[TriLUG] vsftpd and port scanning (or multiple failed logins)

Douglas Ward binaryflow at gmail.com
Thu Mar 2 11:36:46 EST 2006


I think that anyone that fails authentication that many times is
suspicious.  I have started testing a script called blockhosts that scans
the log file and places offending hosts in deny.hosts.  I use it for ssh but
have seen in the log file where it supports vsftpd.  Good luck!

http://www.aczoom.com/cms/blockhosts

On 3/2/06, Owen Berry <oberry at trilug.org> wrote:
>
> One of the servers I assist with managing has an ftp server that is
> accessible in the wild (shiver). We get a lot of the following in our
> log files:
>
> check pass; user unknown
> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=194.250.176.129
>
> As far as I can tell, this indicates an attempt to login anonymously -
> note the difference when a login fails with a real user:
>
> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=xx.xxx.xxx.xxx user=yyy
>
> Can anyone confirm my suspicions of anonymous login? Or is this more of
> an indication of a port scan? Why 1 host would try 696 times in a day is
> beyond me, unless they are scanning.
>
> I was thinking of creating a script that scans the system log file and
> blocks hosts (using hosts.deny) that fail at logging into the ftp server
> too often during a time period. Maybe somebody knows of something that
> does this already (?)
>
> Maybe I just need to persuade someone that they should abandon having an
> ftp server.
>
> Thanks,
> Owen
>
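
The approach discussed in this thread (scan the system log and block hosts that fail FTP logins too often within a time period), as an added example that is not part of either message and is not the blockhosts code. The syslog prefix on the sample lines, the threshold, the window and the function names are assumptions, and the `vsftpd:` daemon name in the output assumes vsftpd is running with tcp_wrappers support.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input. The syslog prefix (timestamp, host name "ftp1",
# "vsftpd(pam_unix)[pid]:") is an assumption; the message text follows the thread.
P = "ftp1 vsftpd(pam_unix)[411]: "
F = P + "authentication failure; logname= uid=0 euid=0 tty= ruser= rhost="
SAMPLE_LOG = [
    "Mar  2 10:00:01 " + P + "check pass; user unknown",
    "Mar  2 10:00:01 " + F + "192.0.2.10",
    "Mar  2 10:00:05 " + F + "192.0.2.10",
    "Mar  2 10:02:00 " + F + "198.51.100.7  user=alice",
    "Mar  2 10:03:10 " + F + "192.0.2.10",
    "Mar  2 10:04:00 " + F + "192.0.2.10",
    "Mar  2 12:30:00 " + F + "198.51.100.7  user=alice",
    "Mar  2 15:45:00 " + F + "198.51.100.7  user=alice",
]

# Matches failures with or without a trailing user= field; lines with an
# empty rhost= (local logins) do not match and are skipped.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\svsftpd\S*:\s"
    r"authentication failure;.*?\brhost=(?P<rhost>\S+)(?:\s+user=(?P<user>\S+))?")

def offenders(lines, threshold=3, window=timedelta(minutes=10), year=2006):
    """Return {host: peak failure count inside one window} for hosts that
    reach `threshold`. Lines must be in chronological order; syslog omits
    the year, so it is passed in."""
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())   # collapse the padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[m["rhost"]]
        q.append(ts)
        while ts - q[0] > window:           # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[m["rhost"]] = max(flagged.get(m["rhost"], 0), len(q))
    return flagged

def hosts_deny_lines(flagged, daemon="vsftpd"):
    """Format flagged hosts as hosts.deny entries, one per host."""
    return [f"{daemon}: {host}" for host in sorted(flagged)]

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(offenders(SAMPLE_LOG))))
```

A host that fails the same number of times spread over many hours, like the second sample address, stays below the threshold because only failures inside the sliding window are counted.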


