  1. #1
    Just Joined!
    Join Date
    May 2006
    Posts
    3

    proftpd brute-force attack - any help at all?


    I'm getting quite sick of seeing these things in my logs:

    Code:
    May 15 18:02:09 localhost proftpd[17635]: localhost.localdomain (66.232.129.62[66.232.129.62]) - USER mark (Login failed): Incorrect password.
    May 15 18:02:09 localhost proftpd[17635]: localhost.localdomain (66.232.129.62[66.232.129.62]) - PAM(mark): Authentication failure.
    May 15 18:02:10 localhost proftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=66.232.129.62  user=mark
    May 15 18:02:11 localhost proftpd[17635]: localhost.localdomain (66.232.129.62[66.232.129.62]) - USER mark (Login failed): Incorrect password.
    May 15 18:02:11 localhost proftpd[17635]: localhost.localdomain (66.232.129.62[66.232.129.62]) - PAM(mark): Authentication failure.
    May 15 18:02:12 localhost proftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=66.232.129.62  user=mark
    May 15 18:02:14 localhost proftpd[18064]: localhost.localdomain (66.232.129.62[66.232.129.62]) - USER mark (Login failed): Incorrect password.
    May 15 18:02:14 localhost proftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=66.232.129.62  user=mark
    May 15 18:02:14 localhost proftpd[18064]: localhost.localdomain (66.232.129.62[66.232.129.62]) - PAM(mark): Authentication failure.
    May 15 18:02:16 localhost proftpd[18064]: localhost.localdomain (66.232.129.62[66.232.129.62]) - USER mark (Login failed): Incorrect password.
    May 15 18:02:16 localhost proftpd[18064]: localhost.localdomain (66.232.129.62[66.232.129.62]) - PAM(mark): Authentication failure.
    May 15 18:02:18 localhost proftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=66.232.129.62  user=mark
    May 15 18:02:21 localhost proftpd[18064]: localhost.localdomain (66.232.129.62[66.232.129.62]) - USER mark (Login failed): Incorrect password.
    May 15 18:02:21 localhost proftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=66.232.129.62  user=mark
    May 15 18:02:21 localhost proftpd[18064]: localhost.localdomain (66.232.129.62[66.232.129.62]) - PAM(mark): Authentication failure.
    I get these CONSTANTLY. I would love proftpd to notice this and do something - I think it would be safer to throw the IP in /etc/hosts.deny after, oh, I don't know, 500 failed login attempts in an hour... or at least after 5-10 attempts block that IP for 5-10 minutes.

    It wouldn't bother me except when it finds a username that actually exists on the system, it seems to focus on that with a more specific password attack. I can't see the passwords it's trying, of course, so I don't know how good it is.

    I wish there was a fix for sshd too, this happens there too and I think there should be a better solution than moving the daemons to unusual ports or setting up port knocking.

    Any ideas?
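The counting the poster is asking for, written out as an added example (not code from this thread or from proftpd): it parses the proftpd "Login failed" lines quoted above, counts failures per source IP in a sliding window, flags an IP once it reaches the poster's "5 attempts in 10 minutes", and formats the tcp_wrappers hosts.deny entries. The year (2006), the window and threshold defaults, and the second IP 192.0.2.7 are assumptions for the sample.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Sample input: lines taken from the post (IP 66.232.129.62) plus one constructed
# line for 192.0.2.7 so that a below-threshold source is also exercised.
SAMPLE_LOG = """\
May 15 18:02:09 localhost proftpd[17635]: localhost.localdomain (66.232.129.62[66.232.129.62]) - USER mark (Login failed): Incorrect password.
May 15 18:02:09 localhost proftpd[17635]: localhost.localdomain (66.232.129.62[66.232.129.62]) - PAM(mark): Authentication failure.
May 15 18:02:10 localhost proftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=66.232.129.62  user=mark
May 15 18:02:11 localhost proftpd[17635]: localhost.localdomain (66.232.129.62[66.232.129.62]) - USER mark (Login failed): Incorrect password.
May 15 18:02:14 localhost proftpd[18064]: localhost.localdomain (66.232.129.62[66.232.129.62]) - USER mark (Login failed): Incorrect password.
May 15 18:02:16 localhost proftpd[18064]: localhost.localdomain (66.232.129.62[66.232.129.62]) - USER mark (Login failed): Incorrect password.
May 15 18:02:21 localhost proftpd[18064]: localhost.localdomain (66.232.129.62[66.232.129.62]) - USER mark (Login failed): Incorrect password.
May 15 18:05:00 localhost proftpd[18100]: localhost.localdomain (192.0.2.7[192.0.2.7]) - USER alice (Login failed): Incorrect password.
"""

# Only the proftpd "Login failed" line is counted. The PAM(user) and pam_unix
# lines belong to the same attempt and would triple-count it.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: \S+ "
    r"\((?P<host>[^\[]+)\[(?P<ip>[\d.]+)\]\) - USER (?P<user>\S+) \(Login failed\)"
)

def parse_failures(lines, year=2006):
    """Yield (timestamp, ip, user) per counted failure; syslog has no year, so one is assumed."""
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]

def find_bruteforcers(lines, threshold=5, window_s=600):
    """Return {ip: time_threshold_reached} for IPs with >= threshold failures
    inside any window_s-second sliding window (default: 5 in 10 minutes)."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for ts, ip, _user in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # log is time-ordered
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

def hosts_deny_lines(flagged):
    """tcp_wrappers /etc/hosts.deny syntax ("daemon_list : client_list") for the flagged IPs.
    Only services that consult libwrap honour it; a firewall rule is the general option."""
    return [f"ALL: {ip}" for ip in sorted(flagged)]
```

Running `find_bruteforcers(SAMPLE_LOG.splitlines())` flags 66.232.129.62 at 18:02:21, the fifth failure, while 192.0.2.7 with a single attempt stays unflagged.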

  2. #2
    Just Joined!
    Join Date
    May 2006
    Posts
    3

    Maybe this can help you ...

    Maybe this site can help you.

    www.webhostgear.com/314.html

    regards
    DreamTeam

  3. #3
    Super Moderator Roxoff's Avatar
    Join Date
    Aug 2005
    Location
    Nottingham, England
    Posts
    3,807
    As much as you don't like it, moving to a different port for both sshd and anything else you want gets rid of 99% of this crap.

    Might I also suggest that you consider:

    - Only allow access through sshd
    - Turn off password access for sshd
    - Only allow ftp over the secure (ssh) channel.
    - If you use ssh from the same place all the time (e.g. from work) only, then perhaps consider limiting access to the daemon from only specific IP addresses using the iptables stuff.
    Linux user #126863 - see http://linuxcounter.net/
