On Thu, 2006-11-16 at 21:09 +0200, Alan McKinnon wrote:
> On Thursday 16 November 2006 20:29, Michael Sullivan wrote:
> > Can anyone tell me why I have about a hundred of these
> >
> > Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure;
> > logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> > Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure;
> > logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> > Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure;
> > logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> > Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure;
> > logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
> >
> > when that IP address is in /etc/ipkungfu/deny_hosts.conf? Here's my
> > rules; I don't understand them:
>
> [snip]
>
> > 1 55 DROP all -- eth0 any 222.135.146.45
> > anywhere
>
> Some script kiddie is trying a brute force attack on your ftp port trying
> random combinations of user name and password every three seconds.
>
> 'dig 45.146.135.222.in-addr.arpa PTR' tells me that the address belongs
> to some machine on network sdjnptt.net.cn and that turns out to be
> what looks like some Chinese isp.
>
> So, a Chinese person is trying to exploit your machine. Hey, it happens.
> And will happen for about the rest of your life. The solution is to
> drop them at the firewall, and the above rule is doing exactly that.
>
> This specific attack from this specific person at that specific address
> is no longer something you need to worry about :-)
>
>
> alan
>
So why do I get the hourly log reports (from logcheck) saying that this
IP is trying to access my FTP? How does vsftpd know about this if
they're being dropped at the firewall?

--
gentoo-user@gentoo.org mailing list
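
An added example, not part of the original thread: a Python script that parses pam_unix failure lines in the format quoted above, groups them by rhost, and reports the spacing between attempts and the PIDs that logged them. The sample lines are constructed from that format (each joined onto one line); the 192.0.2.10 entry, the sshd line, the function name, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the log lines quoted in the thread.
# The last two entries are constructed: a single failure from a
# documentation address and an unrelated line that must be ignored.
SAMPLE = """\
Nov 16 08:00:03 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:06 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:09 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:00:12 bullet ftp(pam_unix)[2045]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=222.135.146.45
Nov 16 08:05:00 bullet ftp(pam_unix)[2101]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10
Nov 16 08:06:00 bullet sshd[2200]: Server listening on 0.0.0.0 port 22.
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<svc>\w+)\(pam_unix\)"
    r"\[(?P<pid>\d+)\]: authentication failure;.*\brhost=(?P<rhost>\S+)")

def summarize(text, year=2006, threshold=3, window=60):
    """Group failures by rhost and flag any host with at least `threshold`
    failures inside a `window`-second span. `year` must be supplied
    because these syslog timestamps omit it."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a pam_unix authentication failure
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen[m["rhost"]].append((ts, int(m["pid"])))
    report = {}
    for rhost, events in seen.items():
        events.sort()
        times = [t for t, _ in events]
        # Sliding check: is any run of `threshold` failures within `window`?
        burst = any(
            (times[i + threshold - 1] - times[i]).total_seconds() <= window
            for i in range(len(times) - threshold + 1))
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[rhost] = {"failures": len(events),
                         "pids": sorted({p for _, p in events}),
                         "gaps": gaps, "flagged": burst}
    return report

if __name__ == "__main__":
    for host, info in summarize(SAMPLE).items():
        print(host, info)
```

The `pids` field shows whether a run of failures was logged by one server process or by several, which the per-line view in a logcheck report does not make obvious.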