Kbyte/sec
Wed Mar 10 15:52:38 2010 [pid 15232] [uploaduser] OK UPLOAD: Client "195.200.70.*40*", "/04 LV gelieferte Daten 04_2010/04 LV Seiten/Jungz?chter/Foto Kooperationsseminar von laura weber.JPG", 13445 bytes, 9.90Kbyte/sec
What I am concerned about is the fact that the client sends out using various gateways at once. Is there some configuration item in VSFTPD which can prevent this and reject packets from the additional IP addresses?
Any hint or help is appreciated.
Dirk
Dirk H. Schulz wrote on Mon, 22 Mar 2010 13:41:50 +0100:
What I am concerned about is the fact that the client sends out using various gateways at once. Is there some configuration item in VSFTPD which can prevent this and reject packets from the additional IP addresses?
Note, this is not the same session, it's a different connect with the same user credentials. I don't see a problem with this. It's not a security problem and it's hardly a load problem. Users usually don't have more than one IP at their disposal at the same time. This is one of the few cases where this is different.
AFAIK, there is no option to allow only x logins per user, only x logins per IP. You could go to the vsftpd mailing list (if there is one) and ask about this additional feature.
Kai
Hi Kai,
On 22.03.10 15:31, Kai Schaetzl wrote:
Dirk H. Schulz wrote on Mon, 22 Mar 2010 13:41:50 +0100:
What I am concerned about is the fact that the client sends out using various gateways at once. Is there some configuration item in VSFTPD which can prevent this and reject packets from the additional IP addresses?
Note, this is not the same session, it's a different connect with the same user credentials. I don't see a problem with this. It's not a security problem and it's hardly a load problem. Users usually don't have more than one IP at their disposal at the same time. This is one of the few cases where this is different.
Thanks for the fast answer - and sorry for insisting. This
Wed Mar 10 15:52:33 2010 [pid 15232] [uploaduser] OK MKDIR: Client "195.200.70.40", "/04 LV gelieferte Daten 04_2010/04 LV Seiten/Jungz?chter"
Wed Mar 10 15:52:33 2010 [pid 15231] [uploaduser] FAIL MKDIR: Client "195.200.70.41", "/04 LV gelieferte Daten 04_2010/04 LV Seiten/Jungz?chter"
makes me think that the same session with the same commands is "delivered" via 2 outgoing gateways, because it would be very complicated to have two ftp clients issue the same command in the same second. Know what I mean?
By the way, vsftpd seems not to handle this situation securely, so I want to prevent any occurrence of it.
Dirk
Dirk H. Schulz wrote on Mon, 22 Mar 2010 15:41:55 +0100:
makes me think that the same session with the same commands is "delivered" via 2 outgoing gateways, because it would be very complicated to have two ftp clients issue the same command in the same second. Know what I mean?
No, I don't know. This is *one* client and I bet it's the dreaded Filezilla. It opens multiple parallel connections if you don't configure it correctly. And then it's just a matter of how your internet connection and gateway are set up. This is a big institution with a big IP range (whois.ripe.net). It's not your usual type of connection, but there's nothing wrong with it.
By the way, vsftpd seems not to handle this situation securely, so I want to prevent any occurrence of it.
Again, what's the security problem here?
Kai
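Added example (not code from the thread or from vsftpd): a small parser for the vsftpd log format shown above that checks Kai's two points, namely that each pid is a separate session, and that a per-IP limit alone would not catch one user logging in from two addresses, since each address only carries one session. The three log lines are taken from the thread; the fourth "otheruser" line and its address are constructed.

```python
import re
from collections import defaultdict

# vsftpd log layout as seen in the thread:
#   <weekday> <month> <day> <hh:mm:ss> <year> [pid N] [user] OK|FAIL OP: Client "ip", ...
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid (?P<pid>\d+)\] '
    r'\[(?P<user>[^\]]+)\] (?P<status>OK|FAIL) (?P<op>\w+): Client "(?P<ip>[^"]+)"'
)

# Constructed sample: first three lines quoted from the thread, last line invented.
SAMPLE_LOG = """\
Wed Mar 10 15:52:33 2010 [pid 15232] [uploaduser] OK MKDIR: Client "195.200.70.40", "/04 LV gelieferte Daten 04_2010/04 LV Seiten/Jungz?chter"
Wed Mar 10 15:52:33 2010 [pid 15231] [uploaduser] FAIL MKDIR: Client "195.200.70.41", "/04 LV gelieferte Daten 04_2010/04 LV Seiten/Jungz?chter"
Wed Mar 10 15:52:36 2010 [pid 15232] [uploaduser] OK UPLOAD: Client "195.200.70.40", "/04 LV gelieferte Daten 04_2010/04 LV Seiten/Jungz?chter/Kooperationsseminar.doc", 23552 bytes, 13.89Kbyte/sec
Wed Mar 10 15:53:01 2010 [pid 15240] [otheruser] OK LOGIN: Client "10.0.0.5"
"""


def parse_line(line):
    """Return the fields of one vsftpd log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def sessions_by_user(lines):
    """Map user -> {pid: client ip}; vsftpd forks one process per session, so pid identifies it."""
    sessions = defaultdict(dict)
    for line in lines:
        rec = parse_line(line)
        if rec:
            sessions[rec["user"]][rec["pid"]] = rec["ip"]
    return dict(sessions)


def users_on_multiple_ips(lines):
    """Users whose concurrent sessions come from more than one client address."""
    return {u: s for u, s in sessions_by_user(lines).items() if len(set(s.values())) > 1}


def sessions_per_ip(lines):
    """Distinct sessions per client IP: what a per-IP connection limit would count."""
    counts = defaultdict(set)
    for pids in sessions_by_user(lines).values():
        for pid, ip in pids.items():
            counts[ip].add(pid)
    return {ip: len(pids) for ip, pids in counts.items()}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("users seen from several addresses:", users_on_multiple_ips(lines))
    print("sessions per IP:", sessions_per_ip(lines))
```

Each address carries a single session, so a limit of one connection per IP would not have refused the second login; only a per-user limit, which Kai notes vsftpd does not offer, would.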