[TriLUG] vsftpd and port scanning (or multiple failed logins)

Owen Berry oberry at trilug.org
Thu Mar 2 11:44:47 EST 2006


Thanks for the link. Unfortunately it looks like this kind of thing
might not be as successful for vsftpd ... from the README file:

  VSFTPD does not work well with tcpd-wrapper blocking.
  Vsftpd keeps the same server process active for
  any number of login failures on that connection. This means even though
  that host-ip will be blocked in hosts.allow file, it won't take effect
  until that host disconnects and then tries to reconnect. The host is
  free to run 100s, 1000s, unlimited number of login attempts. Vsftpd does
  not have an equivalent of the MaxLoginAttempts configuration of ProFTPd.

It's better than nothing, I guess.

Owen

On Thu, Mar 02, 2006 at 11:36:46AM -0500, Douglas Ward wrote:
> I think that anyone that fails authentication that many times is
> suspicious.  I have started testing a script called blockhosts that scans
> the log file and places offending hosts in deny.hosts.  I use it for ssh but
> have seen in the log file where it supports vsftpd.  Good luck!
> 
> http://www.aczoom.com/cms/blockhosts
> 
> On 3/2/06, Owen Berry <oberry at trilug.org> wrote:
> >
> > One of the servers I assist with managing has an ftp server that is
> > accessible in the wild (shiver). We get a lot of the following in our
> > log files:
> >
> > check pass; user unknown
> > authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> > 194.250.176.129
> >
> > As far as I can tell, this indicates an attempt to login anonymously -
> > note the difference when a login fails with a real user:
> >
> > authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> > xx.xxx.xxx.xxx user=yyy
> >
> > Can anyone confirm my suspicions of anonymous login? Or is this more of
> > an indication of a port scan? Why 1 host would try 696 times in a day is
> > beyond me, unless they are scanning.
> >
> > I was thinking of creating a script that scans the system log file and
> > blocks hosts (using hosts.deny) that fail at logging into the ftp server
> > too often during a time period. Maybe somebody knows of something that
> > does this already (?)
> >
> > Maybe I just need to persuade someone that they should abandon having an
> > ftp server.
> >
> > Thanks,
> > Owen
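The log-scanning blocker Owen sketches above (count failures per rhost inside a time window, then emit hosts.deny entries), written out as an added example that is not from the thread or from blockhosts; the syslog prefix on each line, the threshold and window values and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches PAM failure lines like those quoted in the thread. The syslog prefix
# (timestamp, host, program) is assumed; "user=" is absent on the lines Owen
# reads as anonymous attempts, so it is optional here.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) .*authentication failure; "
    r".*rhost=(?P<rhost>\S+)(?: user=(?P<user>\S+))?$"
)

def parse_ts(ts, year=2006):
    # syslog timestamps carry no year; one is assumed for the window arithmetic
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def is_anonymous_attempt(line):
    m = LINE_RE.search(line)
    return bool(m) and m.group("user") is None

def offending_hosts(lines, threshold=10, window_seconds=3600):
    """rhost values with >= threshold failures inside any window_seconds span."""
    recent = defaultdict(deque)   # rhost -> timestamps of failures still in window
    flagged = set()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                # e.g. "check pass; user unknown" carries no rhost
        t = parse_ts(m.group("ts"))
        q = recent[m.group("rhost")]
        q.append(t)
        while (t - q[0]).total_seconds() > window_seconds:
            q.popleft()             # drop failures older than the sliding window
        if len(q) >= threshold:
            flagged.add(m.group("rhost"))
    return flagged

def hosts_deny_entries(hosts, daemon="vsftpd"):
    # hosts.deny syntax is "daemon_list : client_list", one line per host
    return [f"{daemon} : {h}" for h in sorted(hosts)]

# Constructed sample log (not from the thread): 12 anonymous-style failures
# from one host a minute apart, plus two named-user failures from another.
SAMPLE_LOG = [
    f"Mar  2 10:{i:02d}:00 ftp1 vsftpd: pam_unix(vsftpd:auth): authentication "
    f"failure; logname= uid=0 euid=0 tty= ruser= rhost=194.250.176.129"
    for i in range(12)
] + [
    f"Mar  2 10:{mm}:00 ftp1 vsftpd: pam_unix(vsftpd:auth): authentication "
    f"failure; logname= uid=0 euid=0 tty= ruser= rhost=10.0.0.5 user=yyy"
    for mm in ("05", "30")
]
```

Because vsftpd keeps the same server process alive across login failures (the README passage quoted above), a freshly written hosts.deny entry only takes effect when that host disconnects and connects again.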