[CLUE-Tech] vsftpd question
Charles Oriez
coriez at oriez.org
Mon Jun 14 08:31:39 MDT 2004
Running Red Hat 9.0 as a server
For the past few days, things like this have been showing up in my daily
LogWatch report
vsftpd:
Unknown Entries:
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=217.44.61.85 : 1539 Time(s)
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=207.134.185.237 : 272 Time(s)
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=193.150.223.233 : 3441 Time(s)
check pass; user unknown: 15926 Time(s)
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=24.78.142.48 : 3441 Time(s)
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=68.5.196.104 : 3441 Time(s)
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=65.95.54.119 : 350 Time(s)
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=80.35.205.230 : 3442 Time(s)
Given the numbers of failed attempts, it is obvious that a script kiddie is
going after us, so far without success. We have our system configured so
that you cannot get remote access to root, so damage would be minor even
if they did get through to a user account. However, I'd like to take a few
extra steps.
Is there a way of limiting the maximum number of failed attempts from a
given IPA? I know that some of my users are fat-fingered, so I don't want
anyone to be locked out on the first failure, but after say 10 failed
attempts from an IPA in a 24 hour period, I'd stop giving someone the
benefit of the doubt.
Is there a way to implement a tarpit? My idea is to have an automatic 3
second pause between prompts for login and password. That would be almost
invisible to a live user, but a script would take 5 hours to fail 3441
times, and have a minimal impact on bandwidth.
I went looking in online doc at the Red Hat site without much success.
I'm also open to other suggestions. I've denied access to our httpd daemon
for some overseas sites involved in this or other shenanigans, but I assume
that listing something in httpd.conf has no impact on vsftpd, and
vsftpd.conf doesn't seem to have a similar area for entering deny instructions.
Charles Oriez coriez at oriez.org
**
Save the hermetic seals.
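As an added illustration of the "10 failures from one address in 24 hours" rule the poster asks about (example code, not from the original message or from vsftpd): the script below parses vsftpd's PAM failure lines from syslog and keeps a sliding 24-hour window per rhost, so a fat-fingered user with a handful of typos is left alone while a brute-forcer is flagged. The syslog line layout, the hostname `ftp`, the year, and all timings in the sample log are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed syslog layout for a vsftpd/PAM failure (the message text matches the
# poster's LogWatch summary; the timestamp/host/process prefix is constructed).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ vsftpd\S*: "
    r"authentication failure; .*rhost=(?P<rhost>[\d.]+)"
)

def parse_failures(lines, year):
    """Yield (timestamp, rhost) for each PAM authentication-failure line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["rhost"]

def hosts_over_threshold(lines, year=2004, limit=10, window=timedelta(hours=24)):
    """Return the rhosts that reach `limit` failures inside any sliding `window`."""
    per_host = defaultdict(deque)
    flagged = set()
    for ts, rhost in sorted(parse_failures(lines, year)):
        q = per_host[rhost]
        q.append(ts)
        while q and ts - q[0] > window:   # forget failures older than the window
            q.popleft()
        if len(q) >= limit:
            flagged.add(rhost)
    return flagged

def _sample(rhost, start, count, step):
    """Constructed syslog lines: `count` failures from `rhost`, `step` apart."""
    return [
        f"{(start + i * step):%b %d %H:%M:%S} ftp vsftpd(pam_unix)[{100 + i}]: "
        f"authentication failure; logname= uid=0 euid=0 tty= ruser= rhost={rhost}"
        for i in range(count)
    ]

# Constructed sample log: a careless user (3 typos), a fast brute-forcer
# (12 failures in a minute), and a slow one (10 failures spread over 3 days).
SAMPLE_LOG = (
    _sample("10.0.0.5", datetime(2004, 6, 14, 8, 0), 3, timedelta(minutes=1))
    + _sample("217.44.61.85", datetime(2004, 6, 14, 9, 0), 12, timedelta(seconds=5))
    + _sample("80.35.205.230", datetime(2004, 6, 12, 0, 0), 10, timedelta(hours=8))
)

if __name__ == "__main__":
    print("hosts to deny:", sorted(hosts_over_threshold(SAMPLE_LOG)))
```

Feed it the real syslog file instead of `SAMPLE_LOG` and the returned set is what you would hand to a deny list; the slow attacker is only caught if `limit` or `window` is tightened.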