[CLUE-Tech] vsftpd question

Charles Oriez coriez at oriez.org
Mon Jun 14 08:31:39 MDT 2004


Running Red Hat 9.0 as a server

For the past few days, things like this have been showing up in my daily 
LogWatch report

vsftpd:
    Unknown Entries:
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=217.44.61.85 : 1539 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=207.134.185.237 : 272 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=193.150.223.233 : 3441 Time(s)
       check pass; user unknown: 15926 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=24.78.142.48 : 3441 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=68.5.196.104 : 3441 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=65.95.54.119 : 350 Time(s)
       authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=80.35.205.230 : 3442 Time(s)

Given the number of failed attempts, it is obvious that a script kiddie is 
going after us, so far without success.  We have our system configured so 
that you cannot get remote access to root, so damage would be minor even 
if they did get through to a user account.  However, I'd like to take a few 
extra steps.

Is there a way of limiting the maximum number of failed attempts from a 
given IPA?  I know that some of my users are fat fingered, so I don't want 
anyone to be locked out on the first failure, but after say 10 failed 
attempts from an IPA in a 24 hour period, I'd stop giving someone the 
benefit of the doubt.

Is there a way to implement a tarpit? My idea is to have an automatic 3 
second pause between prompts for login and password. That would be almost 
invisible to a live user, but a script would take 5 hours to fail 3441 
times, and have a minimal impact on bandwidth.

I went looking in online doc at the Red Hat site without much success.

I'm also open to other suggestions.  I've denied access to our httpd daemon 
for some overseas sites involved in this or other shenanigans, but I assume 
that listing something in httpd.conf has no impact on vsftpd, and 
vsftpd.conf doesn't seem to have a similar area for entering deny instructions.



Charles Oriez        coriez at oriez.org
**
Save the hermetic seals.
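
One way to act on the log pattern shown in the post, as an added example that is not from the original message or from the vsftpd project: a script that parses the pam_unix "authentication failure" lines vsftpd writes to syslog (/var/log/secure on Red Hat), counts failures per rhost inside a sliding 24-hour window, flags hosts whose count reaches a threshold (10 here, matching the post), and renders tcp_wrappers /etc/hosts.deny entries for them. The sample log lines are constructed; the hostname ftp1, the PIDs and the addresses are made up, and using hosts.deny assumes vsftpd runs with tcp_wrappers=YES, which the script does not verify.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the pam_unix "authentication failure" lines vsftpd logs via syslog.
# rhost may be empty on some lines, so the group allows an empty match.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ vsftpd\S*: "
    r"authentication failure;.*?rhost=(?P<rhost>\S*)"
)


def parse_ts(ts, year):
    """syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def failures_by_host(lines, year=2004):
    """Return {rhost: sorted list of failure timestamps} from syslog lines."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m.group("rhost"):
            continue  # not a vsftpd auth failure, or no remote host recorded
        hits[m.group("rhost")].append(parse_ts(m.group("ts"), year))
    for ts in hits.values():
        ts.sort()
    return hits


def abusive_hosts(lines, threshold=10, window=timedelta(hours=24), year=2004):
    """Hosts with at least `threshold` failures inside some span of length
    `window`.  Returns {rhost: peak failures seen in one window}."""
    flagged = {}
    for host, ts in failures_by_host(lines, year).items():
        start, peak = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:  # slide the left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged


def hosts_deny_lines(hosts):
    """Render /etc/hosts.deny entries for the flagged hosts.  Assumes vsftpd
    honours tcp_wrappers (tcp_wrappers=YES); this is an assumption here."""
    return [f"vsftpd: {h}" for h in sorted(hosts)]


def _line(ts, rhost):
    # Constructed line in the shape pam_unix logs on Red Hat 9; ftp1 is made up.
    return (f"{ts} ftp1 vsftpd(pam_unix)[4321]: authentication failure; "
            f"logname= uid=0 euid=0 tty= ruser= rhost={rhost}")


def sample_log():
    """Constructed sample log, not real data."""
    lines = []
    # scripted attacker: 12 failures a few seconds apart
    for i in range(12):
        lines.append(_line(f"Jun 14 02:00:{i * 4:02d}", "217.44.61.85"))
    # fat-fingered user: 3 failures
    for i in range(3):
        lines.append(_line(f"Jun 14 09:15:{i * 20:02d}", "10.0.0.5"))
    # slow host: 4 failures a day for 3 days, never 10 inside one 24h window
    for day in (11, 12, 13):
        for i in range(4):
            lines.append(_line(f"Jun {day} 12:0{i}:00", "192.0.2.9"))
    lines.append("Jun 14 02:00:48 ftp1 vsftpd(pam_unix)[4321]: check pass; user unknown")
    lines.append("Jun 14 02:01:00 ftp1 sshd(pam_unix)[999]: authentication failure; "
                 "logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.7")
    return lines


if __name__ == "__main__":
    bad = abusive_hosts(sample_log())       # {'217.44.61.85': 12}
    print("\n".join(hosts_deny_lines(bad)))  # vsftpd: 217.44.61.85
```

Run daily from cron over /var/log/secure and append the output to /etc/hosts.deny; the sliding window means three typos spread over a day never trip the threshold while a scripted run does within seconds. A tcp_wrappers deny only stops future connections, it does not slow an attacker down, so the per-prompt delay the post asks about would still have to come from the server itself.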