[TriLUG] vsftpd and port scanning (or multiple failed logins)

Owen Berry oberry at trilug.org
Thu Mar 2 13:27:57 EST 2006


On Thu, Mar 02, 2006 at 12:50:19PM -0500, Ian Kilgore wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Owen Berry wrote:
> | Can anyone confirm my suspicions of anonymous login? Or is this more of
> | an indication of a port scan? Why 1 host would try 696 times in a day is
> | beyond me, unless they are scanning.
> 
> Why one host would try an anonymous login 696 times against your one
> host, even /if/ it's zombied, is beyond me, too.  You would think, that
> after one (maybe even two) tries, this script would give up, or try a
> different username -_-
> 
> Anyway, a port scan would (should) just be an opened and then dropped
> connection - a connect scan, anyway.  I doubt a syn scan, or any others,
> would show up in your ftpd logs as a failed login (although they
> certainly are detectable..)
> 
> Either way, 696 times from one host to one host seems.. odd.

Yes, it does. I think a manual addition of this address to the
hosts.deny will be a good first step. :-)

Owen



More information about the TriLUG mailing list