[ydl-gen] Attempted hack of FTP server

Derick Centeno aguilarojo at verizon.net
Tue Aug 29 10:06:49 MDT 2006


Greetings All!

I thought to jump in and share some information which could be useful 
in this thread.  Here are two suggestions:

1.  Regarding tracking down who is actually doing what and where, as far 
as attempted hacks go: for getting a record or report regarding what is 
being attacked (so you can later close those vulnerabilities, of 
course) there are few tools as reliable as Open Source Tripwire 
(http://sourceforge.net/projects/tripwire).  I've run it with YDL and 
it is very thorough.  If you eventually develop into a commercial 
service you may then perhaps be interested in the commercial version 
from Tripwire (http://www.tripwire.com/).

2.  There exists a hardware firewall device which actually sits between 
the incoming DSL or faster connection and the connection leading to 
your computer.  I currently have it set up so that it sits between the 
incoming high-speed connection and my wireless router.  When I'm using 
YDL I connect to that router with an Ethernet cable.  The hardware 
firewall device itself fits within one's palm and is extremely 
portable.  The device is constructed so that it acts completely 
independently of the operating system.  More detailed information 
regarding it is available here:

http://stingrayinc.com/

As much respect as I have for software firewalls, and Tripwire in 
particular, this hardware firewall, known as the Stingray Firewall, is 
just what the small fellow (independent, non-commercial individuals 
and non-profits providing IT services via their servers) needs.  This 
isn't hype, it is reality, and it is available for a paltry cost of $80.  
The hardware device provides anti-phishing protection as well and will 
function nicely within a commercial or non-commercial environment.

Once you register the device with the manufacturer, it will be updated 
perpetually at no further cost to you.  No update fees -- nada -- 
nothing!  Also, there exists an antivirus software package provided free 
by the same company to individuals who are not businesses and to 
non-profits, which further protects your operating system.  I've been 
informed that a Mac version of their antivirus product is under 
development.  However, for either OS X or YDL one can install and 
activate the native firewall and Clam AntiVirus.  Activating the native 
firewall or Clam AntiVirus won't affect or limit the Stingray.  If you 
are interested in purchasing it, you can get it from here:

http://www.thinkgeek.com/computing/accessories/75f3/

One more comment regarding the Stingray.  Once you have the Stingray, 
I doubt any hacker will be able to get past it to activate Tripwire.  
This may relegate Tripwire to tracking illegal activities within a 
network behind the protection provided by the Stingray, as one need 
not worry about that anymore.

It's great to see the YDL community up and kicking!

Best wishes.... Derick.


On Aug 29, 2006, at 9:07 AM, Eric Dunbar wrote:

> On 29/08/06, Christopher Murtagh wrote:
>> On 8/28/06, Eric Dunbar wrote:
>>> I recently activated vsftpd on my server and I'm noticing statistics
>>> in the daily server report (automagically sent to root by all servers)
>>> that suggest someone's trying a dictionary attack (presumably) on my
>>> ftp server (10000+ login attempts ;-).
>>
>>> 3. How do I find out what username/passwords they're using in their
>>> dictionary attack? (I'd like to know what is insecure)
>>
>>  I don't think this will benefit you much. You're better off making
>> sure that you limit the access to the machine to the accounts that
>> need it. Use /etc/vsftpd.user_list, which is a list of users that are
>> allowed ftp, you'll need to activate it in the config (see below).
>
> In vsftpd.user_list there's a reference to another solution for
> blocking users. The file "/etc/vsftpd.ftpusers" contains a list of
> users to deny, and (as far as I can tell) it does ask for a password
> (unlike .user_list, which won't when it's DENYing users), so a potential
> hacker won't even be able to discover user names on the system.
>
> Now I'm down to one public user and that user has a secure password
> anyway (unlike some of the others... I should really get around to
> implementing/learning how to allow passwordless ssh and smb access
> specified local machines ;-).
>
> Plus, it doesn't really matter if that account is compromised since
> nothing personal is available through that account (though, it could
> be used to distribute files, I guess).
>
> Thanks to Chris and Peter-Paul
> _______________________________________________
> yellowdog-general mailing list
> yellowdog-general at lists.terrasoftsolutions.com
> http://lists.terrasoftsolutions.com/mailman/listinfo/yellowdog-general
> HINT: to Google archives, try  '<keywords> site:terrasoftsolutions.com'
>
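The quoted exchange asks how to find out which usernames the dictionary attack is trying. vsftpd's own log (the non-xferlog format written when xferlog_std_format=NO) records the username and client address of every failed login, but never the password tried, so the log can answer the "which usernames" half of the question only. The following script is an added example written for this archive page, not code from the mailing list or from the vsftpd project; it parses that log format and flags client addresses whose failed-login count crosses a threshold, listing the usernames each one tried. The log lines embedded in it are constructed samples in the vsftpd.log layout, not a real capture, and the threshold of 5 is an arbitrary value for the sample.

```python
"""Summarise FAIL LOGIN entries from a vsftpd.log so a dictionary attack
stands out as a single client trying many usernames.

Added example for the archive page; the log lines below are constructed
samples in vsftpd's own log layout (xferlog_std_format=NO), not a capture."""
import re
from collections import Counter, defaultdict

# Constructed sample: one client hammering common account names, one
# legitimate user who mistyped a password once and then logged in.
SAMPLE_LOG = """\
Tue Aug 29 03:12:01 2006 [pid 2211] [admin] FAIL LOGIN: Client "203.0.113.7"
Tue Aug 29 03:12:02 2006 [pid 2212] [administrator] FAIL LOGIN: Client "203.0.113.7"
Tue Aug 29 03:12:03 2006 [pid 2213] [test] FAIL LOGIN: Client "203.0.113.7"
Tue Aug 29 03:12:04 2006 [pid 2214] [admin] FAIL LOGIN: Client "203.0.113.7"
Tue Aug 29 03:12:05 2006 [pid 2215] [guest] FAIL LOGIN: Client "203.0.113.7"
Tue Aug 29 08:40:10 2006 [pid 2300] [eric] FAIL LOGIN: Client "192.0.2.44"
Tue Aug 29 08:40:25 2006 [pid 2301] [eric] OK LOGIN: Client "192.0.2.44"
Tue Aug 29 08:41:00 2006 [pid 2302] CONNECT: Client "192.0.2.44"
"""

# vsftpd.log layout: weekday month day time year [pid N] [user] EVENT: Client "ip"
# The day of month may be space-padded, and CONNECT lines carry no [user] field,
# so only lines with a user bracket followed by FAIL LOGIN match here.
FAIL_RE = re.compile(
    r'^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"$'
)


def parse_failed_logins(log_text):
    """Return a list of (client_ip, username) tuples, one per FAIL LOGIN line."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line.rstrip())
        if m:
            events.append((m.group("ip"), m.group("user")))
    return events


def usernames_tried(events, client_ip):
    """Sorted, de-duplicated usernames a given client failed to log in as."""
    return sorted({user for ip, user in events if ip == client_ip})


def flag_dictionary_attacks(events, min_attempts=5):
    """Clients with at least min_attempts failed logins, most active first.

    Each entry is (client_ip, failed_attempts, distinct_usernames)."""
    attempts = Counter(ip for ip, _ in events)
    users = defaultdict(set)
    for ip, user in events:
        users[ip].add(user)
    flagged = [
        (ip, n, len(users[ip]))
        for ip, n in attempts.items()
        if n >= min_attempts
    ]
    # Most attempts first; tie-break on address so the order is stable.
    flagged.sort(key=lambda row: (-row[1], row[0]))
    return flagged


if __name__ == "__main__":
    failed = parse_failed_logins(SAMPLE_LOG)
    for ip, n, distinct in flag_dictionary_attacks(failed, min_attempts=5):
        print(f"{ip}: {n} failed logins across {distinct} usernames: "
              f"{', '.join(usernames_tried(failed, ip))}")
```

Pointing it at the real file (open /var/log/vsftpd.log and pass its contents to parse_failed_logins) gives the list of account names the attacker is guessing, which is exactly the set to compare against the allow-list Chris recommends. The directives that turn /etc/vsftpd.user_list into an allow-list in vsftpd.conf are userlist_enable=YES, userlist_file=/etc/vsftpd.user_list and userlist_deny=NO; with that in place, a username not on the list is refused before any password is requested, so the failed logins for guessed names never reach the password check at all.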


