2

Someone is continuously attacking my ftp servers. I observed the IPs he left, but running whois on all of them, I concluded that they are socks5 proxy servers. I even found the site where he is getting them (sockslist.net).

Can I somehow trace him through the proxy so I can get his real IP address and report it to his ISP?

Also, a friend of mine told me that the attacker might be using a VPN for protection, so I'd like to know if there is any way of tracing the connection through a VPN, as well.

HopelessN00b
  • 1,882
  • 3
  • 21
  • 29

5 Answers5

1

I think the posts above highlight valid points. You are highly unlikely to get anywhere with the tracing of these, and even if you do, you will not likely be able to get anything done about it.

The more proactive thing to do is to find ways to stop it happening and to ensure that your boxes are secure.

The environment I work in had a rule that said if we have sustained attacked (sustained in this instance defined as 10 or more attempts in an hour) we had to report it. This meant we were lodging hundreds of reports a week due to the large amount of people scanning our network. We discussed and decided to drop the reporting side of it as we were as confident as could be that our systems were secure and just had to accept we would be scanned / attempted.

Kip
  • 376
  • 3
  • 11
1

For HTTP, some proxies add some special HTTP header, like X-Forwarded-For, to specify the original IP address. If present, then its value should be used with care, as one can easily add a fake header and make it refer to some innocent person.

Such header won't help you when dealing with FTP (which does not have the notion of HTTP headers), but maybe the same proxy IP address is in your web server logs at about the same time. If so, then you still need to make your web server write the headers to the log, or at least this special header.

Arjan
  • 30,974
  • 14
  • 75
  • 112
0

The only way to trace something through a proxy/VPN is to gain access to the logs kept by that proxy, normally by contacting the owner, giving them a time and IP that was accessed (beware of time zones), and asking them to find out who was connected to you at that time. Some legitimate providers will help you with, for serious activity, most of the proxies/VPNs are on rooted machines, so no one will be keeping logs.

Most FTP servers will allow you to block someone after a number of failed login attempts, you might also be able to do the same from your firewall, depending on the configuration. The odds of you tracing this back to someone are almost zero, all you can do is check your machine hasn't been compromised, make sure your passwords are secure, and set up your server to block attackers.

Dentrasi
  • 11,155
  • 4
  • 27
  • 28
0

If they are SOCKS5 servers, there probably will not be any external fingerprints you can find in the FTP activity that comes to your FTP server. (Other protocols like SMTP have a couple clues). In other words, a SOCKS5 proxied connection strictly obeys the principle of "transparency".

(There could be very small, TCP-level clues, that are vendor specific, but this is unlikely).

How do you know they are SOCKS5 servers? (Are you able to connect to the servers with a client that support SOCKS5?). If they require authentication, then you should be able to work with the administrator of the proxy. If you cannot, you could ban traffic from that IP address.

The same could be said of a VPN, because they often have logging as well.

However, the most important question is the nature of the suspected proxy's administrator. If they are legitimate, you can work with them. (As administrators, they both have the responsibility and expertise to help you out). I find the problem description is unusual, most people are attacked via botnets, where many hijacked computers are the source of the traffic. In those cases, there is no administrative counter-party (unless it is a single company full of infected Windows desktops) that can help you.

benc
  • 1,322
  • 15
  • 22
0

As Kip suggest probably the best way to go with is just accepting your are being scanned and use iptables to drop the connections of the most attacking ips or use iptables modules to drop syn packages if connections from one ip come in too fast. I suppose the connection rates are pretty high so setting up an iptables rule keeping away those attackers without disturbing legitimate users should be easy.

Additionally if you are using proftpd you could use mod_delay to make it harder/slower for the attacker to scan you for good user names.

hurikhan77
  • 870
  • 2
  • 6
  • 13