[ydl-gen] Attempted hack of FTP server

Eric Dunbar eric.dunbar at gmail.com
Tue Aug 29 06:37:30 MDT 2006


On 29/08/06, Christopher Murtagh <christopher.murtagh at gmail.com> wrote:
> On 8/28/06, Eric Dunbar <eric.dunbar at gmail.com> wrote:
> > I recently activated vsftpd on my server and I'm noticing statistics
> > in the daily server report (automagically sent to root by all servers)
> > that suggest someone's trying a dictionary attack (presumably) on my
> > ftp server (10000+ login attempts ;-).
>
> Welcome to the world of having a publicly facing machine. :-(
> You'll probably get piles of ssh attempts too, and lots of other
> things, many of which aren't even Linux related.

Fortunately, the only things facing the outside world are httpd (which
is a relatively secure server, aside from the two galleries I run) and
now vsftpd.

> > 2. How do I configure the firewall/vsftpd to block repeated
> > unsuccessful attempts on the ftp server?
>
> Repeated? The firewall isn't the best place to do that, either a
> config in the ftp server or something else. I'm not sure if vsftpd has
> this ability or not.
>
> > 3. How do I find out what username/passwords they're using in their
> > dictionary attack? (I'd like to know what is insecure)
>
>  I don't think this will benefit you much. You're better off making
> sure that you limit the access to the machine to the accounts that
> need it. Use /etc/vsftpd.user_list, which is a list of users that are
> allowed ftp, you'll need to activate it in the config (see below).

I'm just curious to find out what someone is trying as username and password.

Hmm. The man pages for vsftpd.conf are about as clear as mud (to me
;-) when it comes to userlist :-(.  Thank you for the hint -- time to
search for some details using the great Google.

> > 4. Is there a GUI interface for the firewall that's intelligible
> > (WebMin sort of allows access but you need to understand its syntax to
> > do anything more than open up/closing ports and allowing access to
> > certain machines).
>
>  I haven't seen a decent IPTables GUI yet. It's a bit of a pain, but
> it's worth learning how to build your own firewall rules. There is a
> ton of info on the net, some of it good, some of it bad.

I think I've got the basics down (allow/deny ports/protocol/single IP
address), but, frankly, I don't think my server is any more secure
than it was before (at the moment, that is).

I already had a router in front of the server and until recently it
only redirected requests (a few ports, including 80 and 443) to apache
on the server (now also port 21).

I guess now I've blocked access to one IP (though, it's easy to change
IPs if you're not static) but I couldn't figure out how to specify a
range for the IP "source address or network" using trial and error in
WebMin (it didn't like "192.1.1.*" or "192.1.1.1-192.1.1.5" or
"192.1.1."). The man page for iptables didn't help me figure out the
formatting either (I'm not sure whether this is indeed the option that
will allow me to specify a range of IPs or my own little network
(192.168.0.*)):

       -s, --source [!] address[/mask]
              hostname (please note that specifying any name to  be  resolved
              with  a  remote query such as DNS is a really bad idea), a net-
              work IP address (with /mask), or a plain IP address.  The  mask
              can  be either a network mask or a plain number, specifying the
              number of 1's at the left side of the network  mask.   Thus,  a
              mask  of  24  is  equivalent  to 255.255.255.0.  A "!" argument
              before the address  specification  inverts  the  sense  of  the
              address. The flag --src is an alias for this option.

Thanks for all your help, Eric.
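An added example, not from the thread or from the vsftpd/iptables projects, showing what the man page's "address[/mask]" form means in practice: the mask-to-prefix conversion the man page describes, the per-packet source test that `-s` performs, and a dry run of the rules a host exposing ports 21/80/443 might use. It assumes 192.168.0.0/24 for the LAN and 192.1.1.0/24 for the blocked range (the addresses typed in the message above, used as placeholders) and only prints the rules, so it runs as an ordinary user.

```shell
#!/bin/sh
# Added example, not part of the thread. Maps the man page's
# "address[/mask]" form onto the ranges tried in WebMin and prints
# (does not apply) a rule set for a host exposing 21/80/443.
# 192.168.0.0/24 (LAN) and 192.1.1.0/24 (blocked range) are placeholders
# taken from the message above.

# Prefix length -> dotted mask, e.g. 24 -> 255.255.255.0 (as the man page says).
prefix_to_mask() {
    local p=$1 i bits out=""
    for i in 0 1 2 3; do
        bits=$(( p - 8 * i ))
        [ "$bits" -gt 8 ] && bits=8
        [ "$bits" -lt 0 ] && bits=0
        out="$out$(( 256 - (1 << (8 - bits)) ))."
    done
    echo "${out%.}"
}

# Dotted IPv4 address -> 32-bit integer.
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Does source address $1 match "-s $2" (written as net/prefix)? This is
# the test iptables applies: AND both addresses with the mask and compare.
in_network() {
    local net=${2%/*} prefix=${2#*/}
    local mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Dry run of the rules. "192.1.1.*" must be written 192.1.1.0/24; a span
# such as 192.1.1.1-192.1.1.5 is not a valid -s value at all and would
# need "-m iprange --src-range 192.1.1.1-192.1.1.5" instead.
build_rules() {
    local lan=$1 bad=$2
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -s $bad -p tcp --dport 21 -j DROP"
    echo "iptables -A INPUT -s $lan -j ACCEPT"
    echo "iptables -A INPUT -p tcp -m multiport --dports 21,80,443 -j ACCEPT"
    echo "iptables -P INPUT DROP"
}

build_rules 192.168.0.0/24 192.1.1.0/24
```

Blocking a /24 still only stops one range; the user_list approach from the reply above limits which accounts can log in at all, which holds regardless of where the attempts come from.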
