thwarting repeated login attempts

2007-01-26 Thread David Banning
I have installed denyhosts from the ports to stop ssh attacks, but
I have discovered a vulnerability, that is new to me. Denyhosts
does not seem to notice FTP login attempts, so the cracker can
attempt to login via FTP, 1000's of times until he finds a
login/password combination.
   
Once he has a login/password combo, he can simply log in via ssh
(provided that user has a shell account).

Is there any way to block multiple FTP login attempts?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: thwarting repeated login attempts

2007-01-26 Thread Kevin Kinsey

David Banning wrote:

> I have installed denyhosts from the ports to stop ssh attacks, but
> I have discovered a vulnerability, that is new to me. Denyhosts
> does not seem to notice FTP login attempts, so the cracker can
> attempt to login via FTP, 1000's of times until he finds a
> login/password combination.

Pardon the stupid question, but I'm assuming it's necessary that you run 
ftpd?  We block ftpd at the firewall to any machines outside the LAN. 
Anyone who needs FTP access uses a client that's capable of using sftp 
instead, and logs in with their SSH credentials.

> Once he has a login/password combo, he can simply log in via ssh
> (provided that user has a shell account).
>
> Is there any way to block multiple FTP login attempts?

Kevin Kinsey
--
Make it myself?  But I'm a physical organic chemist!



Re: thwarting repeated login attempts

2007-01-26 Thread David Banning
> >I have discovered a vulnerability, that is new to me. Denyhosts
> >does not seem to notice FTP login attempts, so the cracker can
> >attempt to login via FTP, 1000's of times until he finds a
> >login/password combination.
> >
> 
> Pardon the stupid question, but I'm assuming it's necessary that you run 
> ftpd?  We block ftpd at the firewall to any machines outside the LAN. 
> Anyone who needs FTP access uses a client that's capable of using sftp 
> instead, and logs in with their SSH credentials.

Hmm - interesting - I just -may- be able to disable using ftpd.

But I still pose the same question - what do ftp servers do on this?
Maybe -not- have ssh login? -or- maybe not have ssh login using the
same login/password?


Re: thwarting repeated login attempts

2007-01-26 Thread Bill Moran
In response to David Banning <[EMAIL PROTECTED]>:

> I have installed denyhosts from the ports to stop ssh attacks, but
> I have discovered a vulnerability, that is new to me. Denyhosts
> does not seem to notice FTP login attempts, so the cracker can
> attempt to login via FTP, 1000's of times until he finds a
> login/password combination.

We refuse to run ftp because it's nearly impossible to secure.

> Once he has a login/password combo, he can simply log in via ssh
> (provided that user has a shell account).

Yeah, that's really bad.  You can end up with the same problem if you
run smtp auth without tls.

> Is there anyway to block multiple FTP login attempts?

I'm sure there is, but why bother?  It would actually be _easier_ for most
crooks to simply sniff the passwords right off the wire.  If you really
think it's worthwhile, you can probably tweak denyhosts to properly
regex the ftp logs.

A better solution (assuming you can't ditch ftp, which would be the _best_
choice) would be to set up your ftpd so it has different passwords than
ssh/scp.  There are a number of ftp servers out there capable of this.

-- 
Bill Moran
Collaborative Fusion Inc.


Re: thwarting repeated login attempts

2007-01-26 Thread Kevin Kinsey

David Banning wrote:

>>> I have discovered a vulnerability, that is new to me. Denyhosts
>>> does not seem to notice FTP login attempts, so the cracker can
>>> attempt to login via FTP, 1000's of times until he finds a
>>> login/password combination.
>>
>> Pardon the stupid question, but I'm assuming it's necessary that you run 
>> ftpd?  We block ftpd at the firewall to any machines outside the LAN. 
>> Anyone who needs FTP access uses a client that's capable of using sftp 
>> instead, and logs in with their SSH credentials.
>
> Hmm - interesting - I just -may- be able to disable using ftpd.
>
> But I still pose the same question - what do ftp servers do on this?
> Maybe -not- have ssh login? -or- maybe not have ssh login using the
> same login/password?

I'm also interested; my version of the question is probably more like,
"is anyone in their right mind running ftpd over the WAN for anything 
but an anonymous user"? [1]

Note that I'm _not_ trying to be critical.  However, in the current 
state of things [2], I don't see anything involving unencrypted 
authentication as valid for WAN (Internet) operations.

Kevin Kinsey

[1] Granted, other strategies might work; firewalling and/or tcpwrappers 
might work.


[2] An interesting read - "The Internet Sucks" - 
http://www.macleans.ca/topstories/life/article.jsp?content=20061030_135406_135406

--
Computers will not be perfected until they can compute how much more
than the estimate the job will cost.


Re: thwarting repeated login attempts

2007-01-26 Thread Peter Matulis
On Friday 26 January 2007 15:50, Kevin Kinsey wrote:
> David Banning wrote:
> >>> I have discovered a vulnerability, that is new to me. Denyhosts
> >>> does not seem to notice FTP login attempts, so the cracker can
> >>> attempt to login via FTP, 1000's of times until he finds a
> >>> login/password combination.
> >>
> >> Pardon the stupid question, but I'm assuming it's necessary that
> >> you run ftpd?  We block ftpd at the firewall to any machines
> >> outside the LAN. Anyone who needs FTP access uses a client that's
> >> capable of using sftp instead, and logs in with their SSH
> >> credentials.
> >
> > Hmm - interesting - I just -may- be able to disable using ftpd.
> >
> > But I still pose the same question - what do ftp servers do on
> > this? Maybe -not- have ssh login? -or- maybe not have ssh login
> > using the same login/password?
>
> I'm also interested; my version of the question is probably more
> like, "is anyone in their right mind running ftpd over the WAN for
> anything but an anonymous user"? [1]

You can run OpenBSD's pf in combination with authpf.  This mechanism 
will alter firewall rules based on successful SSH logins.


Re: thwarting repeated login attempts

2007-01-26 Thread David Banning
> > I have installed denyhosts from the ports to stop ssh attacks, but
> > I have discovered a vulnerability, that is new to me. Denyhosts
> > does not seem to notice FTP login attempts, so the cracker can
> > attempt to login via FTP, 1000's of times until he finds a
> > login/password combination.
> 
> We refuse to run ftp because it's nearly impossible to secure.

So that's what I have decided - and went with sftp exclusively.
Thanks -


Re: thwarting repeated login attempts

2007-01-27 Thread Peter N. M. Hansteen
Peter Matulis <[EMAIL PROTECTED]> writes:

> You can run OpenBSD's pf in combination with authpf.  This mechanism 
> will alter firewall rules based on successful SSH logins.

authpf is great, but even overload rules can go a long way towards
eliminating the original poster's problem, see eg the suggestions in
my tutorial at http://home.nuug.no/~peter/pf/en/bruteforce.html
(http://home.nuug.no/~peter/pf/ for the full manuscript in a variety
of formats).

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
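Added example (not code from the thread, from denyhosts, or from Peter Hansteen's tutorial) tying together Bill Moran's suggestion of teaching denyhosts to regex the ftp logs and the pf table that Peter's overload rules block from: a small scanner for FreeBSD ftpd failure lines that flags sources exceeding a failure threshold inside a sliding time window and builds the pfctl commands to add them to a `<bruteforce>` table. The ftpd log line shape, the table name (assumed to be consulted by a `block in quick from <bruteforce>` rule already in pf.conf), and the sample log lines are assumptions or constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Assumed FreeBSD ftpd -l syslog line shape; check it against your own logs before trusting the regex.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ ftpd\[\d+\]: "
    r"FTP LOGIN FAILED FROM (?P<src>[0-9A-Fa-f.:]+), (?P<user>\S*)$"
)

def parse_failures(lines, year=2007):
    """Yield (timestamp, source, attempted user) for failed-login lines only."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:  # sshd lines, successful logins and transfers fall through
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["src"], m["user"]

def offenders(lines, threshold=3, window=timedelta(minutes=10)):
    """Map source -> total failures for sources with >= threshold failures in one sliding window."""
    stamps_by_src = defaultdict(list)
    for ts, src, _user in parse_failures(lines):
        stamps_by_src[src].append(ts)
    hits = {}
    for src, stamps in stamps_by_src.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide past failures older than the window
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = len(stamps)
                break
    return hits

def pfctl_commands(hits, table="bruteforce"):
    """pfctl calls (returned, not run) that add offenders to the pf table a block rule consults."""
    return [f"pfctl -t {table} -T add {src}" for src in sorted(hits)]

# Constructed sample: one fast dictionary run, one user's typo, one slow hourly probe.
SAMPLE_LOG = """\
Jan 26 15:50:01 gw ftpd[4101]: FTP LOGIN FAILED FROM 192.0.2.5, alice
Jan 26 15:50:03 gw ftpd[4102]: FTP LOGIN FAILED FROM 192.0.2.5, bob
Jan 26 15:50:04 gw ftpd[4103]: FTP LOGIN FAILED FROM 192.0.2.5, root
Jan 26 15:50:06 gw ftpd[4105]: FTP LOGIN FAILED FROM 192.0.2.5, admin
Jan 26 15:52:10 gw ftpd[4110]: FTP LOGIN FAILED FROM 198.51.100.7, dave
Jan 26 15:52:20 gw ftpd[4110]: FTP LOGIN FROM 198.51.100.7 as dave
Jan 26 16:40:00 gw ftpd[4120]: FTP LOGIN FAILED FROM 203.0.113.9, alice
Jan 26 17:40:00 gw ftpd[4121]: FTP LOGIN FAILED FROM 203.0.113.9, alice
Jan 26 18:40:00 gw ftpd[4122]: FTP LOGIN FAILED FROM 203.0.113.9, alice
"""
```

Counting failed logins complements a connection-rate overload rule, which only sees new TCP connections; entries added this way can be aged out from cron with `pfctl -t bruteforce -T expire 86400`.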