[ydl-gen] Attempted hack of FTP server

Peter-Paul peter-paul at multiweb.nl
Tue Aug 29 00:45:41 MDT 2006


Christopher Murtagh wrote:

>On 8/28/06, Eric Dunbar <eric.dunbar at gmail.com> wrote:
>  
>
>>I recently activated vsftpd on my server and I'm noticing statistics
>>in the daily server report (automagically sent to root by all servers)
>>that suggest someone's trying a dictionary attack (presumably) on my
>>ftp server (10000+ login attempts ;-).
>>    
>>
>
>Welcome to the world of having a publicly facing machine. :-(
>You'll probably get piles of ssh attempts too, and lots of other
>things, many of which aren't even Linux related.
>
>  
>
>>1. Will the firewall provide protection against these attempts with
>>the defaults (I'm not 100% sure how to read the defaults yet)?
>>    
>>
>
>If you don't allow external ftp, your firewall will help, but nothing
>is 100%. However, the firewall won't help if you need to keep port 21
>open to the public.
>
>  
>
I noticed that vsftpd uses TCP Wrappers. So you could place the 
suspected IPs in /etc/hosts.deny. Or maybe even better: (if 
possible) place the legitimate IPs in /etc/hosts.allow and block the rest.

Surely this is something different from firewall rules, but it's a start.
http://linuxhelp.blogspot.com/2005/10/using-tcp-wrappers-to-secure-linux.html

BTW: If you're familiar with scripting, the hosts.allow/deny files are 
wonderful for securing your system, since you don't need to restart your 
vsftpd or sshd. (BTW: Apache does not support TCP Wrappers)

I'm planning to create a Perl script that actively monitors my logs and 
dynamically adjusts the /etc/hosts.deny/allow files to automatically secure 
my system.
If you're interested, you're invited/welcome to use it! :)


>>2. How do I configure the firewall/vsftpd to block repeated
>>unsuccessful attempts on the ftp server?
>>    
>>
>
>Repeated? The firewall isn't the best place to do that, either a
>config in the ftp server or something else. I'm not sure if vsftpd has
>this ability or not.
>
>  
>
>>3. How do I find out what username/passwords they're using in their
>>dictionary attack? (I'd like to know what is insecure)
>>    
>>
>
> I don't think this will benefit you much. You're better off making
>sure that you limit the access to the machine to the accounts that
>need it. Use /etc/vsftpd.user_list, which is a list of users that are
>allowed ftp, you'll need to activate it in the config (see below).
>
>  
>
>>4. Is there a GUI interface for the firewall that's intelligible
>>(WebMin sort of allows access but you need to understand its syntax to
>>do anything more than open up/closing ports and allowing access to
>>certain machines).
>>    
>>
>
> I haven't seen a decent IPTables GUI yet. It's a bit of a pain, but
>it's worth learning how to build your own firewall rules. There is a
>ton of info on the net, some of it good, some of it bad.
>
>  
>
>>PS Is there a better ftp server to use than vsftpd? It's quick and
>>dirty but it's not really that easily configured (I'd like to specify
>>ftp access for only certain users, and even then only for certain
>>directories).
>>    
>>
>
>vsftpd is actually pretty decent and has a decent security record
>(which is probably why it is the default ftp server on RH machines).
>It's a bit of a pain to configure, plus the default config script
>doesn't have all the config options. Check the man pages, especially:
>
> man vsftpd.conf
>
>It's fairly well documented.
>
>Cheers,
>
>Chris
>_______________________________________________
>yellowdog-general mailing list
>yellowdog-general at lists.terrasoftsolutions.com
>http://lists.terrasoftsolutions.com/mailman/listinfo/yellowdog-general
>HINT: to Google archives, try  '<keywords> site:terrasoftsolutions.com'
>
>  
>

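The log-watching script Peter-Paul describes above (count failed vsftpd logins per client IP, then feed the offenders into /etc/hosts.deny for TCP Wrappers) is easy to sketch. The following is an added example written for this page, not the script he promised and not part of the original thread, and it is in Python rather than Perl. It assumes the log lines follow the format vsftpd writes to its own log file (`/var/log/vsftpd.log` with `xferlog_std_format=NO`), that vsftpd was built with wrappers and has `tcp_wrappers=YES` in vsftpd.conf so that a `vsftpd: <ip>` line in hosts.deny actually takes effect, and that the threshold (5 failures in 10 minutes) and the whitelist are yours to tune. The sample log lines are constructed for the example. The `allow` set is the practitioner's safety check: put the same addresses you keep in hosts.allow there, so an unattended script can never lock your own workstation out.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of vsftpd.log lines (not taken from the original post).
# vsftpd logs one "FAIL LOGIN" / "OK LOGIN" line per attempt in this format.
SAMPLE_LOG = """\
Tue Aug 29 00:40:01 2006 [pid 4123] [root] FAIL LOGIN: Client "192.0.2.10"
Tue Aug 29 00:40:02 2006 [pid 4124] [admin] FAIL LOGIN: Client "192.0.2.10"
Tue Aug 29 00:40:03 2006 [pid 4125] [test] FAIL LOGIN: Client "192.0.2.10"
Tue Aug 29 00:40:04 2006 [pid 4126] [oracle] FAIL LOGIN: Client "192.0.2.10"
Tue Aug 29 00:40:05 2006 [pid 4127] [guest] FAIL LOGIN: Client "192.0.2.10"
Tue Aug 29 00:41:10 2006 [pid 4130] [eric] FAIL LOGIN: Client "198.51.100.7"
Tue Aug 29 00:41:15 2006 [pid 4131] [eric] OK LOGIN: Client "198.51.100.7"
Tue Aug 29 00:42:00 2006 [pid 4140] [ftp] FAIL LOGIN: Client "203.0.113.5"
Tue Aug 29 00:42:01 2006 [pid 4141] [ftp] FAIL LOGIN: Client "203.0.113.5"
Tue Aug 29 00:42:02 2006 [pid 4142] [ftp] FAIL LOGIN: Client "203.0.113.5"
Tue Aug 29 00:42:03 2006 [pid 4143] [ftp] FAIL LOGIN: Client "203.0.113.5"
Tue Aug 29 00:42:04 2006 [pid 4144] [ftp] FAIL LOGIN: Client "203.0.113.5"
Tue Aug 29 00:42:05 2006 [pid 4145] [ftp] FAIL LOGIN: Client "203.0.113.5"
"""

# Assumed vsftpd.log line layout: "<date> [pid N] [user] FAIL|OK LOGIN: Client "<ip>""
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>FAIL|OK) LOGIN: Client "(?P<ip>[^"]+)"'
)


def parse_failures(text):
    """Yield (timestamp, client_ip) for every FAIL LOGIN line; ignore the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("result") != "FAIL":
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        yield ts, m.group("ip")


def offenders(text, threshold=5, window=timedelta(minutes=10), allow=frozenset()):
    """Return the set of client IPs that produced at least `threshold` failed
    logins inside any sliding `window`, skipping addresses in `allow`
    (the same addresses you list in /etc/hosts.allow)."""
    by_ip = {}
    for ts, ip in parse_failures(text):
        by_ip.setdefault(ip, []).append(ts)
    bad = set()
    for ip, times in by_ip.items():
        if ip in allow:
            continue
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bad.add(ip)
                break
    return bad


def hosts_deny_lines(ips, daemon="vsftpd"):
    """Render TCP Wrappers entries; the daemon name is vsftpd's process name."""
    return [f"{daemon}: {ip}" for ip in sorted(ips)]


def merge_deny(existing, lines):
    """Return `existing` hosts.deny content with any `lines` not already
    present appended, so repeated runs stay idempotent."""
    present = {l.strip() for l in existing.splitlines()}
    out = existing if (not existing or existing.endswith("\n")) else existing + "\n"
    for line in lines:
        if line not in present:
            out += line + "\n"
    return out


if __name__ == "__main__":
    import sys
    # Usage: python ban_ftp.py /var/log/vsftpd.log  (prints lines to append
    # to /etc/hosts.deny; falls back to the constructed sample if no file given)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in hosts_deny_lines(offenders(text, allow={"198.51.100.7"})):
        print(line)
```

Run against the sample it reports `192.0.2.10` and `203.0.113.5` and leaves the single-failure address alone. Two caveats: hosts.deny only stops connections that pass through TCP Wrappers (here vsftpd and sshd), not anything a packet filter would see, and a cron job that rewrites hosts.deny should write to a temporary file and rename it into place rather than editing it live.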