[TriLUG] vsftpd and port scanning (or multiple failed logins)

Matthew Lavigne maillist at shenandoahkennels.net
Thu Mar 2 12:32:27 EST 2006


Owen,

Another option that is available is to move to proftpd.  It can run as a 
daemon rather than using xinetd and that makes it much more configurable 
(in my opinion).  Additionally it gives you the chance to use hosts.deny 
to drop the worst offenders and then you too can determine what it means 
to be a "worst offender".

Matthew Lavigne


Owen Berry wrote:
> Thanks for the link. Unfortunately it looks like this kind of thing
> might not be as successful for vsftpd ... from the README file:
>
>   VSFTPD does not work well with tcpd-wrapper blocking.
>   Vsftpd keeps the same server process active for
>   any number of login failures on that connection. This means even though
>   that host-ip will be blocked in hosts.allow file, it won't take effect
>   until that host disconnects and then tries to reconnect. The host is
>   free to run 100s, 1000s, unlimited number of login attempts. Vsftpd does
>   not have an equivalent of the MaxLoginAttempts configuration of ProFTPd.
>
> It's better than nothing, I guess.
>
> Owen
>
> On Thu, Mar 02, 2006 at 11:36:46AM -0500, Douglas Ward wrote:
>   
>> I think that anyone that fails authentication that many times is
>> suspicious.  I have started testing a script called blockhosts that scans
>> the log file and places offending hosts in deny.hosts.  I use it for ssh but
>> have seen in the log file where it supports vsftpd.  Good luck!
>>
>> http://www.aczoom.com/cms/blockhosts
>>
>> On 3/2/06, Owen Berry <oberry at trilug.org> wrote:
>>     
>>> One of the servers I assist with managing has an ftp server that is
>>> accessible in the wild (shiver). We get a lot of the following in our
>>> log files:
>>>
>>> check pass; user unknown
>>> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
>>> 194.250.176.129
>>>
>>> As far as I can tell, this indicates an attempt to log in anonymously -
>>> note the difference when a login fails with a real user:
>>>
>>> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
>>> xx.xxx.xxx.xxx user=yyy
>>>
>>> Can anyone confirm my suspicions of anonymous login? Or is this more of
>>> an indication of a port scan? Why 1 host would try 696 times in a day is
>>> beyond me, unless they are scanning.
>>>
>>> I was thinking of creating a script that scans the system log file and
>>> blocks hosts (using hosts.deny) that fail at logging into the ftp server
>>> too often during a time period. Maybe somebody knows of something that
>>> does this already (?)
>>>
>>> Maybe I just need to persuade someone that they should abandon having an
>>> ftp server.
>>>
>>> Thanks,
>>> Owen
>>>       
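The log-scanning script Owen describes, written out as an added example (this is not code from the thread, from blockhosts, or from vsftpd). It parses the PAM "authentication failure ... rhost=" lines quoted above, counts failures per remote host inside a sliding time window, flags hosts whose attempts carry no user= field (what the post reads as anonymous attempts), and renders hosts.deny entries. The sample log lines are constructed; the syslog timestamp/hostname/program prefix and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from the thread). The "authentication failure;
# ... rhost=" text follows the lines quoted in the original post; the syslog
# prefix (date, host, "vsftpd(pam_unix)[pid]") is an assumption about how
# vsftpd's PAM messages land in /var/log/messages or /var/log/secure.
SAMPLE_LOG = """\
Mar  2 10:00:01 ftp vsftpd(pam_unix)[4101]: check pass; user unknown
Mar  2 10:00:01 ftp vsftpd(pam_unix)[4101]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=194.250.176.129
Mar  2 10:00:02 ftp vsftpd(pam_unix)[4101]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=194.250.176.129
Mar  2 10:00:03 ftp vsftpd(pam_unix)[4101]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=194.250.176.129
Mar  2 10:00:04 ftp vsftpd(pam_unix)[4101]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=194.250.176.129
Mar  2 10:00:05 ftp vsftpd(pam_unix)[4101]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=194.250.176.129
Mar  2 10:30:00 ftp vsftpd(pam_unix)[4188]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.0.0.7 user=owen
Mar  2 11:00:00 ftp vsftpd(pam_unix)[4190]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.0.0.7 user=owen
Mar  2 11:30:00 ftp vsftpd(pam_unix)[4192]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.0.0.7 user=owen
Mar  2 12:00:00 ftp vsftpd(pam_unix)[4194]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.0.0.7 user=owen
Mar  2 12:30:00 ftp vsftpd(pam_unix)[4196]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.0.0.7 user=owen
"""

# One PAM failure line. The user= field is present only when a real account
# name was presented; its absence is what the post reads as an anonymous try.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ vsftpd\S*: "
    r"authentication failure; .*?rhost=(?P<rhost>\S+)(?: user=(?P<user>\S+))?\s*$"
)


def parse_failures(lines, year):
    """Yield (timestamp, rhost, user_or_None) for each vsftpd PAM failure."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = re.sub(r"\s+", " ", m["ts"])  # "Mar  2" -> "Mar 2"
        # syslog carries no year; the caller supplies it (assumption)
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, m["rhost"], m["user"]


def find_offenders(lines, max_failures=5, window_seconds=600, year=2006):
    """Return {rhost: {"failures": n, "unknown_user": bool}} for every host
    that produced max_failures or more failures inside any window_seconds
    span. A per-host deque keeps only timestamps still inside the window, so
    a handful of failures spread over a day does not trigger a block."""
    recent = defaultdict(deque)
    totals = defaultdict(int)
    named_user = defaultdict(bool)
    offenders = set()
    for ts, host, user in parse_failures(lines, year):
        totals[host] += 1
        named_user[host] |= user is not None
        q = recent[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= max_failures:
            offenders.add(host)
    return {
        h: {"failures": totals[h], "unknown_user": not named_user[h]}
        for h in offenders
    }


def hosts_deny_entries(offenders, daemon="vsftpd"):
    """Render tcp-wrappers hosts.deny lines ("daemon_list : client_list")."""
    return [f"{daemon}: {host}" for host in sorted(offenders)]


if __name__ == "__main__":
    found = find_offenders(SAMPLE_LOG.splitlines())
    for host, info in found.items():
        kind = "no username" if info["unknown_user"] else "named user"
        print(f"{host}: {info['failures']} failures ({kind})")
    print("\n".join(hosts_deny_entries(found)))
```

With the defaults, the first host (five failures in five seconds, no user= field) is reported and rendered as "vsftpd: 194.250.176.129"; the second host, five failures spread over two and a half hours, is not. Two caveats follow from the thread itself: the hosts.deny entry only takes effect on the offender's next connection, since vsftpd keeps the same server process alive for any number of failures on one connection, and tcp-wrappers filtering only applies when vsftpd is started through tcpd/xinetd or was built with tcp_wrappers support and has it enabled in vsftpd.conf.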
