[ydl-gen] Attempted hack of FTP server

Eric Dunbar eric.dunbar at gmail.com
Tue Aug 29 06:50:12 MDT 2006


On 29/08/06, Peter-Paul <peter-paul at multiweb.nl> wrote:
> Christopher Murtagh wrote:
>
> >On 8/28/06, Eric Dunbar <eric.dunbar at gmail.com> wrote:
> >
> >>I recently activated vsftpd on my server and I'm noticing statistics
> >>in the daily server report (automagically sent to root by all servers)
> >>that suggest someone's trying a dictionary attack (presumably) on my
> >>ftp server (10000+ login attempts ;-).
> >
> >Welcome to the world of having a publicly facing machine. :-(
> >You'll probably get piles of ssh attempts too, and lots of other
> >things, many of which aren't even Linux related.
> >
> >>1. Will the firewall provide protection against these attempts with
> >>the defaults (I'm not 100% sure how to read the defaults yet)?
> >
> >If you don't allow external ftp, your firewall will help, but nothing
> >is 100%. However, the firewall won't help if you need to keep port 21
> >open to the public.
>
> I noticed that vsftpd uses TCP Wrappers. So you could place the
> suspected IPs in the /etc/hosts.deny. Or maybe even better: (if
> possible) Place the legitimate IPs in the /etc/hosts.allow and block the rest.
>
> Surely this is something different than firewall-rules, but it's a start.
> http://linuxhelp.blogspot.com/2005/10/using-tcp-wrappers-to-secure-linux.html
>
> BTW: If you're familiar with scripting, the hosts.allow/deny files are
> wonderful to secure your system, since you don't need to restart your
> vsftpd or sshd. (BTW: Apache does not support TCP Wrappers)
>
> I'm planning to create a perlscript that actively monitors my logs and
> dynamically adjusts the /etc/hosts.deny/allow files to automatically secure
> my system.
> If you're interested, you're invited/welcome to use it! :)

Thanks for the URL -- I will implement that solution (but, I'd also
like to know how to get iptables to do it too ;-).

As for the perl script, if and when you finish it, feel free to send
it along ;-) (or post it here). I wouldn't mind seeing it.

Eric.
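
A sketch of the log-driven hosts.deny approach discussed in this thread, added here as an example; it is not Peter-Paul's script and not part of the original messages. It assumes vsftpd's own log format (`FAIL LOGIN: Client "..."`); the function names, the threshold of 3 and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Failed logins in vsftpd's own log format carry the client address in quotes.
FAIL_RE = re.compile(r'FAIL LOGIN: Client "([^"]+)"')

# Constructed sample lines (documentation-range addresses), not from the thread.
SAMPLE_LOG = """\
Tue Aug 29 06:12:01 2006 [pid 4101] [admin] FAIL LOGIN: Client "203.0.113.7"
Tue Aug 29 06:12:02 2006 [pid 4102] [root] FAIL LOGIN: Client "203.0.113.7"
Tue Aug 29 06:12:03 2006 [pid 4103] [test] FAIL LOGIN: Client "::ffff:203.0.113.7"
Tue Aug 29 06:13:10 2006 [pid 4110] [eric] FAIL LOGIN: Client "198.51.100.20"
Tue Aug 29 06:13:15 2006 [pid 4111] [eric] OK LOGIN: Client "198.51.100.20"
Tue Aug 29 06:14:00 2006 [pid 4120] [x] FAIL LOGIN: Client "not-an-ip"
Tue Aug 29 06:14:01 2006 [pid 4121] [bob] FAIL LOGIN: Client "192.0.2.5"
Tue Aug 29 06:14:02 2006 [pid 4122] [bob] FAIL LOGIN: Client "192.0.2.5"
Tue Aug 29 06:14:03 2006 [pid 4123] [bob] FAIL LOGIN: Client "192.0.2.5"
"""

def normalise(raw):
    """Return a canonical IP string, or None if the field is not an IP address."""
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return None  # never copy unvalidated log text into hosts.deny
    mapped = getattr(ip, "ipv4_mapped", None)  # fold ::ffff:a.b.c.d into a.b.c.d
    return str(mapped if mapped is not None else ip)

def count_failures(log_text):
    hits = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        ip = normalise(m.group(1)) if m else None
        if ip:
            hits[ip] += 1
    return hits

def new_deny_lines(log_text, existing_deny, allow, threshold=3, daemon="vsftpd"):
    """hosts.deny lines for IPs at/over threshold, minus allowed and already-denied ones."""
    out = []
    for ip, n in sorted(count_failures(log_text).items()):
        if n < threshold or ip in allow:
            continue  # too few failures, or a known-good address that must not be locked out
        host = f"[{ip}]" if ":" in ip else ip  # TCP Wrappers wants IPv6 in brackets
        line = f"{daemon}: {host}"
        if line not in existing_deny:
            out.append(line)
    return out
```

The returned lines are meant to be appended to /etc/hosts.deny; checking the allow list before writing keeps a mistyped password from a legitimate address from locking that address out.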

