[TriLUG] vsftpd and port scanning (or multiple failed logins)
Owen Berry
oberry at trilug.org
Thu Mar 2 11:11:31 EST 2006
One of the servers I assist with managing has an ftp server that is
accessible in the wild (shiver). We get a lot of the following in our
log files:

    check pass; user unknown
    authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=194.250.176.129

As far as I can tell, this indicates an attempt to log in anonymously -
note the difference when a login fails with a real user:

    authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=xx.xxx.xxx.xxx user=yyy

Can anyone confirm my suspicions of anonymous login? Or is this more of
an indication of a port scan? Why 1 host would try 696 times in a day is
beyond me, unless they are scanning.

I was thinking of creating a script that scans the system log file and
blocks hosts (using hosts.deny) that fail at logging into the ftp server
too often during a time period. Maybe somebody knows of something that
does this already (?)

Maybe I just need to persuade someone that they should abandon having an
ftp server.

Thanks,
Owen
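
The script idea in the message above, sketched as an added example that is not part of the original post: it counts FTP authentication failures per rhost in a sliding time window and formats hosts.deny entries for the offenders. The syslog prefix (timestamp, host name, vsftpd(pam_unix) tag), the threshold, the window, the year and all function names are assumptions; only the PAM message text comes from the post.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed syslog prefix "Mon DD HH:MM:SS host tag[pid]:"; only the PAM message
# text ("authentication failure; ... rhost=...") is taken from the post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+(?P<tag>\S+):\s+"
    r"authentication failure;.*?\brhost=(?P<rhost>\S+)")

def parse_failure(line, year):
    """Return (timestamp, ip) for an FTP auth failure line, else None."""
    m = LINE_RE.match(line)
    if not m or "ftp" not in m.group("tag"):
        return None
    try:  # rhost is remote-influenced: only a literal IP may reach hosts.deny
        ip = str(ipaddress.ip_address(m.group("rhost")))
    except ValueError:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, ip

def hosts_to_block(lines, threshold=5, window=timedelta(minutes=10),
                   year=2006, allow=()):
    """IPs with at least `threshold` failures inside one sliding window."""
    recent, blocked = defaultdict(deque), []
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None or parsed[1] in allow or parsed[1] in blocked:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked.append(ip)
    return blocked

def deny_entries(ips, daemon="vsftpd"):
    """Format hosts.deny lines in tcp_wrappers 'daemon: client' syntax."""
    return [f"{daemon}: {ip}" for ip in ips]

# Constructed sample log (documentation addresses), not data from the post.
PFX = "myhost vsftpd(pam_unix)[2231]: authentication failure; logname= uid=0 euid=0 tty= ruser= "
SAMPLE = [f"Mar  2 10:0{i}:00 {PFX}rhost=192.0.2.10" for i in range(5)]
SAMPLE += [f"Mar  2 1{i}:00:00 {PFX}rhost=198.51.100.7 user=yyy" for i in range(5)]
SAMPLE += ["Mar  2 10:00:00 myhost sshd(pam_unix)[99]: authentication failure; rhost=203.0.113.5"] * 6
```

Entries from deny_entries() only take effect in /etc/hosts.deny if vsftpd was built with tcp_wrappers support and has tcp_wrappers=YES in vsftpd.conf. The allow parameter keeps known-good addresses from being locked out by their own typos.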