ftp uses a variety of ports in pasv mode. What works for me is to limit the ports used for data in the ftp configuration, and open those ports in the firewall.

If you use vsftpd, the pasv_min_port and pasv_max_port settings let you define this range of ports. If you only have one user, you can use the same port for min and max.

You probably should also change the listen_port so you're not using standard ports at all. Same rationale as not using ssh on port 22. I generally don't believe in security by obscurity, but at least it keeps the script kiddies at bay.

(Wild in the West)

--
-Eric 'shubes'
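The configuration described above, as an added example (not code from this post, from vsftpd, or from the QTP firewall.sh script): a small POSIX shell script that emits the vsftpd.conf lines for a pinned passive range and a non-standard control port, and prints the matching iptables rules for review instead of applying them. The port numbers are constructed sample values; the helper names are my own.

```shell
#!/bin/sh
# Added example: pin the vsftpd passive (PASV) data range and generate the
# firewall rules that admit it. Rules are printed, not executed, so they can
# be reviewed before being added to the chain. Ports below are sample values.

# Emit vsftpd.conf lines for a pinned PASV range and a non-standard listen_port.
vsftpd_pasv_config() {
    min=$1; max=$2; ctl=$3
    printf 'listen_port=%s\n' "$ctl"
    printf 'pasv_enable=YES\n'
    printf 'pasv_min_port=%s\n' "$min"
    printf 'pasv_max_port=%s\n' "$max"
}

# Emit the iptables commands that admit the control port and the PASV data range.
# Returns 1 (and prints nothing useful) if the range is inverted.
iptables_ftp_rules() {
    min=$1; max=$2; ctl=$3
    if [ "$min" -gt "$max" ]; then
        echo "pasv_min_port must not exceed pasv_max_port" >&2
        return 1
    fi
    # Control connection: clients connect here first.
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$ctl"
    # Passive data connections: the server picks a port in [min,max] and the
    # client connects inbound to it, so the whole range must be open.
    printf 'iptables -A INPUT -p tcp --dport %s:%s -m conntrack --ctstate NEW -j ACCEPT\n' "$min" "$max"
    # Replies on both channels are matched by connection tracking.
    printf 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
}

# Number of distinct data ports the firewall exposes; a single-user server can pin min=max.
pasv_port_count() {
    echo $(( $2 - $1 + 1 ))
}

# Sample run with constructed values: 11 data ports, control port 2121.
vsftpd_pasv_config 60000 60010 2121
iptables_ftp_rules 60000 60010 2121
```

Pinning the range this way means the firewall does not have to rely on the FTP connection-tracking helper to open data ports dynamically, which also sidesteps the fact that the helper only watches port 21 unless it is told about a non-standard listen_port. Keep the range as small as the number of concurrent users requires, since every port in it is reachable from outside.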

On 04/03/2014 11:43 AM, Eric Broch wrote:
On 4/3/2014 9:18 AM, Angus McIntyre wrote:
If you haven't implemented fail2ban on your qmail toasters, think
seriously about doing so.

There are at least two botnet-based password-guessing campaigns
currently ongoing. One is trying SMTP authentication against role
accounts (e.g. 'admin@', 'info@') at known domains. It was this one
that prompted initial recent discussion of fail2ban on this list.

The other, which I think just started today, is trying to do POP3
authentication, using email addresses taken from mailing lists used by
spammers. Because these lists are mostly nonsense, this will result in
hundreds or thousands of attempts to authenticate against non-existent
users, but I suppose they might eventually start hitting some existing
addresses.

Because of the stupidity of these attempts, I would think that they're
very unlikely to succeed at most hosts. However, if left to run
unchecked they will probably start to soak up noticeable amounts of
resources. The spammers appear to be deploying increasingly large
botnets, and each host will keep trying until banned.

The instructions at:

http://wiki.qmailtoaster.com/index.php/Fail2Ban

for setting up fail2ban seem pretty good.

This has been a public service announcement.

Angus

Angus,

I've installed f2b on my home and a client's email server. One problem
that manifested itself was the inability to use FTP, from anywhere
outside my network firewall. Before turning on f2b and the QTP firewall
script (firewall.sh) those 'outside' could access my ftp site. After
iptables is turned on, no such luck. I think the problem is with
iptables and not f2b. I worked for about 6 hours on this to get it
resolved after one from the QTP community could not download my DSPAM
project. Finally, I simply turned off iptables and everything works. I'd
sure like to get f2b with iptables working again.

(Stumped in the west)

EricB