Christopher Murtagh wrote:

>On 8/28/06, Eric Dunbar <[EMAIL PROTECTED]> wrote:
>
>>I recently activated vsftpd on my server and I'm noticing statistics
>>in the daily server report (automagically sent to root by all servers)
>>that suggest someone's trying a dictionary attack (presumably) on my
>>ftp server (10000+ login attempts ;-).
>
>Welcome to the world of having a publicly facing machine. :-(
>You'll probably get piles of ssh attempts too, and lots of other
>things, many of which aren't even Linux related.
>
>>1. Will the firewall provide protection against these attempts with
>>the defaults (I'm not 100% sure how to read the defaults yet)?
>
>If you don't allow external ftp, your firewall will help, but nothing
>is 100%. However, the firewall won't help if you need to keep port 21
>open to the public.

I noticed that vsftpd uses TCP Wrappers. So you could place the suspected IPs in the /etc/hosts.deny. Or maybe even better: (if possible) Place the legitimate IPs in the /etc/hosts.allow and block the rest.
Surely this is something different than firewall-rules, but it's a start.

http://linuxhelp.blogspot.com/2005/10/using-tcp-wrappers-to-secure-linux.html

BTW: If you're familiar with scripting, the hosts.allow/deny files are wonderful to secure your system, since you don't need to restart your vsftpd or sshd. (BTW: Apache does not support TCP Wrappers)

I'm planning to create a Perl script that actively monitors my logs and dynamically adjusts the /etc/hosts.deny/allow files to automatically secure my system. If you're interested, you're invited/welcome to use it! :)

>>2. How do I configure the firewall/vsftpd to block repeated
>>unsuccessful attempts on the ftp server?
>
>Repeated? The firewall isn't the best place to do that, either a
>config in the ftp server or something else. I'm not sure if vsftpd has
>this ability or not.
>
>>3. How do I find out what username/passwords they're using in their
>>dictionary attack? (I'd like to know what is insecure)
>
> I don't think this will benefit you much. You're better off making
>sure that you limit the access to the machine to the accounts that
>need it. Use /etc/vsftpd.user_list, which is a list of users that are
>allowed ftp, you'll need to activate it in the config (see below).
>
>>4. Is there a GUI interface for the firewall that's intelligible
>>(WebMin sort of allows access but you need to understand its syntax to
>>do anything more than open up/closing ports and allowing access to
>>certain machines).
>
> I haven't seen a decent IPTables GUI yet. It's a bit of a pain, but
>it's worth learning how to build your own firewall rules. There is a
>ton of info on the net, some of it good, some of it bad.
>
>>PS Is there a better ftp server to use than vsftpd? It's quick and
>>dirty but it's not really that easily configured (I'd like to specify
>>ftp access for only certain users, and even then only for certain
>>directories).
>
>vsftpd is actually pretty decent and has a decent security record
>(which is probably why it is the default ftp server on RH machines).
>It's a bit of a pain to configure, plus the default config script
>doesn't have all the config options. Check the man pages, especially:
>
>    man vsftpd.conf
>
>It's fairly well documented.
>
>Cheers,
>
>Chris
>_______________________________________________
>yellowdog-general mailing list
>[email protected]
>http://lists.terrasoftsolutions.com/mailman/listinfo/yellowdog-general
>HINT: to Google archives, try '<keywords> site:terrasoftsolutions.com'
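
The log-driven /etc/hosts.deny idea mentioned in the reply above, sketched in Python as an added example (it is not the poster's Perl script and not part of the original thread). It assumes vsftpd writes its own log format with `FAIL LOGIN: Client "<address>"` lines and has `tcp_wrappers=YES` set in vsftpd.conf; the function names, the threshold of three failures and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed format (vsftpd's own log style, not xferlog):
#   ... [pid 4121] [admin] FAIL LOGIN: Client "203.0.113.7"
# The end-of-line anchor stops a crafted username from planting a fake client.
FAIL_RE = re.compile(r'FAIL LOGIN: Client "([^"]+)"\s*$')

# Constructed sample lines (documentation address ranges), not real log data.
SAMPLE_LOG = """\
Mon Aug 28 03:12:01 2006 [pid 4121] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Aug 28 03:12:02 2006 [pid 4123] [root] FAIL LOGIN: Client "203.0.113.7"
Mon Aug 28 03:12:04 2006 [pid 4125] [test] FAIL LOGIN: Client "::ffff:203.0.113.7"
Mon Aug 28 03:15:40 2006 [pid 4130] [eric] FAIL LOGIN: Client "192.0.2.10"
Mon Aug 28 03:15:52 2006 [pid 4131] [eric] OK LOGIN: Client "192.0.2.10"
Mon Aug 28 03:20:11 2006 [pid 4140] [guest] FAIL LOGIN: Client "198.51.100.23"
Mon Aug 28 03:20:12 2006 [pid 4141] [guest] FAIL LOGIN: Client "198.51.100.23"
Mon Aug 28 03:20:13 2006 [pid 4142] [guest] FAIL LOGIN: Client "198.51.100.23"
Mon Aug 28 03:21:00 2006 [pid 4150] [x] FAIL LOGIN: Client "not-an-ip"
""".splitlines()


def failed_logins(lines):
    """Count failed logins per IPv4 client, skipping unparsable addresses."""
    counts = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # never copy unvalidated log text into hosts.deny
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # "::ffff:a.b.c.d" is the same IPv4 client
        if ip.version != 4:
            continue  # IPv6 entries are left out of this example
        counts[str(ip)] += 1
    return counts


def deny_entries(lines, threshold=3, allow=()):
    """Return hosts.deny lines for clients at or above the threshold."""
    counts = failed_logins(lines)
    return [f"vsftpd: {ip}" for ip, n in sorted(counts.items())
            if n >= threshold and ip not in allow]
```

Pass known-good addresses in `allow` so a mistyped password from a legitimate client never produces a deny line; the returned lines can be appended to /etc/hosts.deny without restarting vsftpd, as the reply notes.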
