Use iptables to firewall the IP, and do a whois on the IP to find out
who owns it. Also check the reverse lookup.
See if there is a web server running at the IP address; if yes, see what
the content is.
Finally, contact the owner of the IP, as the IP address may be that of a
box that has been used as a staging post and has been compromised itself.
If vsftp uses the TCP wrapper, you can specify the frequency and number
of connections in hosts.allow. I don't use vsftp, and I don't actually
think it does use the wrapper, but it can be configured to...
This article shows both methods of running it:
http://www.linuxfocus.org/English/July2004/article341.shtml
This might be useful too:
http://www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/
Hope this helps
P.
John Hinton wrote:
> Seems the script kiddies are now hitting vsftp with dictionary
> attacks. I had three boxes showing around 12000 attempts from one IP
> yesterday.
>
> My thoughts are that there should be an upstream solution for this
> which is then supported by the upstream vendor. Yes, I know there are
> several 'other' solutions, but I'd really like to stay mainstream and
> use a supported method for dealing with these issues. I can't help but
> view them as security issues.
>
> Best,
> John Hinton
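Added example, not part of the original post or of vsftpd: one way to find the addresses behind a dictionary attack like the one described and draft the iptables rules the reply suggests. The log format, the threshold of 3 and all sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the style of a vsftpd log (format is an assumption;
# addresses come from the RFC 5737 documentation ranges).
SAMPLE_LOG = '''\
Mon Jul  4 03:12:01 2005 [pid 4100] CONNECT: Client "203.0.113.7"
Mon Jul  4 03:12:02 2005 [pid 4099] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Jul  4 03:12:04 2005 [pid 4099] [root] FAIL LOGIN: Client "203.0.113.7"
Mon Jul  4 03:12:06 2005 [pid 4099] [test] FAIL LOGIN: Client "203.0.113.7"
Mon Jul  4 03:12:08 2005 [pid 4099] [ftp] FAIL LOGIN: Client "203.0.113.7"
Mon Jul  4 09:30:10 2005 [pid 4310] [alice] FAIL LOGIN: Client "192.0.2.10"
Mon Jul  4 09:30:15 2005 [pid 4310] [alice] OK LOGIN: Client "192.0.2.10"
Mon Jul  4 09:41:00 2005 [pid 4402] [x] FAIL LOGIN: Client "192.0.2.10"] FAIL LOGIN: Client "198.51.100.23"
'''

# Anchored at end of line so text smuggled into the username field
# (last sample line) cannot be counted against someone else's address.
FAIL_RE = re.compile(r'\] FAIL LOGIN: Client "([0-9.]+)"\s*$')


def failed_logins(log_text):
    """Return a Counter of failed-login lines per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))  # reject malformed addresses
        except ValueError:
            continue
        counts[str(ip)] += 1
    return counts


def offenders(log_text, threshold=3, allowlist=()):
    """IPs at or above the threshold, minus any allowlisted addresses."""
    counts = failed_logins(log_text)
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in allowlist)


def drop_rules(ips):
    """iptables commands to review before running; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 21 -j DROP" for ip in ips]


if __name__ == "__main__":
    print("\n".join(drop_rules(offenders(SAMPLE_LOG))))
```

The allowlist keeps a legitimate user who mistypes a password from being blocked alongside the attacking address.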